We have just been notified that we need to be compliant with Visa's CISP (Cardholder Info Security Program). We need to encrypt credit card numbers on our iSeries files. Does OS/400 have encryption/decryption capability (i.e. use a command to encrypt/decrypt)? If not, do we need to buy software? I hear about Triple DES being available on the iSeries. What do we have to do to utilize it? Where do we begin?
You and many others are being forced to deal with the need to encrypt cardholder data. OS/400 does have encryption capabilities. If you want to tackle this issue on your own, you will want to use either the programming APIs that perform encryption functions (these ship with the operating system) or use a hardware crypto card that is supported on iSeries (at additional charge). The APIs are easier to use, but the hardware card has the advantage of having built-in key (encryption key) management. That's one of the biggest and trickiest issues that you will face implementing encryption – managing the encryption key. You can find more information on both the software encryption APIs and the hardware crypto card on the IBM Information Center website. If you don't want to tackle this issue yourself, there are several vendors that offer encryption solutions for iSeries. At least one, Patrick Townsend and Associates, provides key management functionality with their product. I suggest that you research the vendor products available and the options that come from IBM and determine which works best for your organization's programming and security administration skills and resources.