Summer 2009 – Online Insights: Data Security

Tokenization Gains Traction
By Gary Palgon
Protecting confidential customer information from theft and accidental loss is a critical business challenge for retailers, whether you sell your products in stores, online, via mail order, from a call center, or a combination thereof. Wherever payment card information is collected and stored, it is at risk. This applies equally to personally identifiable information (PII), whether it is customer loyalty information or employee data. No one in this industry needs to be reminded of the many high-profile, reputation-damaging and costly data breaches that retailers have suffered in just the past few years.
We’ve seen state breach notification laws and international privacy laws enacted, as well as industry mandates such as the Payment Card Industry’s Data Security Standard (PCI DSS). Most large retailers and many smaller ones have adopted some form of data encryption to protect the payment card numbers entrusted to them.
While there is no question that data encryption—when combined with data security best practices—is effective for protecting sensitive data and for complying with PCI DSS, the encrypted data remains in the applications and databases. Any system that contains this encrypted data is a point of risk and, therefore, considered “in scope” for PCI DSS compliance and annual audits. Moreover, as retailers seek security for more diverse types of confidential information such as social security numbers for employees, commercial driver’s license numbers for company drivers, as well as passwords and other sensitive data, data encryption becomes more complex and resource intensive.
Another challenge is that encrypted data takes up more space than unencrypted data. Many forms of PII contain many more characters than a 16-digit credit card number—all of which can pose a “square peg into a round hole” storage problem with consequences that ripple through the business applications that use the data. Retailers must often contract for costly modifications to existing applications and databases.
To reduce the points of risk as well as the scope of PCI DSS audits and to provide another level of security, a new data security model—tokenization—is gaining traction with retailers.
WHAT IS TOKENIZATION?
Tokenization is an alternative data protection architecture that is ideal for some retailers’ requirements. It reduces the number of points where sensitive data is stored within an enterprise, making it easier to manage and more secure. The newest form creates a token—or surrogate value—that represents and fits precisely in place of the original data (instead of the larger amount of storage required by encrypted data). Additionally, to maintain some of the business context of the original value, certain portions of the credit card number can be retained within the token. The encrypted data the token represents is then locked in a central data vault and protected by encryption keys.
Because tokens are not mathematically derived from the original data, they are arguably safer than encrypted values. A token can be passed around the network between applications, databases and business processes safely, all while leaving the encrypted data it represents securely stored in a central repository. Authorized applications that need access to encrypted data can only retrieve it using a token issued from a token server, providing an extra layer of protection and preserving storage space.
One large retailer recently performed an internal audit and discovered credit card information stored in more than 200 places. Even with a strong encryption and key management solution and excellent internal procedures, this was unmanageable and an unacceptable level of risk. The company first deleted credit card information from places where it wasn’t truly needed. The next step was to reduce the number of instances of the information to four encrypted “data silos” and substitute tokens for the credit card information in the remaining locations. This created a highly manageable architecture and reduced the risk of breach dramatically.
DATA ANALYSIS: BUSINESS AS USUAL
Referential integrity can introduce problems where various applications (e.g., loss prevention, merchandise returns, data warehouses) and databases use the sensitive data values as foreign keys for joining tables to run queries and perform data analysis. When the sensitive fields are encrypted, they often impede these operations since, by definition, encryption algorithms generate random encrypted values. While there are methods to remove the “randomization,” there are risks involved. A consistent, format-sensitive token eliminates this issue. It also reduces the number of employees who can access sensitive data to minimize internal data theft risk. Under the tokenization model, only highly authorized employees have access to encrypted customer information—and even fewer have access to the unencrypted data.
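The token server and central vault described above, with the consistent, format-preserving token that keeps joins working across applications, as an added example (assumed design, not the author's or nuBridges' product code; `TokenVault`, `join_on_token` and the caller names are hypothetical):

```python
import secrets

DIGITS = "0123456789"


class TokenVault:
    """Hypothetical token server plus central data vault (assumed design).

    Tokens are random digits of the same length as the card number, with the
    last four digits retained, so they drop into existing fields unchanged.
    The real PAN is held only in the vault; in production that store would be
    encrypted under managed keys rather than kept in a plain dict.
    """

    def __init__(self, authorized_callers, keep_last=4):
        self.authorized = set(authorized_callers)
        self.keep_last = keep_last
        self._pan_by_token = {}   # the vault: token -> PAN
        self._token_by_pan = {}   # same PAN -> same token (referential integrity)

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or len(pan) <= self.keep_last:
            raise ValueError("expected an all-digit PAN longer than the retained tail")
        if pan in self._token_by_pan:          # consistent token for repeat values
            return self._token_by_pan[pan]
        tail = pan[-self.keep_last:]
        while True:
            # Random, not derived from the PAN: unlike an encrypted value, the
            # token cannot be reversed without the vault.
            head = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - self.keep_last))
            token = head + tail
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        # Only systems that must see the PAN (e.g. the payment gateway) may
        # retrieve it; every other system handles tokens only and stays out of scope.
        if caller not in self.authorized:
            raise PermissionError(f"{caller} may not retrieve card data")
        return self._pan_by_token[token]


def join_on_token(returns_rows, warehouse_rows):
    """Two out-of-scope applications joining on the token instead of the PAN."""
    by_token = {row["token"]: row for row in warehouse_rows}
    return [(r, by_token[r["token"]]) for r in returns_rows if r["token"] in by_token]
```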
REDUCING AUDIT SCOPE
When you undergo a PCI DSS audit, all of the systems, applications and processes that maintain or have access to credit card information are considered “in scope.” However, if you substitute tokens for the credit card information and the systems, applications and processes never require access to the token’s underlying value, they are taken “out of scope” and do not need to comply with the PCI DSS requirements.
IS TOKENIZATION FOR YOU?
Tokenization, for all its benefits, is not a silver bullet for every retailer. Is it right for your company? For many, the best solution is a hybrid approach: a combination of localized encryption, centralized tokenization and data security best practices. Tokenization is worth considering if your company:
- Collects and stores large volumes of structured data (e.g., credit card numbers and PII such as social security numbers, customer buying habit information, salary records, etc.).
- Has a fully interconnected IT environment, whereby systems with confidential information are connected to a central application and data vault. Centralized tokenization doesn’t work in a disconnected environment; localized encryption or “in-place tokenization” works well in those systems.
- Wants to reduce points of risk and make compliance with PCI DSS easier and less costly. Tokenization reduces the points of risk by removing encrypted data from applications and databases throughout the enterprise, thereby taking those systems out of scope for compliance and audits.
- Wants to avoid costly modifications to applications and databases to store encrypted data.
- Conducts trans-border business. Retailers who do business in Europe must obey European privacy laws, which prohibit certain employee and consumer information such as social insurance numbers from being electronically transferred across international borders without express written consent. Because tokens can be transmitted in place of confidential information and referential integrity is preserved, application development, testing and data analysis can be conducted on information collected in other countries while complying with international law.
Tokenization reduces the scope both of risk and data storage requirements, while maintaining referential integrity and streamlining the auditing process for regulatory compliance. The higher the volume of data and the more types of sensitive data you collect, the more valuable tokenization becomes. Fortunately, incorporating tokenization requires little more than adding a token server and central data vault. For retailers with a combination of disconnected and interconnected data entry systems, incorporating local encryption and tokenization with centralized encryption key management will provide the best protection.
Gary Palgon is vice president of product management for data protection software vendor nuBridges, Inc. He can be reached at gpalgon@nubridges.com.

By WMS, April 13, 2010 @ 7:32 am
Risk comes with any business venture. Business owners just have to look for strategies to minimize it, especially when it comes to personal and sensitive information entrusted to you by your clientele. However, companies should not use the notion that there is a possibility of risk involved as an excuse; instead, they should focus on finding ways to totally resolve the problem. Alternative solutions must be carefully planned, like this tokenization data protection, which minimizes the risk during the process, specifically in the use of credit card information.