Mainframe Users Struggle With New Compliance Measures

The widespread use of mainframes in Australia’s financial servicessector is hindering credit card merchants and providers from complyingwith new standards introduced by Visa and MasterCard.

Last week Visa and MasterCard combined trading standards under theumbrella of the Payment Card Industry Data Security Standard (PCIDSS),a move applauded by security analysts.

However, mainframes, typically the backbone of heavy transactionenvironments, cannot encrypt data which is one of the compliancemeasures required under the new standard.

Visa’s head of third-party assurance, Edward Lodens, said in themainframe world, the process of encrypting data is very difficult, eventhough associated costs are falling.

“Some noncompliance issues are in encrypting transactional data (frommainframe transactions) as it is difficult to do, and costly; but thecosts are falling,” Lodens said.

While security professionals applauded the decision by Visa andMasterCard to combine two different data security standards into one,they also admitted the cost of mainframe encryption is prohibitive.

Drazen Drazic, managing director of Security Assessment.com said Visaand MasterCard have underestimated the impact it will have on a lot oforganizations forced to encrypt transaction data.

“The fact that the mainframe data must be encrypted as part of thecompliance process will hurt a lot of companies already trying tostruggle with compliance,” Drazic said.

“Retrofitting encryption into legacy-type systems is going to cost anarm and a leg – if you think about large billing systems like telcosfor instance – these larger organizations need some sort of tighteraccess controls, but at least they will be taking the direction a lotof other organizations are doing in regards to compliance.”

Another security professional also applauded the introduction of asingle set of compliance rules, claiming it eliminates confusion formerchants.

Neal Wise, security professional and managing director ofAssurance.com, said it was previously a big pain for some merchantssimply to meet multiple requirements.

“I am glad to see Visa and MasterCard have unified their two programs,as there was a lot of compliance to meet for payment processes andother third parties,” Wise said.

“This eliminates the expense and effort of meeting two standards.”

Bruce Mansfield, Visa International general manager for Australia, saidthe overall incidence of card fraud in Australia – which is estimatedto cost the economy more than A$100 million (US$75 million) each year -has actually declined.

“Visa’s sales volume has more than doubled over the past six years, butover the same period, our fraud rate has halved,” he said. In the firstquarter of 2005, card fraud in the Asia-Pacific region fell to anhistoric low of 0.03 per cent.

Visa’s Account Information Security (AIS) program also provides a free security assessment service to merchants.

Big iron is not dead

Unisys systems and technology general manager David Ireland believesbig iron is destined for a resurgence. “There is more commoditizationnow in the manufacture of mainframes – 30 years ago they used to takeup a tennis court, but today they can look like a three-drawer filingcabinet but they can scale,” Ireland said. “With a server you can justbuy more units and stick them together in a grid, but you still needsystem management and that is where the costs blowout, while bladessuffer from cooling problems.” Contrary to analysts’ claims that themainframe is fading fast, even customers say they are sticking with bigiron.

A National Australia Bank spokesman said the organization will certainly be sticking with mainframes in the foreseeable future.

By Michael Crawford – Computerworld Today (Australia)