Securing Payment Transactions on HPE NonStop Systems: Ensuring Compliance and Protecting Integrity

comforte | Payment Card Industry Data Security Standard

Introduction

In the realm of financial services, securing payment transactions is paramount. The evolution of technology and the increasing sophistication of cyber threats necessitate robust security measures. HPE NonStop systems have been a cornerstone in ensuring high availability and reliability for financial transactions. This article delves into securing payment transactions on HPE NonStop systems, highlighting the importance of PCI DSS 4.0 compliance, and the strategic partnership between comforte AG and ACI Worldwide for seamless and secure payment processing.

The Importance of Securing Payment Transactions

Securing payment transactions is essential for several key reasons, each playing a crucial role in the overall integrity and reliability of financial operations:

Data Protection – In the financial industry, sensitive data, such as credit card numbers (PANs), personal identification numbers (PINs), and other personally identifiable information (PII), must be protected against unauthorized access and breaches. Compromising this data can lead to identity theft, financial fraud, and significant losses for both consumers and financial institutions.

Trust – Trust is the cornerstone of any financial relationship. Customers need to be confident that their financial information is safe. If an institution fails to protect this information, it can lead to a loss of customer trust, which can be difficult to rebuild. Ensuring robust security measures are in place helps maintain and strengthen this trust.

Regulatory Compliance – Financial institutions are required to comply with various regulations and standards, including PCI DSS, which mandates stringent security measures to protect payment card data. Non-compliance can result in hefty fines, legal action, and other penalties, making it imperative to adhere to these regulations.

Reputation – A single data breach can severely damage an institution’s reputation, affecting customer loyalty and attracting negative media attention. Maintaining a strong security posture helps protect the institution’s reputation and preserves its brand integrity.

Operational Continuity – Financial institutions rely on uninterrupted service to maintain customer satisfaction and operational efficiency. Security incidents can disrupt operations, leading to downtime, loss of revenue, and customer dissatisfaction. Robust security measures ensure operational continuity and reliability.

PCI DSS 4.0 Compliance: Why It’s Essential

PCI DSS 4.0 is the latest iteration of the Payment Card Industry Data Security Standard, bringing more stringent requirements and enhanced security measures to address the ever-evolving threat landscape, thereby ensuring that payment transactions are secure.

PCI DSS 4.0 has been the only active version of the standard since v3.2.1 was retired on 31 March 2024. A set of future-dated requirements was flagged as ‘best practice’ until 31 March 2025, after which they become mandatory and are assessed like any other requirement.

Under PCI DSS 4.0, the protection of Primary Account Numbers (PANs) is more stringent than ever. PANs are the most sensitive piece of cardholder data, and their exposure can lead to significant financial fraud and identity theft. Therefore, it is crucial to secure PANs not only during transmission but also when they are stored.

Requirements and Challenges

  1. Rendering PAN Unreadable (Encryption, Hashing, Truncation, Tokenisation): PCI DSS 4.0 Requirement 3.5.1 requires that the PAN be rendered unreadable anywhere it is stored, using one of the following: a one-way keyed cryptographic hash of the entire PAN, truncation, index tokens (with the token-to-PAN mapping stored securely), or strong cryptography with associated key management. Encryption converts the PAN into ciphertext that is useless without the key; tokenization replaces the PAN with a non-sensitive surrogate (token) that cannot be mapped back to the PAN without access to the tokenization system (the vault or the tokenization keys).
  2. Volume-Level Encryption No Longer Sufficient: Earlier versions of PCI DSS already required the PAN to be rendered unreadable wherever stored, yet many organizations achieved certification without application-level protection by relying on so-called “compensating controls.” Those controls typically meant volume-level encryption (VLE), which encrypts entire disk volumes or storage areas. VLE gives no granular protection of individual data elements, and once the encrypted volume is mounted at the operating-system level, every process and user with file access sees the same plain text as on an unencrypted disk; it protects against stolen or decommissioned media, not against a compromised account or application. PCI DSS 4.0 closes this gap with Requirement 3.5.1.2: disk-level or partition-level encryption may be used on its own only for removable electronic media; on non-removable media the PAN must additionally be rendered unreadable by another mechanism that meets Requirement 3.5.1. This requirement is mandatory from 31 March 2025, so organizations must have application-level (field-level) protection in place by the end of March 2025.

Key Updates in PCI DSS 4.0

PCI DSS 4.0 is already the only active version of the standard (v3.2.1 was retired on 31 March 2024), and its remaining future-dated requirements become mandatory on 31 March 2025. The key updates are:

Enhanced Security Controls – PCI DSS 4.0 places a greater emphasis on risk management and comprehensive security strategies, including the targeted risk analyses it now requires to justify how often certain controls are performed. This means adopting a proactive approach to identifying and mitigating risks before they can be exploited.

Expanded Multi-Factor Authentication (MFA) – MFA is now required for all access into the cardholder data environment (Requirement 8.4.2), not only for remote access and administrative access as before, ensuring that only authorized individuals can reach sensitive systems and data. This helps prevent unauthorized access even if login credentials are compromised.

Improved Encryption Standards – Stronger cryptographic requirements apply to data both in transit and at rest; for example, a hash used to render the PAN unreadable must now be a keyed cryptographic hash of the entire PAN (Requirement 3.5.1.1), so that a stolen hash cannot simply be brute-forced over the PAN space. This ensures that even if data is intercepted or exfiltrated, it cannot be easily recovered and misused.

Regular Penetration Testing and Vulnerability Scanning – PCI DSS 4.0 keeps the requirement for internal and external penetration testing at least annually and after significant changes, and now requires internal vulnerability scans to be authenticated (Requirement 11.3.1.2), so that vulnerabilities visible only to a logged-in user are found as well. This proactive approach helps institutions stay ahead of potential threats and ensures their systems remain secure.

Why Start Addressing PCI DSS 4.0 Now?

Time is running out quickly, and proactively addressing PCI DSS 4.0 compliance is critical for several reasons:

  • Future-Proofing – By adopting the latest standards early, institutions can future-proof their security measures, ensuring they remain compliant with upcoming regulatory changes. This proactive approach prevents last-minute scrambles to meet compliance deadlines.
  • Risk Mitigation – Addressing compliance requirements early reduces the window of vulnerability to emerging threats. Early adoption allows institutions to identify and remediate potential security gaps before they can be exploited.
  • Competitive Advantage – Demonstrating a commitment to the highest security standards can differentiate an institution from its competitors. Customers are more likely to trust and engage with institutions that prioritize security and compliance.
  • Customer Confidence – Ensuring customer data is protected under the latest security standards helps build and maintain customer confidence. This is especially important in an era of prevalent data breaches and cyber threats.
  • Cost Efficiency – Addressing compliance incrementally allows institutions to spread out costs and reduce the financial impact on operations. This approach also enables better planning and resource allocation for security initiatives.

Checklist for a Solution that Fully Covers PCI DSS 4.0

By following this checklist, financial institutions can establish a robust security framework that aligns with PCI DSS 4.0 requirements, ensuring comprehensive protection for payment transactions and sensitive cardholder data.

  • Data Encryption and Tokenization
    • Implement strong encryption and tokenization for all PANs.
    • Ensure encryption methods meet or exceed PCI DSS 4.0 requirements.
  • Protection of Intermediate Files
    • Encrypt or eliminate intermediate files like EXTRACT and REFRESH files.
    • Avoid intermediate files completely by initiating their transfer ‘on the fly’.
    • Ensure all temporary data stores containing PANs are protected.
  • De-Tokenization on the Fly
    • Implement secure de-tokenization processes that can be executed in real-time during data transfer, replication, and disaster recovery.
  • Multi-Factor Authentication (MFA)
    • Apply MFA for all access to systems that process or store PANs.
  • Access Controls
    • Implement strict access controls based on the principle of least privilege.
    • Regularly review and update access permissions.
  • Regular Penetration Testing and Vulnerability Assessments
    • Conduct frequent penetration testing and vulnerability assessments.
    • Address identified vulnerabilities promptly.
  • Continuous Monitoring and Alerts
    • Deploy continuous monitoring solutions to detect suspicious activities.
    • Set up real-time alerts for potential security incidents.
  • Automated Key Management
    • Utilize automated solutions for encryption key management, including generation, distribution, rotation, and revocation.
  • Compliance Reporting and Auditing
    • Implement comprehensive reporting tools to maintain and demonstrate PCI DSS compliance.
    • Conduct regular audits to ensure adherence to security standards.
  • Scalable and Transparent Integration
    • Ensure security solutions integrate seamlessly with existing systems and workflows without significant changes to application code.
    • Provide scalability to accommodate growing data volumes and evolving security requirements.

comforte and ACI Worldwide Partnership – here to help with achieving PCI DSS 4.0 compliance

comforte and ACI Worldwide have partnered to provide comprehensive security solutions for HPE NonStop systems to ACI’s customers, addressing the complex needs of financial institutions. The partnership is based on comforte’s successful implementation of its solutions at many ACI BASE24 and BASE24-eps customers.

Over 35 customer sites worldwide trust comforte’s Data Security Platform on HPE NonStop, including 3 of 5 PCI Council founding members.

Benefits of the Partnership

The partnership brings several benefits to financial institutions:

Comprehensive Security – By integrating a data protection solution with ACI’s payment processing platforms and ACI’s On Demand offering, financial institutions can ensure end-to-end security. This comprehensive approach supports all platforms on which BASE24-eps runs (including a mix of payment solutions and platforms), and covers all stages of data handling, from capture to storage and processing.

Transparent Integration – The solutions are designed to integrate seamlessly with existing HPE NonStop systems, minimizing disruption and ensuring smooth transitions. This transparency allows institutions to enhance their security posture without significant changes to their infrastructure.

Ease of Implementation – Pre-configured solutions and expert support simplify the deployment process. Institutions can quickly implement security measures without extensive downtime or resource allocation.

Customer Success Stories – The partnership has a proven track record of success, with numerous clients achieving enhanced security and compliance. These success stories demonstrate the effectiveness and reliability of the solutions.

Security Without Gaps

A well-designed solution ensures ‘security without gaps’ by addressing every point in the data lifecycle at which a PAN could appear in clear text.

This includes protection of intermediate files that might contain PANs in clear text, such as EXTRACT files used for sending transaction data off NonStop systems or REFRESH files utilized for importing cardholder account data.

Such a solution offers comprehensive encryption and tokenization, safeguarding these intermediate files from unauthorized access or breaches. Additionally, it provides ‘de-tokenization on the fly,’ a sophisticated feature that allows secure and efficient de-tokenization during data transfers, disaster recovery, and replication processes.

This capability is particularly challenging to implement with standard tools such as file transfer, disaster recovery, and replication tools like Oracle GoldenGate and DRnet, because those tools move whatever is on disk: if the on-disk record holds a clear-text PAN, so does the copy. That makes on-the-fly protection a critical asset for achieving PCI DSS 4.0 compliance. Ensuring security without gaps is critical in protecting payment transactions.

The solution supports all file formats (BASE24 or custom) with PANs in variable positions in the data record, including ISO 8583 message formats, where the position of the PAN (data element 2) depends on the bitmap and on the variable-length fields that precede it.

It also allows the processes to be instrumented in such a way that data is written to or read from a remote system directly, without saving it to an intermediate file (e.g. the extracted data is tokenized and transferred via SFTP to the target system as it would otherwise be written to the local file), so no clear-text EXTRACT or REFRESH file ever exists on disk.

Transparent Integration and Ease of Implementation

One of the partnership’s standout features is the ease of integrating their respective solutions with HPE NonStop systems. This seamless integration ensures institutions can bolster their security measures without significant disruptions to their operations.

Integration Features

The solutions are designed to integrate with minimal configuration changes, allowing for quick and efficient deployment. This reduces the need for extensive modifications to existing systems, ensuring a smooth transition. They enable automated data migration from plain data to tokenized data without system downtime.

The solutions are scalable, allowing institutions to easily accommodate growing transaction volumes and evolving security requirements. This scalability ensures that the security measures can grow with the institution. They are compatible with a wide range of payment processing applications and environments, ensuring that they can be effectively integrated into diverse operational setups.

Ease of Implementation

The solution comes pre-configured, reducing the time and effort required for implementation. This pre-configuration ensures that institutions can quickly deploy the solutions and start benefiting from enhanced security measures.

Institutions have access to a team of experts who provide support throughout the deployment process. This expert support ensures that any issues or challenges are promptly addressed, facilitating a smooth implementation.

Comprehensive training programs and resources are available to equip internal teams with the necessary skills and knowledge. This training ensures that teams can effectively manage and maintain the security solutions, maximizing their effectiveness.

There is no need to update the source code of existing applications to comply with PCI DSS 4.0, which can be financially and technically challenging.

The Need for a Transparent Solution

Given the challenges associated with modifying source code, a transparent solution that can orchestrate security measures without requiring significant changes to existing applications is essential.

Implementing a middleware solution sitting between the application and the data storage can transparently encrypt and tokenize PANs. This approach allows institutions to meet PCI DSS 4.0 requirements without altering the application code.

Solutions that operate at the application level but do not require changes to the application itself can ensure that data is encrypted or tokenized as the application processes it. This can be achieved through APIs or libraries that integrate seamlessly with existing systems.

Utilizing cloud-based or on-premises security services that handle encryption, tokenization, and key management transparently can provide an efficient path to compliance. These services can be integrated with existing infrastructure through standardized interfaces.

Implementing automated key management solutions that handle the lifecycle of encryption keys, including generation, distribution, rotation, and revocation, can simplify compliance and reduce the risk of human error.
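The following is an added illustration, not code from comforte, ACI or any product named on this page, of the two mechanisms described above: field-level protection of a PAN that sits at a variable position inside an ISO 8583 message (the ‘Security Without Gaps’ section), and a transparent layer that tokenizes records as they stream to their destination so that no clear-text intermediate file is written (the transparent-middleware point in this section). The index-token vault here is an in-memory dictionary standing in for a real tokenization service; the names `TokenVault`, `locate_pan_iso8583`, `protect_record` and `transfer_protected` are hypothetical, and the sample message is constructed for the example (a test PAN, not a real card).

```python
"""Field-level PAN tokenization in an ISO 8583 message and on-the-fly protected transfer.
Added illustration only; not comforte/ACI code. All names are hypothetical."""
import io
import secrets
from typing import Callable, Iterable, Optional, TextIO

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Index-token vault (PCI DSS 3.5.1 'index tokens'): each PAN maps to one random,
    same-length, Luhn-valid token that keeps the last four digits. The token carries no
    information about the PAN; recovery is only possible through the vault mapping."""

    def __init__(self) -> None:
        self._by_pan: dict[str, str] = {}
        self._by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._by_pan:
            return self._by_pan[pan]          # same PAN -> same token (referential integrity)
        tail = pan[-4:]
        while True:
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 5))
            # choose the digit just before the preserved tail so the token is Luhn-valid
            # (a single free digit can always reach the required residue mod 10)
            token = next(body + fix + tail for fix in DIGITS if luhn_valid(body + fix + tail))
            if token != pan and token not in self._by_token and token not in self._by_pan:
                self._by_pan[pan] = token
                self._by_token[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]          # KeyError for an unknown token


def locate_pan_iso8583(msg: str) -> Optional[tuple[int, int]]:
    """Return (start, end) of data element 2 (PAN, LLVAR) in an ASCII ISO 8583 message
    with hex-encoded bitmaps, or None when bit 2 is not set. Bit 1 (the MSB) announces a
    secondary bitmap, which shifts the PAN by 16 characters: the position is variable."""
    bitmap = int(msg[4:20], 16)               # primary bitmap follows the 4-digit MTI
    if not bitmap & (1 << 62):                # bit 2 = PAN present
        return None
    pos = 20 + (16 if bitmap & (1 << 63) else 0)
    length = int(msg[pos:pos + 2])            # LLVAR: two-digit length prefix
    return pos + 2, pos + 2 + length


def protect_record(record: str, vault: TokenVault,
                   locate: Callable[[str], Optional[tuple[int, int]]]) -> str:
    """Replace the PAN in place; the token has the same length, so every other field,
    offset and length prefix in the record is untouched and downstream parsers still work."""
    span = locate(record)
    if span is None:
        return record
    start, end = span
    return record[:start] + vault.tokenize(record[start:end]) + record[end:]


def transfer_protected(records: Iterable[str], sink: TextIO, vault: TokenVault,
                       locate: Callable[[str], Optional[tuple[int, int]]]) -> int:
    """Stream records to `sink` (an SFTP channel in practice), tokenizing each one as it
    passes through, so no clear-text EXTRACT file is written locally. Returns the count."""
    count = 0
    for rec in records:
        sink.write(protect_record(rec, vault, locate) + "\n")
        count += 1
    return count


# Constructed sample: MTI 0200, primary bitmap with bits 2,3,4 set, DE2 = LLVAR test PAN,
# DE3 processing code, DE4 amount. The PAN is a well-known test number, not a real card.
SAMPLE_MSG = "0200" + "7000000000000000" + "16" + "4111111111111111" + "000000" + "000000010000"


def demo_transfer(vault: TokenVault) -> str:
    """Push the sample message plus a PAN-less message through the protected transfer."""
    sink = io.StringIO()
    transfer_protected([SAMPLE_MSG, "0200" + "0000000000000000"], sink, vault, locate_pan_iso8583)
    return sink.getvalue()


if __name__ == "__main__":
    print(demo_transfer(TokenVault()))
```

Two design points are worth noting. The token preserves the record layout (same length, same trailing four digits for reconciliation), which is what lets the protection layer sit transparently between an unmodified application and its files; the application cannot tell a token from a PAN. And because `transfer_protected` tokenizes inside the write path, the only place the PAN ever exists in clear text is in the memory of the process that holds the vault, which is exactly the scope a Requirement 3.5.1 assessment wants to see.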

Customer Success Stories

Several financial institutions have successfully implemented such solutions, achieving enhanced security and compliance.

Case Study 1: Global Bank

A global bank faced challenges in securing its transaction processing environment while ensuring compliance with evolving regulatory standards. By implementing a data protection solution, they achieved:

  • Enhanced Security – The integration of encryption and tokenization provided comprehensive protection for payment data, significantly reducing the risk of breaches.
  • Improved Compliance – The bank achieved full compliance with PCI DSS requirements, including the latest 4.0 standards, ensuring they met all regulatory obligations.
  • Operational Efficiency – The streamlined processes and reduced compliance-related overhead allowed the bank to operate more efficiently, focusing resources on core business activities.

Case Study 2: Regional Payment Processor

A regional payment processor needed a robust solution to protect customer data and meet stringent security requirements. The solution provided:

  • Data Protection – The secure handling of sensitive data across all transaction stages minimizes the risk of data exposure and breaches.
  • Regulatory Compliance – The processor achieved adherence to PCI DSS and other regulatory frameworks, ensuring they met all compliance requirements.
  • Customer Trust – The enhanced security measures increased customer confidence in the safety of their transactions, fostering stronger customer relationships.

Conclusion

Protecting PANs in compliance with PCI DSS 4.0 requires robust and granular security measures that go beyond volume-level encryption. Financial institutions face significant challenges in updating their source code to meet these requirements, including high costs, technical complexity, and potential operational disruptions.

The partnership between comforte and ACI Worldwide provides a transparent data protection solution that addresses these challenges effectively. By leveraging advanced encryption, tokenization, and seamless integration capabilities, this solution enables institutions to achieve PCI DSS 4.0 compliance without the need for extensive code modifications.

This approach not only enhances security but also ensures operational continuity and efficiency, helping institutions protect sensitive data and cost-effectively maintain customer trust.

Proactive compliance, rigorous security measures, and strategic partnerships are the keys to not only meeting regulatory requirements but also to achieving long-term success in the financial services industry. By starting now to address PCI DSS 4.0 compliance and leveraging advanced security solutions, financial institutions can mitigate risks, enhance customer confidence, and maintain a competitive edge.


Author

  • Thomas Gloerfeld

    Thomas Gloerfeld is Director of Partner Development & Marketing NonStop Solutions at comforte and has been associated with the NonStop community for 25 years. Before joining comforte, he held various management positions at ACI Worldwide in Germany and the UK. In his role at comforte he closely monitors topics such as data security, risk and compliance.
