Improves Security

November 14, 2022

Reasons to Swap Out Your Current Credit Card Solution and replace it with PaymentCardXpress® (PCX) - #1 Improves Security

PCX has been confirmed by CoalFire, a PA-DSS QSA, to be Out-Of-Scope. For details on what we do and don’t do relative to PCI DSS please see our blog entry PCI DSS Validation.

CFXWorks' CEO, Al Nickles, spent 25 years at IBM. He was the inventor of IBM's System Application Architecture (SAA) and of MQ Series and ran the initial MQ Series development lab.  Shortly after leaving IBM, he formed CFXWorks as a consulting and services company that functioned as a sub-contractor to both IBM and HP. For several years CFXWorks focused on designing and developing secure messaging solutions for government agencies and businesses that had specialized needs relative to security.

In 2001, CFXWorks received a request from a customer to develop a payment gateway. It began with a 250-page specification from NOVA Information Systems, now called Elavon. Incidentally, a payment gateway is an example of a secure messaging solution that implements a messaging protocol and syntax that is proprietary to the payment card processor.

Over the past seventeen years, CFXWorks has developed payment gateways supporting Elavon, Paymentech, Vital, First Data, Global Payments, Authorize.Net, American Express, and TSYS. Our encryption and payment offerings are installed by over 500 organizations.

CFXWorks learned by experience that the design and development of a secure messaging system begins with the design, development, and validation of a security model. We build our payment solutions on top of our security model using a design that we have refined over the past twenty-seven years. Our development process is a bottoms-up build process starting at the base with all the security components in place. Some vendors do the opposite starting by designing and building their solution then, attempting to insert security. This is a tops-down approach somewhat like closing the barn door after the horse got out. Our security model defines an integrated security architecture that contains the following components:

  • An Identity Access Management System (IAM) – Our software is implemented using an Identity Access Management System (IAM) that performs authorization and authentication at the user and transaction level. The IAM controls who has access to what, for example, what transaction types does each user have access to.
  • 2 Factor Authentication – Users logging in from any browser must enter a PIN value that matches the one displayed. This technology is called 2 Factor Authentication and it is required by PCI-DSS for users accessing a payment solution across public networks.
  • An Audit Trail – An audit trail tracks each user and each transaction documenting the transaction request and response. This is also a PCI-DSS requirement.
  • Strong EncryptionPCX encrypts its’ configuration files using 256-bit AES encryption to prevent tampering by unauthorized individuals. CFXWorks also provides PCX users access to the PCX encryption engine for use by the merchant for their own purposes.
  • Tokenization – Tokenization is a technology used to replace actual card data with a unique ID. PCX acquires the token from Elavon. The merchant can process transactions using the token rather than the Primary Account Number (PAN).
  • Point-To-Point Encryption (P2PE) – P2PE is implemented by Elavon’s Fusebox and Simplify gateways. P2PE is deployed to secure “data-in-flight”, for example, data as it moves between the pinpad and Elavon. Users not requiring EMV can use pinpads that do not support the EMV chip but still support P2PE. PCX supports P2PE using a variety of P2PE and EMV enabled pinpads supported by Elavon and their Fusebox and Simplify gateways.
  • Europay, MasterCard and Visa (EMV) standard - EMV is sometimes referred to as the “chip-on-the-card.” Organizations wishing to avoid the “shift in liability issue imposed by the card associations, may choose to implement EMV. PCX supports EMV using a variety of EMV enabled pinpads supported by Elavon and their Fusebox and Simplify gateways.
  • TLSv1.2  - The Payment Card Industry Data Security Standard Version 3.1 dated April 2015 required that merchants disable SSL and use only either TLSv1.1 or TLSv1.2 for their internet connection to their processor. PCX supports TLSv1.2.

Note that CFXWorks defined our original security model over twenty-seven years ago and continues to refine it every year. Our CreditCardXpress™ and PaymentCardXpress® offerings implemented predecessors of our current security model. To our knowledge, neither of these payment solutions have ever been compromised.