Posts Tagged PCI-DSS

Tokenization: A Powerful Weapon Against Cyber Attack

Posted by on Thursday, 19 April, 2012

Tokenization in the data security world is the process of moving sensitive data from a company network to a separate location or sever, and replacing and referencing that data on the company server with a unique token.

If hackers attempt to access sensitive information like credit card numbers from a server, they’ll instead encounter the token which prevents them from finding the original data without a specific encryption key or knowledge of the tokenization system.

Linoma Software GoAnywhere Managed File Transfer SolutionFor example, say a merchant acquires a credit card number by swiping a customer’s card with a card reader.  If the merchant has implemented tokenization, this card number information is immediately replaced in the merchant’s database by a token number while the actual card number is sent and stored (in encrypted form) at a different location, along with the reference from the token.

Because the actual card number is never stored in the merchant’s front-end system, hackers have a much more difficult time stealing it. Customers can therefore be assured that it is safe to let that merchant use their card information because the actual credit card numbers are not stored in an easily accessible location.

All organizations that capture credit card data are required by the PCI DSS government regulations to secure and protect this data.  Originally, this presented a challenge to the payment industry until Shift4 Corporation presented tokenization solutions at an industry Security Summit in 1995.  The adoption of tokenization became a popular solution to meet the PCI DSS compliance regulations.

>>Check out these white papers discussing PCI DSS compliance issues, and data breach threats

Other industries are beginning to adopt tokenization to protect confidential information such as banking transactions, medical records, criminal records, vehicle driver information, loan applications, stock trading and voter registration.

Finding the most efficient way to implement tokenization is challenging, but the growing threat of cyber attack and the expense of data breach have motivated IT shops to research options in earnest.

A variety of third-party software solutions, such as Linoma Software’s Crypto Complete, deliver tokenization tools as well as additional options for managing encryption keys, audit logs, message alerts; storing tokenized data; automatically assigning token identifiers; and providing a central management platform for the entire tokenization process.

When a greedy hacker in anticipation of scoring a cache of customer credit card data finds instead a series of tokens, companies win another battle in the war against cyber thieves.

Daniel Cheney

Daniel has been the IT Director at a healthcare company for the last 12 years and a longtime beneficiary of GoAnywhere Director and the IBM i platform. He is also a freelance writer for various technical and social media projects.

More Posts - Website

Compliance and Regulations for Sensitive Data Transfers

Posted by on Monday, 10 January, 2011

Secured ComputerHighly sensitive data is frequently exchanged between organizations. For instance, a business will routinely transmit financial information to their bank including payroll direct deposits and ACH payments. These transactions most likely contain sensitive elements like bank account numbers, routing numbers, social security numbers and payment information.

Industry-specific transactions may also contain highly sensitive data. For example, in the health care business, patient records are regularly exchanged between hospitals, doctors and payment providers. In the insurance business, policy information is often transmitted between carriers. This information may contain names, addresses, birth dates, social security numbers and other private information.

Loss of sensitive data can result in great financial expense, lawsuits and public embarrassment for the affected organization. Therefore it is no surprise that industries are setting new regulations and standards to address the security of their data.  For instance:

  • PCI DSS requires that credit card numbers are encrypted while “at rest” and “in motion”.  Failure to do so can result in severe fines and potential loss of your merchant account.
  • HIPAA requires that healthcare records are secured to protect the privacy of patients.
  • State privacy laws require that customers are notified if their personal information may have been lost or stolen. Some states will also assess large fines against organizations if this data is not protected properly.

Organizations should consider compliance requirements and regulations when looking for a Managed File Transfer solution. An effective solution should have a number of encryption methods available to protect sensitive data including SSL, SSH, AES and Open PGP encryption. Audit trails should also be in place to track file transfer activity so you can easily determine what files are being sent, what time they are sent, who the sender and receiver is, and so on. If you are looking for a comprehensive solution be sure to check out our GoAnywhere Managed File Transfer Suite.

Related Blog: PCI DSS v2.0

PCI-DSS 2.0

Posted by on Wednesday, 6 October, 2010

According to a survey of 155 Qualified Security Assessors (QSAs) conducted by the Ponemon Institute, 60 percent of retailers lack the budgets to be fully compliant with the PCI DSS standards. As an example, the annual audit cost for a major retailer can be as high as $225,000.

According to the Ponemon Institute survey, restricting access to card data on a “need-to-know basis” (PCI DSS Requirement #7) is still the most important PCI DSS requirement, but also the most difficult to achieve.

QSAs reported that the three most common business reasons for storing cardholder data are:

  • Handling charge-backs
  • Providing customer service
  • Processing recurring subscriptions

In order to service these customer’s requirements, the credit card data must still be available for the various software applications. These industry processes require merchants to implement methods of protecting cardholders from theft.

Encryption the Best Technology

QSAs find the most significant threats to cardholder data are in merchant networks and databases. They believe firewalls, encryption for data at rest, and encryption for data in motion are the top three most effective technologies for achieving compliance.

Sixty percent of QSAs believe encryption is the best means to protect card data end-to-end. Forty-one percent of QSAs say that controlling access to encryption keys is the most difficult management task their clients face.

Getting a Handle on PCI Issues

So what’s the best way to both satisfy the requirements of PCI and still make secured data transparent to applications?

The strategy QSAs recommend is to lock down the cardholder data with technologies that:

  1. Restrict the access
  2. Encrypt the data
  3. Manage and control the encryption keys

These recommendations point to a need to make encryption and encryption-key access an integral part of the overall information system.

But too many organizations use ad hoc encryption/de-encryption utilities that slow processing, and often leave de-encrypted data in the open. In addition, without any integrated encryption key management process, there is really no security at all.  Unsecured encryption keys, just like data, can be lost, stolen, and misused. Access to those keys should be managed as an integral part of the overall security of the operating system.

The point is that the QSA’s three recommendations go beyond the basic requirements of the PCI standard to actually secure the credit card data at the host – and to ensure that the data isn’t misused when the data is at rest or while being transferred.

Linoma Software’s data encryption suite Crypto Complete successfully addresses these QSA PCI requirements by providing data encryption and key management services that can be integrated seamlessly with IBM i (iSeries) applications.

Building on PCI-DSS V2

Industry security analysts will still complain that PCI-DSS needs to be a real security standard aimed at protecting card holder data, but Version 2.0 doesn’t provide that value.  Consequently, we need to analyze what the QSAs are recommending, and then build on PCI-DSS Version 2.0 to implement the best possible data security for our customers’ credit card data.

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

More Posts - Website

1.800.949.4696  |  sales@linomasoftware.com  |  privacy policy
Copyright ©1994 - 2012 Linoma Software  |  All rights reserved