Compliance with industry security standards
Sterling B2B Integrator provides various security features that ensure compliance with industry security standards.
NIST 800-131a
- Sterling B2B Integrator conforms to the security requirements for the National Institute of Standards and Technology (NIST) standards as specified in the publication 800-131a.
- You can configure all adapters, services, and components of Sterling B2B Integrator to work in an NIST 800-131 compliance mode.
- To enable NIST 800-131a compliance mode, set the value of the property
NIST.800-131a=strict
in the install_dir/properties/security.properties file.
- The available NIST 800-131a compliance modes are Off, Transition, and Strict.
- Enabling NIST mode turns on additional behaviour automatically, such as refusing to communicate with less secure servers and applying other best practices.
- Enable NIST mode by adding
NIST.800-131a=strict
to sandbox.cfg. Valid options are strict, transition, or off.
- Verify that the sandbox.cfg file has NIST.800-131a set to strict:
cd install_dir/install/properties
grep NIST_MODE sandbox.cfg
- Verify that the security.properties file contains NIST.800-131a=strict:
grep NIST.800-131a security.properties
- If there are NIST property overrides in customer_overrides.properties and system.properties, ensure that the key is written as security.NIST.800-131a:
grep security.NIST.800-131a customer_overrides.properties system.properties
- Related documentation: National Institute of Standards and Technology (NIST) security compliance
FIPS 140-2
- Enable FIPS mode to ensure that only the cryptographic modules mandated by FIPS 200 are used.
- The Certicom jars (TrustpointProviders.jar and EccpressoFIPSJca.jar) that are distributed with Sterling B2B Integrator are part of Security Builder GSE-Java, which is a FIPS 140-2 validated cryptographic module.
- In compliance with the FIPS 140-2 mandates, Sterling B2B Integrator permits only approved security functions and approved key establishment techniques.
- Enable FIPS mode during installation by selecting TRUE when asked if you want to run in FIPS mode. You can also enable FIPS mode manually after you install Sterling B2B Integrator by adding
FIPSMode=true
to the install_dir/properties/security.properties and security.properties.in files.
- Verify that FIPS mode is enabled by ensuring that FIPS_MODE is TRUE in the sandbox.cfg file:
cd install_dir/properties
grep FIPS_MODE sandbox.cfg
- Related documentation: Federal Information Processing Standards (FIPS)
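The NIST 800-131a and FIPS checks above are spread across security.properties, customer_overrides.properties and sandbox.cfg. The following added example (not part of the Sterling B2B Integrator documentation or product) consolidates them into one consistency check: it resolves the effective NIST mode with the override precedence the page describes, flags an override key written without the security. prefix, and reports where sandbox.cfg disagrees with the properties files. The property contents are constructed sample data, and the exact layout of sandbox.cfg is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample contents (not taken from a real installation).
SECURITY_PROPERTIES = """# security.properties
NIST.800-131a=strict
FIPSMode=true
"""
CUSTOMER_OVERRIDES = """# customer_overrides.properties: override keys carry the 'security.' prefix
security.NIST.800-131a=transition
"""
SANDBOX_CFG = """NIST_MODE=strict
FIPS_MODE=TRUE
"""

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties parser: key=value or key:value, '#'/'!' comments, last key wins."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:]+)[=:](.*)", line)
        if m:
            props[m.group(1).strip()] = m.group(2).strip()
    return props

def check_compliance(security_txt: str, overrides_txt: str, sandbox_txt: str) -> Dict[str, object]:
    """Resolve the effective NIST/FIPS settings and report inconsistencies between the files."""
    sec, ovr, sbx = (parse_properties(t) for t in (security_txt, overrides_txt, sandbox_txt))
    findings: List[str] = []
    # The page requires the override key to be security.NIST.800-131a; flag the unprefixed form.
    if "NIST.800-131a" in ovr:
        findings.append("override key NIST.800-131a lacks the security. prefix; use security.NIST.800-131a")
    # customer_overrides.properties takes precedence over security.properties; default is off.
    nist = ovr.get("security.NIST.800-131a", sec.get("NIST.800-131a", "off")).lower()
    if nist not in ("off", "transition", "strict"):
        findings.append(f"unknown NIST.800-131a value '{nist}'")
    fips = sec.get("FIPSMode", "false").lower() == "true"
    # sandbox.cfg must agree with the effective properties, otherwise the grep checks mislead.
    if sbx.get("NIST_MODE", "").lower() != nist:
        findings.append(f"sandbox.cfg NIST_MODE={sbx.get('NIST_MODE', '<unset>')} but effective mode is {nist}")
    if (sbx.get("FIPS_MODE", "").lower() == "true") != fips:
        findings.append("sandbox.cfg FIPS_MODE disagrees with security.properties FIPSMode")
    return {"nist_mode": nist, "fips": fips, "findings": findings}

if __name__ == "__main__":
    for finding in check_compliance(SECURITY_PROPERTIES, CUSTOMER_OVERRIDES, SANDBOX_CFG)["findings"]:
        print("FINDING:", finding)
```

With the sample data the override downgrades the effective mode to transition while sandbox.cfg still claims strict, which is exactly the mismatch a grep on a single file would not reveal.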
Payment Card Industry (PCI)
The Payment Card Industry (PCI) Data Security Standard (DSS), developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International, facilitates the global adoption of consistent data security measures. The PCI DSS Version 3.0 standard lists 12 requirements that retailers, online merchants, credit data processors, and other payment-related businesses must implement to help protect cardholders and their data. The requirements include technology controls (such as data encryption, user access control, and activity monitoring) and required procedures. Most of the requirements focus on site security, but some of them apply to securing your applications.
This security document provides a consolidated view of all of the security options for Sterling B2B Integrator. As the application owner, you are responsible for ensuring that your environment complies with any applicable PCI requirements.
- Payment Card Industry Data Security Standard: https://www.pcisecuritystandards.org/index.shtml
The complete standard can be found at https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm
- MasterCard Site Data Protection program: http://www.mastercard.com/us/merchant/security/sdp_program.html
- VISA CISP Program Site: http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) streamlines and strengthens the data protection guidelines within the European Union. With its enforcement, GDPR aims to regulate data handling and processing, which includes the collection, storage, transfer, and use of personal data. For an on-premises application that is used to process data, the application owner or the data controller must implement technical and organisational measures to demonstrate compliance with the GDPR principles.
This security document provides a consolidated view of the security options available in Sterling B2B Integrator. As the application owner, you are responsible for ensuring that your environment complies with all applicable GDPR requirements.
Related documentation: General Data Protection Regulation (GDPR).