Banco Itaú minimizes fraud exposure with integrated cryptography on IBM System z

Overview

Banco Itaú’s adoption of new smart-card technology

was successfully helping to protect customer
Published on 17-Dec-2007 accounts against fraud, but was putting a heavy strain
Validated on 01-Jun-2009 on its authentication systems. As more and more
customers switched over to the new cards, the bank
Customer: realized that it would need a more scalable solution.
Banco Itaú
Business need:
Industry: Banco Itaú wanted to improve the performance and
Banking scalability of its authorization processes to support
the move to EMV (Europay, Mastercard and VISA)
Deployment country: standard.
Brazil
Solution:
Solution: Following successful tests, Banco Itaú selected the
Managing Business Infrastructure, Security IBM Crypto Express2 card for the IBM System z™
platform.

Benefits:
Fully integrated solution for smart-card
authorization; fast and highly secure processing;
improved reliability and performance; highly
scalable solution supports the rapid rollout of chip-
and-pin technology, which will help to improve
security for Banco Itaú’s customers.
Case Study

Established in 1945 in Brazil, Banco Itaú is a privately owned bank with operations across North and South
America and in Europe. In Brazil, the bank has around 3,000 branches and more than 42,000 employees managing
15 million checking accounts and 9 million savings accounts.
Banco Itaú’s adoption of new smart-card technology was successfully helping to protect customer accounts against
fraud, but was putting a heavy strain on its authentication systems. As more and more customers switched over to
the new cards, the bank realized that it would need a more scalable solution.

According to Banco Itaú, the increasing load on its existing solution was beginning to cause problems with
performance and reliability. Furthermore, the liability agreement undertaken by Mastercard and Visa means that
banks in Brazil will soon have
increased liability for fraud carried out on non-smart cards. Banco Itaú was therefore planning to convert all
customers to smart cards, and it was clear that the existing authorization technology would not scale sufficiently.

In the past, there were a number of performance and

reliability problems linked with network components. By moving the authorization processes into the System z
environment, Banco Itaú has eliminated a whole level of external network connections and significantly reliability
and security. In the bank’s opinion, the System z platform is the most reliable technology it owns, and it therefore
makes sense to move as many cryptographic applications as possible onto the platform.

Speed and Security

Banco Itaú prides itself on using the latest technologies to keep its internal efficiency high and to give customers
fast, easy and secure access to banking services. The development of “smart” credit and debit cards featuring
integrated circuits—known variously as EMV, IC cards or chip-and-pin cards—promised to increase security
against card cloning while reducing operational costs. The new cards were immediately popular with Banco Itaú’s
customers, both for the security aspects and for the increased ease and speed of making payments.

As the bank looked to replace all 12 million customer debit cards with the latest smart cards, it considered whether
its existing authorization solution—running on an external HSM (Host Security Module)—was up to the challenge.

The increased security of the smart cards depends on complex encryption and decryption of data, which requires
considerable processing power and high levels of security. IBM proposed a solution that was fully integrated into
Banco Itaú’s main System z platform and that provides better performance, improved security and greater
reliability.

IBM demonstrated the IBM PCI Cryptographic Coprocessor (PCICC) card on the IBM System z platform, and
provided PCICC cards on loan so that Banco Itaú could test the solution for itself. These PCICC cards were used
during testing in early project phases, and were later replaced by Crypto Express2 cards when the customer moved
to z990s and IBM System z9®s.

In Banco Itaú’s opinion, the IBM Crypto Express2 solution was selected for its high performance and flexibility.
The bank’s strong relationship with IBM also played a part: Banco Itaú was keen to build on its use of the
mainframe, and the loaned feature allowed the bank to assure that the solution would have the expected benefits.
Finally, the IBM specialist on-site support for the new security solution gave Banco Itaú great confidence.

A smarter solution

All smart cards used by Banco Itaú’s customers are managed using the new Crypto Express2 solution, while the
previous generation of cards will continue to be managed on the old solution until they are replaced. The bank
expects to complete the conversion to smart cards before the end of 2009.

The encryption keys that secure the smart cards are generated and stored on the Crypto Express2 cards, which
enable the bank to authorize or block transactions rapidly. The solution runs alongside core banking software on
the same physical System z platform, minimizing network traffic and keeping secure data away from potentially
insecure communication channels.

Banco Itaú felt that an integrated system—with encryption running along side core systems on the mainframe—
would both enable enhanced security and increase productivity by creating a more streamlined solution. The
solution does not depend on any external devices, so all traffic stays within the mainframe. The bank feels that this
offers a higher level of security, as well as reducing the overall complexity of the solution. The solution is also
helping Banco Itaú address compliance requirements.

Banco Itaú adds that IBM’s support was instrumental in the successful implementation of the new solution.

Safe, simple and scalable

The IBM Crypto Express2 solution for System z has met all of Banco Itaú’s expectations in terms of performance,
system simplification, reliability and availability. It also offers considerable scope for expansion and is expected to
comfortably support all 12 million smart cards when the rollout is complete.

By replacing a stand-alone proprietary solution, the Crypto Express2 card has reduced maintenance and
operational costs for Banco Itaú and simplified its network architecture. The IBM solution has also eliminated a
potential external point of failure, moving authentication onto the highly reliable mainframe platform.

Banco Itaú concludes that it sees the IBM solution as a reliable, integrated security system that helps the bank
reduce its risk and offer better protection against fraud to its customers. The new smart cards have helped to give
its customers more confidence in the security of the bank’s transactions, and the System z platform plays an
important part in enabling Banco Itaú to offer this benefit to its customers.

Products and services used

IBM products and services that were used in this case study.

Hardware:
System z, System z9, System z: System z9 Enterprise Class (z9 EC), System z: zSeries 990 (z990)

Operating system:
z/OS and OS/390

Legal Information

© Copyright IBM Corporation 2007 IBM Systems and Technology Group Route 100 Somers, NY 10589 U.S.A. Produced in the United
States December 2007 All Rights Reserved IBM, the IBM logo, System z and System z9 are trademarks or registered trademarks of
International Business Machines Corporation in the United States, other countries, or both. Other company, product or service names may be
trademarks, or service marks of others. References in this publication to IBM products, programs or services do not imply that IBM intends
to make these available in all countries in which IBM operates. Any reference to an IBM product, program or service is not intended to
imply that only IBM’s product, program or service may be used. Any functionally equivalent product, program or service may be used
instead. All customer examples cited represent how some customers have used IBM products and the results they may have achieved. Actual
environmental costs and performance characteristics will vary depending on individual customer configurations and conditions. IBM
hardware products are manufactured from new parts, or new and used parts. In some cases, the hardware product may not be new and may
have been previously installed. Regardless, IBM warranty terms apply. This publication is for general guidance only. Photographs may show
design models. © Copyright IBM Corp. 2007 All Rights Reserved.