
Tokenized Encryption: Batch Interface Call Parameters


My previous article discussed the call parameters exchanged between application programs and a cryptographic interface in online systems. A comprehensive cryptographic interface must support multiple processing scenarios: online, batch and system (control). Each environment has its own requirements, but they share common functions such as tokenization, decryption and recryption. This article discusses two cryptographic batch methods, their performance considerations and their call parameters. While this interface is mainframe-based and oriented to CICS Transaction Server (TS), the principles and concepts apply to all processing platforms—syntax, call parameters and implementation may vary.

A call parameter—sometimes known as a link, invocation or branch—is a special kind of program variable used in virtually any language or platform as a universal mechanism for passing information between programs, routines, subroutines, functions, etc., whether they are written in the same or different languages. When the called object completes, control passes back to the calling program’s next sequential instruction, with the call parameters carrying the requested results.

Cryptographic Interface Subsystems

The cryptographic interface contains three basic components:

  1. A control subsystem providing cryptographic utilities and administrative, diagnostic and testing tools. These functions are limited to specific individuals or groups and are infrequently used. Their facilities are crucial components which will be discussed in the next article.
  2. An online subsystem providing real-time tokenization of cardholder data (CHD) and checking account data (CAD) for processes like order entry or authorization. Work is processed and files or databases are updated immediately. Workflows are initiated to complete the process, and the online subsystem can also initiate batch.
  3. A batch subsystem that processes record groups called batches. Because batch and online systems often contend with each other when running concurrently, the cryptographic batch subsystem had to take two different forms. Each needed different functionality that addressed different concerns.

The batch subsystem is the subject of the rest of this article.

Concurrent Batch and Online Processing Issues

Three key issues exist when running batch jobs alongside online transaction processing systems: performance, data integrity and file or database sharing.

Online performance is of paramount importance because response time impacts productivity, and it is degraded when online work must compete with batch for CPU cycles, real and virtual storage and I/O. Since batch doesn’t involve user interaction, which staggers online resource demands, it quickly consumes large quantities of processor resources. Numerous mechanisms, such as prioritization and I/O management, can throttle batch, and ideally batch should run during periods of low online activity.

Data integrity is endangered when multiple programs concurrently modify files or databases. Mechanisms like record locks, syncpoints and checkpoints prevent updates from overwriting one another, but records become unavailable until locks are freed, degrading processing. Even worse, a phenomenon called “deadly embrace” can occur, where two programs hold conflicting locks, causing program failures.

File and database sharing isn’t an issue if a datasharing function is enabled, but without datasharing only one program at a time can modify a data store with integrity, and many file types don’t support datasharing. Most OSes provide file ownership to prevent multiple programs from updating a file concurrently.

Two Flavors of Batch

Given the above concerns and a requirement to run mail-order batch tokenization during peak online activity, it became apparent that concurrent batch and online processing was necessary but needed controls; finding a method of token file sharing was mandatory. Two batch variations were implemented:

• EXCI batch: CICS Transaction Server provides the External CICS Interface (EXCI), which allows a non-CICS program (the client program) to call a CICS server program. CICS provides a storage area called the COMMAREA for passing data between programs. CICS TS maintains token file ownership, with the batch program accessing data via CICS. This eliminates data store ownership conflicts and CICS provides full data integrity, but it imposes substantial processor overhead.
• Standalone batch: A program acquires and maintains read-only data store ownership via the OS (DISP=SHR). A cryptographic interface program—a “twin” of the online program but coded for batch—performs cryptography and file access via CALLs. Since the program’s access is read-only, data integrity is not at risk and performance is superior to EXCI batch.

Batch Cryptographic Interface Call Parameters

Three parameters are passed to the batch cryptographic interface:

• PCI-RECORDS-TO-PROCESS: A three-byte, numeric field used only for EXCI batch, with a default value of one. It specifies the number of credit card (CC#) and/or CAD numbers in TN001BC-PCI-CARD-OR-TOKEN to be processed before a CHECKPOINT is issued, which releases record locks.
• PCI-CARDNUM-OR-TOKEN(index): A 16-byte, alphanumeric field containing the CHD or CAD to be tokenized; the token number is returned in it. An order number may also be passed.
• PCI-REQUEST-MNEMONIC: A three-byte, alphanumeric field containing the mnemonic that specifies the operation to perform, as listed below.
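The following is an added example, not code from the article or from the interface it describes: a Python model of the three-parameter area laid out as fixed-width EBCDIC bytes, plus the EXCI-batch checkpoint loop, which shows how PCI-RECORDS-TO-PROCESS trades the number of CHECKPOINTs against how many record locks are held at once. The field order (count, card table, mnemonic), the mnemonic value "TOK" and the sample card values are assumptions of this example.

```python
from collections.abc import Callable

EBCDIC = "cp037"      # z/OS storage is EBCDIC, so the parameter area is encoded with it
COUNT_LEN = 3         # PCI-RECORDS-TO-PROCESS: PIC 9(3), default 1
CARD_LEN = 16         # PCI-CARDNUM-OR-TOKEN(index): PIC X(16) per entry
MNEMONIC_LEN = 3      # PCI-REQUEST-MNEMONIC: PIC X(3)


def build_parm_area(cards: list[str], mnemonic: str, records_to_process: int = 1) -> bytes:
    """Lay the three call parameters out as fixed-width EBCDIC bytes.
    The field order (count, card table, mnemonic) is an assumption of this example."""
    if not 1 <= records_to_process <= 999:
        raise ValueError("PCI-RECORDS-TO-PROCESS must fit in PIC 9(3)")
    if len(mnemonic) != MNEMONIC_LEN:
        raise ValueError("PCI-REQUEST-MNEMONIC must be exactly 3 characters")
    area = f"{records_to_process:03d}".encode(EBCDIC)
    for value in cards:
        if len(value) > CARD_LEN:
            raise ValueError(f"value exceeds {CARD_LEN} bytes: {value!r}")
        area += value.ljust(CARD_LEN).encode(EBCDIC)   # alphanumeric: space padded
    return area + mnemonic.encode(EBCDIC)


def parse_parm_area(area: bytes) -> tuple[int, list[str], str]:
    """Inverse of build_parm_area; also reads a returned area where tokens replace CHD."""
    count = int(area[:COUNT_LEN].decode(EBCDIC))
    table = area[COUNT_LEN:-MNEMONIC_LEN]
    if len(table) % CARD_LEN:
        raise ValueError("card table is not a whole number of 16-byte entries")
    entries = [table[i:i + CARD_LEN].decode(EBCDIC).rstrip()
               for i in range(0, len(table), CARD_LEN)]
    return count, entries, area[-MNEMONIC_LEN:].decode(EBCDIC)


def tokenize_batch(cards: list[str], records_to_process: int,
                   tokenize: Callable[[str], str]) -> tuple[list[str], int, int]:
    """EXCI-batch checkpoint discipline: each tokenized record holds a lock until
    the next CHECKPOINT, issued every records_to_process records (and at end of batch).
    Returns (tokens, checkpoints issued, most locks held at once)."""
    tokens, held, checkpoints, peak = [], 0, 0, 0
    for i, card in enumerate(cards, start=1):
        tokens.append(tokenize(card))     # tokenize is a caller-supplied stand-in
        held += 1
        peak = max(peak, held)
        if i % records_to_process == 0 or i == len(cards):
            checkpoints += 1
            held = 0                      # CHECKPOINT releases the record locks
    return tokens, checkpoints, peak
```

A larger PCI-RECORDS-TO-PROCESS means fewer CHECKPOINTs (less overhead) but more records locked away from online transactions between them.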

Jim Schesvold is a technical editor for IBM Systems Magazine. Jim can be reached at jschesvold@mainframehelp.com.
