More PCI encryption, tokenization options emerge for compliance
The use of tokens to mask sensitive data is taking hold in the payment industry, with merchants now having the option to use third-party service providers or install their own tokenization server to protect credit card data.
The market for a combined tokenization and encryption package has been simmering, buoyed by merchants trying to find ways to simplify the payment process and meet PCI encryption requirements. The latest guidance from the PCI Security Standards Council suggests that the market for tokenization and point-to-point encryption for PCI compliance is still in its infancy.
"I think it will be a little time before we know whether the current batch of solutions can address all the potential problems," said Ramon Krikken, an analyst at Stamford, Conn.-based Gartner Inc. "The Wal-Marts and Targets of the world, or even large ecommerce retailers, are the ones that may be hesitant to jump in right now."
Krikken said vendors are slowly working toward creating standards so merchants don't get locked into a single vendor. System integration issues also need to be ironed out, Krikken said. Not all software packages can integrate with various databases used for data warehousing, analytical systems and point-of-sale applications. The PCI council is also working on tokenization guidance documents and validation standards so qualified security assessors can evaluate tokenization and encryption systems for compliance with PCI DSS.
Gary Palgon, leader of the PCI SSC Tokenization Working Group and vice president of product management at Atlanta-based tokenization vendor nuBridges Inc., said the push for standards is beginning with PCI DSS, but other requirements for a tokenization standard are needed to address other types of data. For example, many merchants use a 16-digit token when masking credit card data to ensure analytical systems function properly, but a company using tokens for personally identifiable information, such as salary data, may not need that 1:1 relationship, Palgon said.
"We've reached out to our competitors and said we need to be a little more aggressive on standards from a tokenization standpoint," he said. "There will be areas in which we will compete and there will be areas which are commoditized."
RSA is the latest vendor to offer a software package that combines encryption and tokenization capabilities. RSA, the security division of EMC Corp., released the Data Protection Manager tool this week. The tool can remove credit card data from payment and analytical systems by replacing each card number with a token. It can also be used in the medical field or other industries that handle sensitive data.
RSA isn't the only encryption vendor offering off-the-shelf tokenization/encryption software. Protegrity Corp. and Voltage Security Inc. offer format-preserving encryption, which RSA does not. Format-preserving encryption produces ciphertext in the same format as the plaintext, such as a 16-digit credit card number string, so existing database fields and applications do not have to change. RSA said its server lets companies preserve part of the format (for example, several digits of a customer's credit card number). nuBridges partnered with PGP Corp., now part of Symantec, to offer encryption integration.
"You shrink the scope to applications that really need card numbers plus your tokenization server," Krikken said. "The gain with solutions like this is that you'll have the entire infrastructure under your control."
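To make the trade-offs above concrete (a 16-digit token that keeps analytics working, a 1:1 PAN-to-token relationship, and a tokenization server that becomes the one place card numbers live), here is a minimal in-house token vault. This is an added illustration written for this article, not code from RSA, nuBridges or any other vendor named here; the class and method names, the choice to preserve the first six and last four digits, the keyed lookup index and the caller allow-list are all assumptions of the example. It demonstrates vault-based tokenization only, not format-preserving encryption, which is a keyed cipher with no vault.

```python
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical in-house tokenization server (not any vendor's product).

    Tokens are 16 digits and keep the first six (BIN) and last four digits of
    the PAN so downstream analytics and receipts keep working; the middle six
    digits are random, so the token carries no information about the real PAN.
    Tokens are made Luhn-valid so systems that validate card fields accept them.
    """

    def __init__(self, index_key: bytes, detokenize_allowed: set):
        self._index_key = index_key              # key for the lookup index
        self._detokenize_allowed = detokenize_allowed  # applications still in scope
        self._token_by_index = {}  # HMAC(PAN) -> token, gives the 1:1 mapping
        self._pan_by_token = {}    # token -> PAN; a real vault encrypts this at rest

    def _index(self, pan: str) -> str:
        # Keyed hash: without the key the index is not a usable PAN fingerprint,
        # so a leaked index table cannot be brute-forced over the PAN space.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, creating one on first use."""
        if not (pan.isdigit() and len(pan) == 16 and luhn_valid(pan)):
            raise ValueError("not a 16-digit Luhn-valid PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]  # same PAN always maps to same token
        while True:
            middle = "".join(str(secrets.randbelow(10)) for _ in range(5))
            # The sixth middle digit is not doubled by Luhn, so exactly one
            # value of d makes the whole token pass; try all ten.
            for d in range(10):
                token = pan[:6] + middle + str(d) + pan[-4:]
                if luhn_valid(token):
                    break
            if token != pan and token not in self._pan_by_token:
                break  # reject the (tiny) chance of reproducing the PAN or an existing token
        self._token_by_index[idx] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Return the PAN for a token; only allow-listed applications may call this."""
        if caller not in self._detokenize_allowed:
            raise PermissionError(f"{caller} is not allowed to detokenize")
        return self._pan_by_token[token]


if __name__ == "__main__":
    # Constructed sample input: the well-known Visa test PAN, not a real card.
    vault = TokenVault(secrets.token_bytes(32), {"payment-gateway"})
    token = vault.tokenize("4111111111111111")
    print("token:", token)
    print("same PAN again:", vault.tokenize("4111111111111111") == token)
    print("gateway sees:", vault.detokenize(token, "payment-gateway"))
```

The two lines that carry the security value are the keyed index and the caller allow-list: every application that only receives tokens drops out of PCI scope, and the vault plus the few callers permitted to detokenize are what remain. Note the caveat that a Luhn-valid token sharing BIN and last four digits with a PAN is indistinguishable from a real card number to a casual observer; some deployments deliberately make tokens fail Luhn or use a reserved prefix so a leaked token can never be mistaken for, or collide with, a live PAN.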
RSA Data Protection Manager is a server-side management tool and token database. It includes a management console for setup and administration. The console is used to manage keys and tokens, enabling IT to set key rotation policies -- monthly or annually -- for different parts of the infrastructure. "In addition, the same server is used to manage the application environment as well as the back-end disk and storage encryption, so customers avoid the overhead of key management silos," RSA said in a statement.
RSA said the Data Protection Manager targets larger merchants who don't want to use a third-party provider for tokenization services. DPM does not require a professional services team to implement, but RSA said it frequently gets requests to tune the DPM server for performance. "A hardware appliance is also available for enterprise key management use cases, which makes for easier deployment with customer resources," RSA said.
RSA also offers a point-to-point encryption and tokenization service with payment processor First Data Corp., an option that may be popular with small and midsized merchants attempting to reduce the scope of PCI DSS by moving all payment data out of company systems. RSA has a similar arrangement with San Jose, Calif.-based point-of-sale systems vendor VeriFone Systems Inc., incorporating tokenization and encryption into VeriFone's secure payment systems software.