
Shear Protection

Regis Corporation cuts credit-card exposure risks with nuBridges Protect


IT Security Officer Bernie Rominski says adopting the PCI DSS model helps Regis Corporation safeguard customer data.

Coming Back Clean

Deployment on IBM i was relatively painless, thanks to Regis’ expertise on the platform, the relative simplicity of the product and some minimal assistance from nuBridges. Deployment on the POS side required a bit more work. “At that time, nuBridges didn’t have shadow-file capabilities on that platform, so that meant we had to expand our database,” Rominski says. “This was because a 16-byte alpha credit-card number in the database had to be 80 bytes to hold a binary encrypted value.”

Deployment to the remote locations went well, and Regis now has a nearly end-to-end credit-card encryption solution in place. When a card is swiped at a location, the card number is encrypted before it is written to the local POS database. It remains encrypted during the batch upload through the System p servers and when it is shuttled to the System i platform. It is decrypted only when transmitted over secure links to the bank for approvals and for specific internal uses by authorized users.

When the data is written to tape for backup purposes, it remains encrypted and the associated keys aren’t stored on the tape. “We omit them on purpose, because if we lost a set of tapes, we don’t want the keys to be available with that set,” Rominski says. “Additionally, the nuBridges product won’t authorize on another machine, which makes the data pretty much useless if someone tries to mount it on another system.” The company is now implementing encryption-capable tape drives that encrypt the entire contents of a backup tape as the data is written, providing another layer of protection.

nuBridges also handles key management, a challenge for many security specialists, by generating private keys on the System i server and securely distributing them using public-key technology. In practice, a symmetric key generated on the System i server encrypts the columns of card data on the POS. nuBridges' export feature then distributes that symmetric key to the POS application, protected by public-key encryption in transit, and the POS application decrypts the symmetric key before it can be used.
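The key-distribution pattern described above is commonly called envelope encryption: a random symmetric data key encrypts the column values, and the data key itself travels to the POS wrapped under the POS's public key, so only the holder of the matching private key can recover it. The following Go program is an added illustration of that flow and is not nuBridges' code or API; the function names, the RSA-OAEP wrapping, AES-256-GCM for the column values and the test card number are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Constructed example: the "server" role (the System i in the article) generates
// a random AES-256 data key, encrypts a card-number column with it, and exports the
// key wrapped under the POS's RSA public key. Only the POS private key can unwrap it.
// Names and flow are illustrative assumptions, not the vendor's implementation.

// NewPOSKeyPair creates the POS's RSA key pair; the private half stays on the POS.
func NewPOSKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// GenerateDataKey returns a fresh 32-byte symmetric key.
func GenerateDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptColumnValue encrypts one card number with AES-256-GCM. The nonce is
// prepended to the ciphertext, so the stored value is longer than the 16-digit
// plaintext (which is why the article's column had to grow).
func EncryptColumnValue(key []byte, pan string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(pan), nil)
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptColumnValue reverses EncryptColumnValue; a wrong key or a modified
// value fails the GCM authentication tag check and returns an error.
func DecryptColumnValue(key []byte, encoded string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(ct) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, body := ct[:gcm.NonceSize()], ct[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, body, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// WrapDataKey is the "export" step: the data key is encrypted under the POS
// public key (RSA-OAEP) so it can be distributed to the POS.
func WrapDataKey(posPub *rsa.PublicKey, dataKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, posPub, dataKey, []byte("pos-data-key"))
}

// UnwrapDataKey runs inside the POS application, which holds the private key.
func UnwrapDataKey(posPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, posPriv, wrapped, []byte("pos-data-key"))
}

func main() {
	posPriv, _ := NewPOSKeyPair()
	dataKey, _ := GenerateDataKey()
	enc, _ := EncryptColumnValue(dataKey, "4111111111111111") // constructed test PAN
	wrapped, _ := WrapDataKey(&posPriv.PublicKey, dataKey)
	unwrapped, _ := UnwrapDataKey(posPriv, wrapped)
	pan, _ := DecryptColumnValue(unwrapped, enc)
	fmt.Println("stored value:", enc)
	fmt.Println("recovered:", pan)
}
```

The same separation is what makes the backup-tape practice in the article work: a tape that holds only `EncryptColumnValue` output is useless without the data key, and the data key never leaves the server except wrapped for a specific POS.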

To prove PCI DSS compliance, Regis also uses a built-in auditing function. Based on configuration, the company can log only encryption activities, decryption activities or both. It can view who’s authorized to see what and whether it’s a full value or a truncated value. “We also run a routine that ensures the integrity of the log file. If it comes back clean, great. If it doesn’t, it sends us an alert that indicates that we should take a look at it. PCI DSS requires a daily log-file review, and we don’t want to do that manually. This tool takes care of that for us,” Rominski says.
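The integrity routine Rominski describes has to answer one question each day: has the log been altered since it was written? One standard way to build such a check is to chain each audit record to the previous one with an HMAC, so an edited, deleted or reordered line breaks the chain from that point on and the reviewer gets the index of the first bad line for the alert. The Go program below is an added example of that technique; it is not the nuBridges auditing function, and the record layout, field names, HMAC key placeholder and sample log lines are constructed for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed example. Each audit record carries an HMAC over its own fields plus
// the previous record's tag. The key below is a placeholder; in a real deployment
// it would be held by the key-management system, never stored beside the log.
var auditKey = []byte("placeholder-audit-hmac-key-change-me")

// AuditRecord is one log line: who did what (ENCRYPT or DECRYPT) and whether the
// user was shown the full card number or a truncated one.
type AuditRecord struct {
	Timestamp string
	User      string
	Operation string // "ENCRYPT" or "DECRYPT"
	View      string // "FULL" or "TRUNCATED"
}

// tagFor binds a record to its predecessor's tag (empty for the first line).
func tagFor(prev string, r AuditRecord) string {
	mac := hmac.New(sha256.New, auditKey)
	mac.Write([]byte(prev))
	mac.Write([]byte("|" + r.Timestamp + "|" + r.User + "|" + r.Operation + "|" + r.View))
	return hex.EncodeToString(mac.Sum(nil))
}

// AppendRecord formats a record as a pipe-delimited line that ends with its tag.
func AppendRecord(prevTag string, r AuditRecord) (line string, tag string) {
	tag = tagFor(prevTag, r)
	line = strings.Join([]string{r.Timestamp, r.User, r.Operation, r.View, tag}, "|")
	return line, tag
}

// VerifyLog is the daily review routine. It returns -1 when the chain is intact,
// otherwise the 0-based index of the first line that fails verification.
func VerifyLog(lines []string) int {
	prev := ""
	for i, line := range lines {
		f := strings.Split(line, "|")
		if len(f) != 5 {
			return i // malformed line
		}
		r := AuditRecord{Timestamp: f[0], User: f[1], Operation: f[2], View: f[3]}
		expected := tagFor(prev, r)
		if !hmac.Equal([]byte(expected), []byte(f[4])) {
			return i // edited, reordered, or following a deleted line
		}
		prev = expected
	}
	return -1
}

// BuildSampleLog produces a constructed three-line log for demonstration.
func BuildSampleLog() []string {
	records := []AuditRecord{
		{"2008-03-01T09:00:00", "batchjob", "ENCRYPT", "FULL"},
		{"2008-03-01T09:05:00", "settle01", "DECRYPT", "FULL"},
		{"2008-03-01T10:12:00", "cashier7", "DECRYPT", "TRUNCATED"},
	}
	var lines []string
	prev := ""
	for _, r := range records {
		line, tag := AppendRecord(prev, r)
		lines = append(lines, line)
		prev = tag
	}
	return lines
}

func main() {
	log := BuildSampleLog()
	fmt.Println("clean log, first bad line:", VerifyLog(log)) // -1
	tampered := append([]string{}, log...)
	tampered[1] = strings.Replace(tampered[1], "settle01", "intruder", 1)
	fmt.Println("tampered log, first bad line:", VerifyLog(tampered)) // 1
}
```

Wiring `VerifyLog` into a scheduled job that raises an alert whenever it returns anything other than -1 gives the automated daily review the article describes; the configuration choice of logging only encryption, only decryption, or both simply decides which records reach `AppendRecord`.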

With any encryption solution, companies worry about performance hits, especially when the encryption happens on the server. The POS systems complete only one transaction at a time, so performance wasn’t an issue there. However, when it came to the batch processing of daily transactions on the System i side, Regis had reason to be concerned. “We thought it might double the amount of time to conduct particular transactions, and therefore, we might blow our entire daily processing window,” Rominski says. “As it turned out, it barely made a dent in our daily processes. I don’t know how nuBridges did it, but it’s pretty amazing.”

No Excuses

Although many organizations see security regulations and laws as a hindrance, Regis doesn’t. It’s embraced encryption. “I’m actually happy that PCI DSS came along, because no matter how much security you have in place, you’re going to end up with a certain amount of risk. PCI DSS helps address some of those risks and it gives you a security framework,” Rominski says.

Now that Regis has become comfortable with encryption, it plans on rolling it out in other operations within the company. For example, it’s considering using nuBridges to encrypt sensitive employee and vendor data, something it might not have considered before. “It’s getting to the point that more and more companies are saying, ‘Gosh, I can’t believe we’ve handled that data so lackadaisically.’ There’s no excuse for that anymore,” Rominski says.

Jim Utsler, IBM Systems Magazine senior writer, has been covering the technology field for more than a decade. Jim can be reached at jjutsler@provide.net.
