12/19/2012
07:16 PM
Dark Reading
Products and Releases

Voltage Secure Stateless Tokenization Advances Data Security For Enterprises, Merchants, And Payment Processors

Voltage SST technology is offered as part of the Voltage SecureData Enterprise data security platform

Cupertino, California – December 18, 2012 – Voltage Security®, the world leader in data-centric encryption and key management, today announced the general availability of Voltage Secure Stateless Tokenization™ (SST) technology, an advanced, patent-pending data security solution that provides enterprises, merchants and payment processors with a new approach to help assure protection for payment card data, with significant Payment Card Industry Data Security Standard (PCI DSS) audit scope reduction. Voltage SST technology is offered as part of the Voltage SecureData™ Enterprise data security platform that unites market-leading encryption, tokenization, data masking and key management to protect sensitive corporate information in a single comprehensive solution. Voltage SST technology is deployed and in use with customers leading in payment card processing, retail, financial services and airline industries.

Tokenization, which is used as a way of replacing sensitive data like credit card numbers with non-sensitive substitute values, is one of the data protection and audit scope reduction methods recommended by the PCI DSS. Enterprise users, merchants and processors, however, are facing new and mounting compliance costs and complexities as they discover that conventional, first-generation tokenization solutions aren’t able to support business evolution and growth.

Voltage SST technology solves this problem by eliminating the need for a token database, which has been a central element in tokenization solutions. It also removes the need to store sensitive data. The end result is that it substantially decreases PCI DSS compliance costs and complexities, and dramatically reduces the number of applications and systems that would be considered “in-scope” for compliance assessments. This approach can help companies free substantial IT and compliance budget for other spending priorities.

By eliminating token databases and the need to store sensitive cardholder data, the Voltage SST solution also reduces risk of breach. “The SST method is truly a paradigm shift in PAN tokenization,” says Kennet Westby, president of Coalfire, Inc., a leading independent IT Governance, Risk and Compliance firm. “Memory access is many thousands of times faster than disk access. By removing the database and practically eliminating disk I/O, performance is increased dramatically over conventional tokenization solutions. Typically, performance and security move in opposite directions, but not in this case. The overall security of the tokenization process is actually enhanced.”

Voltage SST technology is based upon published and proven academic research and standards, and validated by independent experts. In addition, the solution has been validated by a top third-party Quality Security Assessor (QSA) with a published report on the assessment.

“Secure Stateless Tokenization from Voltage is significantly reducing our PCI compliance scope and making our IT operations much easier to manage,” said Alex Belgard, CISSP, information security engineer, Crutchfield Corporation. “For example, within our network of several hundred servers, we anticipate scope reduction of more than 90 percent.”

Belgard continued: “The deciding factor was the industry assurance that Voltage SST data security is a sound, proven solution; that’s where the published security proofs and third party validation made a decisive difference. And then, once the final decision was made, configuring the SST solution for our production environment was very simple and straightforward, taking less than a day.”

For transaction processors (including payment switches, tokenization service providers, and card issuers), Voltage SST technology delivers a secure, high-performance solution that meets carrier- and payment processor-grade high availability requirements. In addition, the SST technology provides 100% data consistency, and scales linearly so that processors can generate hundreds of millions of tokens to represent card numbers for internal use or to provide tokenization services to merchants.

With Voltage SST technology there are no software prerequisites. The solution works with virtually all languages and platforms, easily integrating into existing IT environments, including mainframe and mid-range.

On the scalability of tokenization solutions and data integrity, Gartner’s Avivah Litan advises: “Enterprises with large-scale or decentralized operations will want to choose vendors that can properly support their operations. Not all vendors…are equal when it comes to their ability to scale. For example, some can easily support small one-site operations with one merchant account, but cannot support national chain stores with multiple merchant accounts. Similarly some can support tokenization software for a small localized application, but cannot support a distributed global environment with multiple regional applications, and ensure that the same payment card number always generates the same token number. Before choosing a vendor, check at least two or three production customer references with environments similar to yours.” (Gartner Research Note G00237375, 2 August 2012)

For more information about Voltage Secure Stateless Tokenization technology and the Voltage SecureData Enterprise platform, contact the company at info@voltage.com.

About Voltage Security

Voltage Security®, Inc. is the leading data protection provider, delivering secure, scalable, and proven data-centric encryption and key management solutions, enabling customers to effectively combat new and emerging security threats. Powered by ground-breaking encryption innovations, including Identity-Based Encryption™ (IBE), Format-Preserving Encryption™ (FPE), and Page-Integrated Encryption™ (PIE), our powerful data protection solutions allow any company to seamlessly secure all types of sensitive corporate and customer information, wherever it resides, while efficiently meeting regulatory compliance and privacy requirements. For more information, please visit www.voltage.com.
