12/19/2012
07:16 PM
Dark Reading
Products and Releases

Voltage Secure Stateless Tokenization Advances Data Security For Enterprises, Merchants, And Payment Processors

Voltage SST technology is offered as part of the Voltage SecureData Enterprise data security platform

Cupertino, California – December 18, 2012 – Voltage Security®, the world leader in data-centric encryption and key management, today announced the general availability of Voltage Secure Stateless Tokenization™ (SST) technology, an advanced, patent-pending data security solution that provides enterprises, merchants and payment processors with a new approach to help assure protection for payment card data, with significant Payment Card Industry Data Security Standard (PCI DSS) audit scope reduction. Voltage SST technology is offered as part of the Voltage SecureData™ Enterprise data security platform that unites market-leading encryption, tokenization, data masking and key management to protect sensitive corporate information in a single comprehensive solution. Voltage SST technology is deployed and in use with customers leading in payment card processing, retail, financial services and airline industries.

Tokenization, which is used as a way of replacing sensitive data like credit card numbers with non-sensitive substitute values, is one of the data protection and audit scope reduction methods recommended by the PCI DSS. Enterprise users, merchants and processors, however, are facing new and mounting compliance costs and complexities as they discover that conventional, first-generation tokenization solutions aren’t able to support business evolution and growth.

Voltage SST technology solves this problem by eliminating the need for a token database, which has been a central element in tokenization solutions. It also removes the need to store sensitive data. The end result is that it substantially decreases PCI DSS compliance costs and complexities, and dramatically reduces the number of applications and systems that would be considered “in-scope” for compliance assessments. This approach can help companies free substantial IT and compliance budget for other spending priorities.

By eliminating token databases and the need to store sensitive cardholder data, the Voltage SST solution also reduces risk of breach. “The SST method is truly a paradigm shift in PAN tokenization,” says Kennet Westby, president of Coalfire, Inc., a leading independent IT Governance, Risk and Compliance firm. “Memory access is many thousands of times faster than disk access. By removing the database and practically eliminating disk I/O, performance is increased dramatically over conventional tokenization solutions. Typically, performance and security move in opposite directions, but not in this case. The overall security of the tokenization process is actually enhanced.”

Voltage SST technology is based upon published and proven academic research and standards, and validated by independent experts. In addition, the solution has been validated by a top third-party Quality Security Assessor (QSA) with a published report on the assessment.

“Secure Stateless Tokenization from Voltage is significantly reducing our PCI compliance scope and making our IT operations much easier to manage,” said Alex Belgard, CISSP, information security engineer, Crutchfield Corporation. “For example, within our network of several hundred servers, we anticipate scope reduction of more than 90 percent.”

Belgard continued: “The deciding factor was the industry assurance that Voltage SST data security is a sound, proven solution; that’s where the published security proofs and third party validation made a decisive difference. And then, once the final decision was made, configuring the SST solution for our production environment was very simple and straightforward, taking less than a day.”

For transaction processors (including payment switches, tokenization service providers, and card issuers), Voltage SST technology delivers a secure, high-performance solution that meets carrier- and payment processor-grade high availability requirements. In addition, the SST technology provides 100% data consistency, and scales linearly so that processors can generate hundreds of millions of tokens to represent card numbers for internal use or to provide tokenization services to merchants.

With Voltage SST technology there are no software prerequisites. The solution works with virtually all languages and platforms, easily integrating into existing IT environments, including mainframe and mid-range.

On the scalability of tokenization solutions and data integrity, Gartner’s Avivah Litan advises: “Enterprises with large-scale or decentralized operations will want to choose vendors that can properly support their operations. Not all vendors…are equal when it comes to their ability to scale. For example, some can easily support small one-site operations with one merchant account, but cannot support national chain stores with multiple merchant accounts. Similarly some can support tokenization software for a small localized application, but cannot support a distributed global environment with multiple regional applications, and ensure that the same payment card number always generates the same token number. Before choosing a vendor, check at least two or three production customer references with environments similar to yours.” (Gartner Research Note G00237375, 2 August 2012)

For more information about Voltage Secure Stateless Tokenization technology and the Voltage SecureData Enterprise platform, contact the company at info@voltage.com.

About Voltage Security

Voltage Security®, Inc. is the leading data protection provider, delivering secure, scalable, and proven data-centric encryption and key management solutions, enabling customers to effectively combat new and emerging security threats. Powered by ground-breaking encryption innovations, including Identity-Based Encryption™ (IBE), Format-Preserving Encryption™ (FPE), and Page-Integrated Encryption™ (PIE), our powerful data protection solutions allow any company to seamlessly secure all types of sensitive corporate and customer information, wherever it resides, while efficiently meeting regulatory compliance and privacy requirements. For more information, please visit www.voltage.com.
