Enterprise Executive — November/December 2012
With a large and ever-increasing quantity of adults ready to shop online or in-store, credit card in hand, retailers must equip themselves to process millions of payments in a manner that meets Payment Card Industry Data Security Standard (PCI-DSS) policies.
"There are more than 200 million active credit cards in circulation in the U.S. alone," says Vishal Jain, analyst, Mobile Technologies, the 451 Group.
IBM outfits retailers with state-of-the-art IT infrastructure, including System z mainframes, z/OS, and IBM middleware and software, that speed and secure transactions while increasing efficiencies and lowering costs.
"Depending on the design of the payment card processing application, various IBM software may be involved," says Todd W. Arnold, senior technical staff member, IBM Cryptographic Coprocessor Development. The IBM mainframe with z/OS is the bedrock of the payment processing solution.
An intelligent, well-defined transaction processor, the IBM z10 Business Class (BC) mainframe is a centralized system with robust logging and controls. With the z10 BC, tasks run as individualized, independent resources, each with its own pre-defined hierarchies. These features rein in system errors, ease management, and enable administrators to see and control what each task is doing.
With up to 96 physical chip cores that enable hardware scaling, the z10 BC scales more simply and cost-effectively than x86 systems, which require additional blade servers to scale payment card transaction processing. The z10 BC uses IBM's parallel sysplex capabilities to scale the payment system software without having to partition the DB2 10 for z/OS database.
The parallel sysplex connects large numbers of processors and operating systems to achieve scaling. On the sysplex, IBM's DB2 10 scales up to process increasing numbers of transactions while running on large single images, so the retailer doesn't have to run multiple applications on different images. The DB2 Query Optimizer adds to the transaction processing speed by enabling faster queries.
Applications on the z10 BC must intercommunicate. Versions 5 and 6 of IBM's WebSphere MQ software let two or more nodes talk to each other and provide messaging transport inside the mainframe during payment processing. Using WebSphere MQ, a form of messaging-oriented middleware, programs move payloads and messages between each other with guaranteed delivery.
To guarantee delivery, the sending node waits for a receipt confirmation from the receiving node. If the communication link between the two breaks, the sender saves the message and resends after the communication link re-establishes itself.
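The wait-for-confirmation, store-and-resend behaviour just described, as an added illustration in Python (not WebSphere MQ code; the Receiver, Link and Sender classes are assumed stand-ins for the two nodes and the channel between them, and the payloads are constructed). It also covers the case the text implies but does not spell out: the message arrives but the confirmation is lost, so the receiver must recognise the resent copy rather than process it twice.

```python
from collections import OrderedDict
class Receiver:                            # receiving node
    def __init__(self):
        self.seen, self.processed = set(), []
    def deliver(self, msg_id, payload):
        if msg_id not in self.seen:        # resent copy: acked, not reprocessed
            self.seen.add(msg_id)
            self.processed.append(payload)
        return msg_id                      # the ack carries the message id
class Link:                                # constructed channel between the nodes
    def __init__(self, receiver):
        self.receiver, self.up, self.lose_ack = receiver, True, False
    def transmit(self, msg_id, payload):
        if not self.up:
            raise ConnectionError("link down")
        ack = self.receiver.deliver(msg_id, payload)
        if self.lose_ack:                  # delivered, but confirmation never returns
            raise ConnectionError("ack lost")
        return ack

class Sender:                              # sending node with a persistent store
    def __init__(self, link):
        self.link, self.store, self.next_id = link, OrderedDict(), 1
    def put(self, payload):
        msg_id, self.next_id = self.next_id, self.next_id + 1
        self.store[msg_id] = payload       # saved before the first attempt
        self.flush()
        return msg_id
    def flush(self):                       # resend unacked in order; stop on failure
        for msg_id, payload in list(self.store.items()):
            try:
                ack = self.link.transmit(msg_id, payload)
            except ConnectionError:
                break
            if ack == msg_id:
                del self.store[msg_id]     # delivery confirmed, drop from store
        return len(self.store)

def run_scenario():
    recv = Receiver(); link = Link(recv); snd = Sender(link)
    snd.put("auth card*1111 19.99")        # link up: delivered and acked at once
    link.up = False
    snd.put("auth card*0004 42.00")        # link down: stays in the store
    pending_down = len(snd.store)
    link.up = True
    pending_up = snd.flush()               # link back: resent, acked, removed
    link.lose_ack = True
    snd.put("auth card*0009 7.50")         # delivered, but the ack is lost
    link.lose_ack = False
    pending_final = snd.flush()            # resent; receiver drops the duplicate
    return pending_down, pending_up, pending_final, recv.processed
```

The third message shows why "guaranteed" means at least once: the sender cannot tell a lost message from a lost confirmation, so the receiver's duplicate check is what keeps a single authorization from being applied twice.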
Securing the Process
The PCI-DSS security requirements are twofold. First, the PCI standard requires secure networks for payment processing. To meet this requirement, the System z memory architecture limits application access to the mainframe's memory so that one application can't act on data or processes reserved for another. Another key component is Resource Access Control Facility (RACF), IBM's user identification, authentication, and authorization software.
"RACF controls all system processes, preventing application access to unauthorized areas of memory," says Jeff Josten, Information Management Distinguished Engineer for DB2 for z/OS Development. RACF also controls tampering by insiders.
Second, the PCI standard requires retailers to protect cardholder data. IBM DB2 10 protects cardholder data from access by unauthorized parties. In addition to RACF, DB2 10 and the z10 BC mainframe offer Secure Sockets Layer (SSL), Application Transparent Transport Layer Security (AT-TLS), Internet Protocol Security (IPsec), and industry standard encryption.
The IBM mainframe offers more encryption than any other platform available for payment card processing. "Encryption for data at rest and on the wire is 256-bit," says Josten. DB2 offers both built-in, high-performance encryption and column-level encryption.
The Hardware Security Module (HSM) also protects cardholder data. The HSM (IBM's Crypto Express3) is mandatory for processing the complex cryptographic operations required in every payment transaction, and for generating and managing the cryptographic keys used to secure the payments system, according to Arnold.
"Sensitive payment card operations are performed inside the tamper-responding Crypto Express3 coprocessor," explains John Dayka, RACF software architect.
IBM's HSMs meet the Federal Information Processing Standards (FIPS) at the highest physical security level, FIPS 140, Level 4. IBM has been building and supporting these HSMs for almost 25 years.
"On System z, the Crypto Express HSMs are tightly integrated into the overall server infrastructure and are designed to work seamlessly with it," says Arnold. "The IBM HSM products are designed with System z reliability and error checking, unlike HSM products from other vendors."
A retailer can have the same confidence in an IBM HSM as they have in System z.
Increasing Efficiencies, Lowering Costs
Retailers are increasing operating efficiencies and lowering IT costs by applying IBM mainframes. The z10 BC mainframe increases operating efficiencies by providing dedicated central processors, configuring specialty engines, and using specialty processors such as System z Application Assist Processors (zAAPs) and System z Integrated Information Processors (zIIPs). zIIPs and zAAPs help users cost-effectively increase throughput for database applications.
Keeping data local makes use of the added throughput. System z, z/OS, and IBM middleware comprise an integrated stack. Because data and applications are co-located on that stack, payment card processing workloads benefit: the data never has to leave the system. This reduces the risks of moving data across networks and disclosing it to other parties, Dayka explains.
The IBM mainframe lowers IT costs through the highest uptime available in the industry with most systems staying up for years at a time, according to Josten. Because mainframe-based payment systems offer 99.999-percent availability while processing thousands of transactions per second, retailers see considerable Return on Investment (ROI). "One IBM customer processes 15,000 transactions per second," says Josten.
Uptime and robustness are the core strengths of the IBM mainframe. IBM's sysplex puts multiple systems to work supporting the data and is essential to the mainframe's excellent reliability. "You can pull one system out and the rest of the workload will run," says Josten. "You can have a DB2 member down for planned maintenance and still be up. You can migrate from one DB2 version to a new one without taking the system down or experiencing any failures."
IBM has engineered System z to operate even if components such as power supplies or Central Processors (CPs) fail. "Retailers can replace hardware components or verify them as offline without interrupting service," says Karl Cama, CTO, Retail Industry, IBM.
In addition to uptime, the mainframe cuts per-core licensing costs by a ratio of up to 28:1 compared with x86 server licensing, according to Cama. The z10 lowers power and cooling costs by up to 90 percent through virtualization and consolidation. The z10 BC mainframe has the same capacity as 232 x86 blade servers and can replace them with an 83 percent smaller footprint than the comparably powered x86-based configuration, Cama explains.
The IBM mainframe cuts costs through consolidation. The System z10 BC reduces Total Cost of Ownership (TCO) by up to 80 percent, according to Cama, by consolidating data from x86 blade servers to the mainframe and using virtualization.
The z10 BC, DB2 10 for z/OS, and WebSphere MQ software form a basis for swift, secure payment card transaction processing. Vendors globally are using this combination to support card processing for Visa, MasterCard, and Europay cards as well as smart cards with embedded chips. Vendors are rolling out e-commerce on the IBM mainframe in several countries in Europe to process multiple cards in multiple languages and with various currencies, according to Cama.
Retailers that want further insight from users could ask most leading banks what they're able to achieve with their IBM mainframes.