Mainframe users struggle with new compliance measures

The widespread use of mainframes in the financial services sector is hindering credit card merchants and providers from complying with new standards introduced by Visa and MasterCard.

Last week Visa and MasterCard combined trading standards under the umbrella of the Payment Card Industry Data Security Standard (PCI DSS), a move applauded by security analysts.

However, mainframes, typically the backbone of heavy transaction environments, cannot encrypt data, and encryption is one of the compliance measures required under the new standard.

Visa's head of third-party assurance, Edward Lodens, said that in the mainframe world the process of encrypting data is very difficult, even though associated costs are falling.

"Some non-compliance issues are in encrypting transactional data (from mainframe transactions) as it is difficult to do, and costly; but the costs are falling," Lodens said.

While security professionals applauded the decision by Visa and MasterCard to combine two different data security standards into one, they also admitted the cost of mainframe encryption is prohibitive.

Drazen Drazic, managing director of Security Assessment.com, said Visa and MasterCard have underestimated the impact the standard will have on a lot of organizations forced to encrypt transaction data.

"The fact that the mainframe data must be encrypted as part of the compliance process will hurt a lot of companies already trying to struggle with compliance," Drazic said.

"Retrofitting encryption into legacy-type systems is going to cost an arm and a leg - if you think about large billing systems like telcos for instance - these larger organizations need some sort of tighter access controls, but at least they will be taking the direction a lot of other organizations are doing in regards to compliance."

Another security professional also applauded the introduction of a single set of compliance rules, claiming it eliminates confusion for merchants.

Neal Wise, security professional and partner of Assurance.com.au, said it was previously a big pain for some merchants simply to meet multiple requirements.

"I am glad to see Visa and MasterCard have unified their two programs, as there was a lot of compliance to meet for payment processes and other third parties," Wise said.

"This eliminates the expense and effort of meeting two standards."

Bruce Mansfield, Visa International general manager for Australia, said the overall incidence of card fraud in Australia - which is estimated to cost the economy more than $100 million each year - has actually declined.

"Visa's sales volume has more than doubled over the past six years, but over the same period, our fraud rate has halved," he said. In the first quarter of 2005, card fraud in the Asia-Pacific region fell to an historic low of 0.03 per cent.

Visa's Account Information Security (AIS) program also provides a free security assessment service to merchants.

Big iron is not dead

Unisys systems and technology general manager David Ireland believes big iron is destined for a resurgence. "There is more commoditization now in the manufacture of mainframes - 30 years ago they used to take up a tennis court, but today they can look like a three-drawer filing cabinet but they can scale," Ireland said. "With a server you can just buy more units and stick them together in a grid, but you still need system management and that is where the costs blow out, while blades suffer from cooling problems." Contrary to analysts' claims that the mainframe is fading fast, even customers say they are sticking with big iron.

A National Australia Bank spokesman said the organization will certainly be sticking with mainframes in the foreseeable future.

Stories by Michael Crawford