
More PCI encryption, tokenization options emerge for compliance


Friday, November 5, 2010


The use of tokens to mask sensitive data is taking hold in the payment industry, with merchants now having the option to use third-party service providers or install their own tokenization server to protect credit card data.

The market for a combined tokenization and encryption package has been simmering, buoyed by merchants trying to find ways to simplify the payment process and meet PCI encryption requirements. The latest guidance from the PCI Security Standards Council suggests that the market for tokenization and point-to-point encryption for PCI compliance is still in its infancy.

"I think it will be a little time before we know whether the current batch of solutions can address all the potential problems," said Ramon Krikken, an analyst at Stamford, Conn.-based Gartner Inc. "The Wal-Marts and Targets of the world, or even large ecommerce retailers, are the ones that may be hesitant to jump in right now."

Krikken said vendors are slowly working toward creating standards so merchants don't get locked into a single vendor. System integration issues also need to be ironed out, Krikken said. Not all software packages can integrate with various databases used for data warehousing, analytical systems and point-of-sale applications. The PCI council is also working on tokenization guidance documents and validation standards so qualified security assessors can evaluate tokenization and encryption systems for compliance with PCI DSS.

Gary Palgon, leader of the PCI SSC Tokenization Working Group and vice president of product management at Atlanta-based tokenization vendor nuBridges Inc., said the push for standards is beginning with PCI DSS, but other requirements for a tokenization standard are needed to address other types of data. For example, many merchants use a 16-digit token when masking credit card data to ensure analytical systems function properly, but a company using tokens for personally identifiable information, such as salary data, may not need that 1:1 relationship, Palgon said.

"We've reached out to our competitors and said we need to be a little more aggressive on standards from a tokenization standpoint," he said. "There will be areas in which we will compete and there will be areas which are commoditized."

RSA is the latest vendor to offer a software package that combines encryption and tokenization capabilities. The security division of EMC Corp. released the Data Protection Manager tool this week. The tool can eliminate credit card data in payment and analytical systems by replacing them with a token. It can also be used in the medical field or other industries that deal with sensitive data.

RSA isn't the only encryption vendor offering off-the-shelf tokenization/encryption software. Protegrity Corp. and Voltage Security Inc. offer format-preserving encryption, something RSA does not. Format-preserving encryption produces output in the same format as the unencrypted data, such as a credit card number string. RSA said its server enables companies to keep part of the format (several digits of a customer's credit card number). nuBridges partnered with PGP Corp., now part of Symantec, to offer encryption integration.

"You shrink the scope to applications that really need card numbers plus your tokenization server," Krikken said. "The gain with solutions like this is that you'll have the entire infrastructure under your control."

RSA Data Protection Manager is a server-side management tool and token database. It includes an interface for setup and management of the technology. The console is used to manage keys and tokens, enabling IT to set key rotation policies -- monthly or annually -- for different parts of the infrastructure. "In addition, the same server is used to manage the application environment as well as the back-end disk and storage encryption, so customers avoid the overhead of key management silos," RSA said in a statement.

RSA said the Data Protection Manager targets larger merchants who don't want to use a third-party provider for tokenization services. DPM does not require a professional services team to implement, but RSA said it frequently gets requests to tune the DPM server for performance. "A hardware appliance is also available for enterprise key management use cases, which makes for easier deployment with customer resources," RSA said.

RSA also offers a point-to-point encryption and tokenization service with payment processor First Data Corp., an option that may be popular with small and midsized merchants attempting to reduce the scope of PCI DSS by moving all payment data out of company systems. RSA has a similar arrangement with San Jose, Calif.-based point-of-sale systems vendor VeriFone Systems Inc., incorporating tokenization and encryption into VeriFone's secure payment systems software.
