Understanding Security in Transaction-based Monitoring Tools

I was demonstrating our INETCO Insight product the other day to a prospective partner when he asked “You can actually pick up the credit card number in transactions?”

“Yes” I replied. “That’s great!” he said and we continued with the demo.

INETCO Insight can pick up credit card numbers because we decode application-level messages originating from ATM, POS, online banking, and mobile banking applications using flexible tables that actually pick apart the messages and return individual fields. Each field is mapped to a data dictionary (e.g. Data element 2 in the message is the credit card number) so it can be used to trigger alerts or execute searches.

Our responsibility doesn’t end here. Once the fields are tagged, we apply a security classification. Fields are marked as either:

  1. Forbidden. This information should never be stored or displayed (e.g. Track 2 information on a credit card)
  2. Sensitive. This information must be treated in some way before it’s stored or displayed (e.g. blank out certain digits or replace them with asterisks)
  3. Normal. This information is suitable for display.

Then, forbidden information is dropped (in memory and never swapped to disk), sensitive information is treated (using non reversible methods). Along the way, everything gets encrypted.  All data passing on the wire between the data collectors, the server and the data storage is always SSL encrypted.   

With INETCO Insight, we took another step beyond the wire, implementing a FIPS compliant integration with Thales security hardware. This allows INETCO Insight to tie in seamlessly with even the tightest security architectures out there to make sure forbidden and sensitive information is protected in every way possible.  You are not doing any of the encryption in your programming code, and there is no opportunity to compromise your software system.

We believe this is a critical capability for any network-based application performance monitoring product, so we chose to build early and build well to provide the best possible security. Whether you’re subject to PCI audits like many of our customers, or just careful about the privacy of your customer’s and user’s information, we can provide peace of mind.

So yes, we can actually pick up the credit card number in transactions. And yes, it’s a great feature. But with great features like this come great responsibility.  Make sure you also make hardware encryption a mandatory check box when it comes to investing in your transaction-based monitoring tools.

To learn more about INETCO Insight’s security and encryption policies, email: 

For a demonstration of INETCO Insight, watch this YouTube video: