
ROAM DATA Payment Industry News Focusing on Mobile Payments


Friday, November 5, 2010

More PCI encryption, tokenization options emerge for compliance

The use of tokens to mask sensitive data is taking hold in the payment industry, with merchants now having the option to use third-party service providers or install their own tokenization server to protect credit card data.

The market for a combined tokenization and encryption package has been simmering, buoyed by merchants trying to find ways to simplify the payment process and meet PCI encryption requirements. The latest guidance from the PCI Security Standards Council suggests that the market for tokenization and point-to-point encryption for PCI compliance is still in its infancy.

"I think it will be a little time before we know whether the current batch of solutions can address all the potential problems," said Ramon Krikken, an analyst at Stamford, Conn.-based Gartner Inc. "The Wal-Marts and Targets of the world, or even large ecommerce retailers, are the ones that may be hesitant to jump in right now."

Krikken said vendors are slowly working toward creating standards so merchants don't get locked into a single vendor. System integration issues also need to be ironed out, Krikken said. Not all software packages can integrate with various databases used for data warehousing, analytical systems and point-of-sale applications. The PCI council is also working on tokenization guidance documents and validation standards so qualified security assessors can evaluate tokenization and encryption systems for compliance with PCI DSS.

Gary Palgon, leader of the PCI SSC Tokenization Working Group and vice president of product management at Atlanta-based tokenization vendor nuBridges Inc., said the push for standards is beginning with PCI DSS, but other requirements for a tokenization standard are needed to address other types of data. For example, many merchants use a 16-digit token when masking credit card data to ensure analytical systems function properly, but a company using tokens for personally identifiable information, such as salary data, may not need that 1:1 relationship, Palgon said.

"We've reached out to our competitors and said we need to be a little more aggressive on standards from a tokenization standpoint," he said. "There will be areas in which we will compete and there will be areas which are commoditized."

RSA is the latest vendor to offer a software package that combines encryption and tokenization capabilities. The security division of EMC Corp. released the Data Protection Manager tool this week. The tool can remove credit card data from payment and analytical systems by replacing it with a token. It can also be used in the medical field or other industries that deal with sensitive data.

RSA isn't the only encryption vendor offering off-the-shelf tokenization/encryption software. Protegrity Corp. and Voltage Security Inc. offer format-preserving encryption, something RSA does not. Format-preserving encryption can keep the same format of the unencrypted data, such as a credit card number string. RSA said its server enables companies to keep part of the format (several digits of a customer's credit card number). nuBridges partnered with PGP Corp., now part of Symantec, to offer encryption integration.

"You shrink the scope to applications that really need card numbers plus your tokenization server," Krikken said. "The gain with solutions like this is that you'll have the entire infrastructure under your control."

RSA Data Protection Manager is a server-side management tool and token database. It includes an interface for setup and management of the technology. The console is used to manage keys and tokens, enabling IT to set key rotation policies -- monthly or annually -- for different parts of the infrastructure. "In addition, the same server is used to manage the application environment as well as the back-end disk and storage encryption, so customers avoid the overhead of key management silos," RSA said in a statement.

RSA said the Data Protection Manager targets larger merchants who don't want to use a third-party provider for tokenization services. DPM does not require a professional services team to implement, but RSA said it frequently gets requests to tune the DPM server for performance. "A hardware appliance is also available for enterprise key management use cases, which makes for easier deployment with customer resources," RSA said.

RSA also offers a point-to-point encryption and tokenization service with payment processor First Data Corp., an option that may appeal to small and midsized merchants trying to reduce their PCI DSS scope by moving all payment data out of company systems. RSA has a similar arrangement with San Jose, Calif.-based point-of-sale systems vendor VeriFone Systems Inc., incorporating tokenization and encryption into VeriFone's secure payment systems software.
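To make the design points in this article concrete, here is a toy tokenization vault in Python. It is an added example, not code from RSA, nuBridges or any other vendor named above. It shows the behaviour merchants ask for: the token has the same length as the card number (PAN) and keeps its last four digits so reports and receipts still work; the same PAN always yields the same token so analytics can still join on it; a candidate token is rejected if it passes the Luhn check, so a token can never be mistaken for, or collide with, a real card number; and only detokenize() ever returns the PAN, which is the call you restrict to the few systems that genuinely need it. The HMAC-keyed forward index and the Luhn-failure rule are design choices assumed here, not features the article attributes to any product, and the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check that real PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy tokenization server (assumed design, not any vendor's product).

    A PAN is replaced by a same-length surrogate that keeps the last
    `keep_last` digits, and the same PAN always maps to the same token.
    """

    def __init__(self, keep_last: int = 4):
        self.keep_last = keep_last
        # Index key: lets us find an existing token for a PAN without keeping
        # the PAN itself as the key of the forward index.
        self._index_key = secrets.token_bytes(32)
        self._token_by_pan_tag = {}  # HMAC(PAN) -> token
        # token -> PAN. Held in clear here so the example runs stand-alone;
        # a real vault encrypts this column under a managed, rotated key.
        self._pan_by_token = {}

    def _tag(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("input is not a plausible PAN")
        tag = self._tag(pan)
        if tag in self._token_by_pan_tag:
            return self._token_by_pan_tag[tag]  # 1:1 mapping for analytics
        tail = pan[-self.keep_last:]
        while True:
            head = "".join(str(secrets.randbelow(10))
                           for _ in range(len(pan) - self.keep_last))
            token = head + tail
            # Reject tokens that pass Luhn (so no token is ever a valid PAN,
            # which also rules out token == pan) and reject reused tokens.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._token_by_pan_tag[tag] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the few in-scope systems that really need the PAN call this."""
        return self._pan_by_token[token]


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test PAN, passes Luhn
    t1 = vault.tokenize(pan)
    t2 = vault.tokenize(pan)
    return {
        "pan": pan,
        "token": t1,
        "stable": t1 == t2,
        "tail_kept": t1[-4:] == pan[-4:],
        "token_is_not_pan": not luhn_valid(t1),
        "round_trip": vault.detokenize(t1) == pan,
    }


if __name__ == "__main__":
    print(demo())
```

The scope reduction Krikken describes falls out of the last method: every system that stores or reports on the token never sees a PAN, and only the vault plus whichever application calls detokenize() remain in PCI DSS scope. Key rotation on the console the article mentions would apply to the key protecting the token-to-PAN column, which this in-memory toy deliberately leaves unencrypted.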




Thursday, November 4, 2010

Ensure Your Access Certification Strategy Achieves Your User Access and Compliance Goals

Today, companies are more dependent than ever on computer systems to gather, analyze and process a wide variety of vital IT resources, including sensitive data such as nonpublic personal information.

With access to this data comes the responsibility to ensure that it is kept secure. This means making certain that only authorized personnel have access to it, and that their access is limited to the lowest level of privilege required for them to perform their business function effectively and efficiently.

Implementing a strategy that includes periodic access certification reviews by the business, to confirm that only the right people have the right level of access to vital IT assets, will reduce the likelihood of a data breach, which can be devastating in cost: lawsuits, regulatory fines and brand damage.



PCI Compliance and Level 4 Merchants


According to a new survey conducted by ControlScan and Merchant Warehouse, Level 4 merchants (small-to-medium sized businesses) are all over the map on PCI awareness and compliance. 91% of the larger Level 4 merchants (over 50 employees) are familiar with PCI DSS, but only 45% of the smaller merchants (1-10 employees) are familiar. eCommerce merchants were more aware of PCI compliance than their brick-and-mortar retail counterparts (60% versus 37%).



Four Things Your Server Could Tell You: McAfee Total Protection for Server - Security and Compliance from a Single Solution


All Rights Reserved, Copyright 2000 - 2010, TechTarget



Tuesday, November 2, 2010

A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security

Recent economic troubles might have something to do with the fact that many organizations today seek to establish only the bare minimum level of security. To be more precise, they try to do what they think is the bare minimum. In fact, their belief that security "due diligence" can be reduced to the level prescribed by regulations such as the Payment Card Industry Data Security Standard (PCI DSS) is more common than ever. Unfortunately, the results of this flawed thinking include security breaches and other damaging events.

This trend toward establishing the minimum required level of security has affected many security safeguards, including Security Information and Event Management (SIEM) and log management. Most organizations simply deploy these technologies to place a check in the compliance check box. In this paper we will take a look at this disturbing trend and provide useful guidance for maximizing the value of SIEM and log management tools, focusing on protecting systems and data rather than on simply checking the compliance check box.

To summarize, SIEM focuses on security while log management focuses on broad use of log data. More specifically, SIEM tools include correlation and other real-time analysis functionality, which is useful for real-time monitoring. In comparison, log tools often focus on advanced search across all log data. Today, select tools combine select capabilities of SIEM and log management in a single product or product suite. Read on to learn more about SIEM and log management.
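The distinction drawn above, search across all log data versus real-time correlation, is easiest to see side by side on the same input. The following Python is an added example, not code from the paper or from any SIEM product: search() is the log-management operation (return every line containing a term), while correlate() is a minimal SIEM-style rule that keeps a sliding window of failed logins per source address and raises an alert when a successful login from that source follows five or more failures within sixty seconds. The log lines are constructed in the common syslog plus OpenSSH format with documentation-range IP addresses; the year, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (syslog + OpenSSH sshd format); not real logs.
LOGS = """\
Nov  2 10:00:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Nov  2 10:00:02 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51124 ssh2
Nov  2 10:00:03 web1 sshd[2205]: Failed password for admin from 203.0.113.7 port 51126 ssh2
Nov  2 10:00:04 web1 sshd[2207]: Failed password for admin from 203.0.113.7 port 51128 ssh2
Nov  2 10:00:05 web1 sshd[2209]: Failed password for admin from 203.0.113.7 port 51130 ssh2
Nov  2 10:00:09 web1 sshd[2215]: Accepted password for admin from 203.0.113.7 port 51140 ssh2
Nov  2 10:01:00 web1 sshd[2230]: Failed password for bob from 198.51.100.9 port 40002 ssh2
Nov  2 10:30:00 web1 sshd[2290]: Accepted publickey for bob from 198.51.100.9 port 40010 ssh2
""".splitlines()

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(line, year=2010):
    """Turn one sshd line into an event dict, or None if it is not an auth line.
    Syslog lines carry no year, so one is assumed."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev


def search(lines, term):
    """Log-management style: full-text search over everything, raw lines back."""
    return [line for line in lines if term in line]


def correlate(lines, threshold=5, window_s=60):
    """SIEM style: >= threshold failures from one source inside the window,
    followed by a success from that source, is a likely brute-force login."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        # Expire failures that fell out of the sliding window.
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:  # "Accepted" after a burst of failures
            alerts.append({"src": ev["src"], "user": ev["user"],
                           "failures": len(q), "at": ev["ts"]})
            q.clear()
    return alerts


if __name__ == "__main__":
    print(len(search(LOGS, "Failed password")), "failed-login lines")
    for a in correlate(LOGS):
        print("ALERT", a)
```

The search answers "show me every failed login" and leaves the analyst to read them; the correlation rule encodes the analyst's reasoning (many failures, then a success, same source, short interval) so the product can raise it in real time. That state-keeping per source is what the paper means by correlation, and it is the part a compliance-only deployment typically never switches on.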



eGuide: IT Compliance - Documentation Tips and 10 Tasks You Should Complete

Many IT managers understand the importance of meeting compliance requirements, but maintaining documentation and keeping it up to date can be difficult if you don't know what auditors look for. This expert e-guide from SearchExchange.com explains how to provide documentation to meet data protection laws and regulations. Find out what auditors look for and which documentation is required. And learn about ten compliance-related tasks you should complete to ensure optimal internal controls have been established for your email systems.



Managing Powerful Users for Regulatory Compliance on the IBM i

When evaluating a system, an auditor looks for "powerful users" and wants to know the following: who are they, what can they do and what have they done? The reason for this concern about these particular users is that 50% of known security incidents come from employees.

This paper will discuss the unique way System i (OS/400) users achieve special authorities and how auditors regard those authorities as threats in the context of COBIT and PCI standards, as well as how to control these profiles.
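The auditor's three questions here, and the periodic access certification review described in the Nov 4 item above, are the same exercise: compare what each profile can do against what its role should allow, and pair that with what the profile has actually done. The Python below is an added example serving both passages, not code from either paper. It uses real IBM i special authority names (*ALLOBJ, *SECADM and so on) as the privilege vocabulary, although neither blurb lists them; the profile export format, the role baseline, the audit records and the certify/recertify/revoke rules are all constructed assumptions, not the output of any OS/400 command or the content of any audit journal.

```python
from collections import defaultdict
from datetime import date

# Constructed user-profile export: the special authorities each profile holds.
PROFILES = [
    {"user": "ALICE", "role": "developer", "special": {"*JOBCTL"}},
    {"user": "BOB",   "role": "developer", "special": {"*ALLOBJ", "*JOBCTL"}},
    {"user": "CAROL", "role": "secadmin",  "special": {"*SECADM", "*AUDIT"}},
    {"user": "DAVE",  "role": "operator",  "special": {"*ALLOBJ", "*SAVSYS"}},
]

# Role baseline agreed with the business: the most each role may hold.
BASELINE = {
    "developer": {"*JOBCTL"},
    "secadmin": {"*SECADM", "*AUDIT"},
    "operator": {"*JOBCTL", "*SAVSYS"},
}

# Authorities that make a profile "powerful" regardless of its role.
POWERFUL = {"*ALLOBJ", "*SECADM", "*SERVICE", "*AUDIT"}

# Constructed audit records (user, date, command); a real review pulls these
# from the system audit journal.
AUDIT = [
    ("BOB",   date(2010, 10, 28), "CHGOBJOWN"),
    ("BOB",   date(2010, 10, 30), "RSTOBJ"),
    ("CAROL", date(2010, 11, 1),  "CRTUSRPRF"),
    ("DAVE",  date(2010, 6, 2),   "SAVLIB"),
]


def certify(profiles, baseline, audit, today=date(2010, 11, 4), dormant_days=90):
    """Build the review packet: who is powerful, what exceeds the baseline,
    what they have done, and the decision the reviewer is asked to confirm."""
    last_seen = {}
    actions = defaultdict(set)
    for user, when, action in audit:          # "what have they done"
        last_seen[user] = max(last_seen.get(user, when), when)
        actions[user].add(action)
    packet = []
    for p in profiles:
        allowed = baseline.get(p["role"], set())
        excess = p["special"] - allowed       # "what can they do" beyond the role
        powerful = bool(p["special"] & POWERFUL)
        seen = last_seen.get(p["user"])
        dormant = seen is None or (today - seen).days > dormant_days
        if excess:
            decision = "revoke"      # outside the baseline: least privilege violated
        elif powerful:
            decision = "recertify"   # within baseline but powerful: owner must sign off
        else:
            decision = "certify"
        packet.append({
            "user": p["user"], "role": p["role"], "powerful": powerful,
            "excess": sorted(excess), "dormant": dormant,
            "recent_actions": sorted(actions[p["user"]]), "decision": decision,
        })
    return packet


if __name__ == "__main__":
    for row in certify(PROFILES, BASELINE, AUDIT):
        print(row)
```

The packet is what goes to the business reviewer: every powerful profile is listed even when it is within baseline, so it is consciously re-approved each cycle rather than silently carried forward, and a grant outside the baseline is flagged for removal regardless of whether the user has been active. The dormant flag answers the auditor's implicit fourth question, whether the authority is used at all.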

