Tokenization, which replaces sensitive data such as credit card numbers with non-sensitive substitute values, is one of the data protection and audit scope reduction methods recommended by the PCI DSS. Enterprise users, merchants and processors, however, are facing new and mounting compliance costs and complexities as they discover that conventional, first-generation tokenization solutions aren’t able to support business evolution and growth.
Voltage SST technology solves this problem by eliminating the need for a token database, which has been a central element in tokenization solutions. It also removes the need to store sensitive data. The end result is that it substantially decreases PCI DSS compliance costs and complexities, and dramatically reduces the number of applications and systems that would be considered “in-scope” for compliance assessments. This approach can help companies free substantial IT and compliance budget for other spending priorities.
By eliminating token databases and the need to store sensitive cardholder data, the Voltage SST solution also reduces the risk of breach. “The SST method is truly a paradigm shift in PAN tokenization,” says Kennet Westby, president of Coalfire, Inc., a leading independent IT Governance, Risk and Compliance firm. “Memory access is many thousands of times faster than disk access. By removing the database and practically eliminating disk I/O, performance is increased dramatically over conventional tokenization solutions. Typically, performance and security move in opposite directions, but not in this case. The overall security of the tokenization process is actually enhanced.”
Voltage SST technology is based upon published and proven academic research and standards, and validated by independent experts. In addition, the solution has been validated by a top third-party Qualified Security Assessor (QSA) with a published report on the assessment.
“Secure Stateless Tokenization from Voltage is significantly reducing our PCI compliance scope and making our IT operations much easier to manage,” said Alex Belgard, CISSP, information security engineer, Crutchfield Corporation. “For example, within our network of several hundred servers, we anticipate scope reduction of more than 90 percent.”
Belgard continued: “The deciding factor was the industry assurance that Voltage SST data security is a sound, proven solution; that’s where the published security proofs and third party validation made a decisive difference. And then, once the final decision was made, configuring the SST solution for our production environment was very simple and straightforward, taking less than a day.”
For transaction processors (including payment switches, tokenization service providers, and card issuers), Voltage SST technology delivers a secure, high-performance solution that meets carrier- and payment processor-grade high availability requirements. In addition, the SST technology provides 100% data consistency, and scales linearly so that processors can generate hundreds of millions of tokens to represent card numbers for internal use or to provide tokenization services to merchants.
With Voltage SST technology there are no software prerequisites. The solution works with virtually all languages and platforms, easily integrating into existing IT environments, including mainframe and mid-range.
On the scalability of tokenization solutions and data integrity, Gartner’s Avivah Litan advises: “Enterprises with large-scale or decentralized operations will want to choose vendors that can properly support their operations. Not all vendors…are equal when it comes to their ability to scale. For example, some can easily support small one-site operations with one merchant account, but cannot support national chain stores with multiple merchant accounts. Similarly some can support tokenization software for a small localized application, but cannot support a distributed global environment with multiple regional applications, and ensure that the same payment card number always generates the same token number. Before choosing a vendor, check at least two or three production customer references with environments similar to yours.” (Gartner Research Note G00237375, 2 August 2012)
For more information about Voltage Secure Stateless Tokenization technology and the Voltage SecureData Enterprise platform, contact the company at [email protected]
About Voltage Security

Voltage Security®, Inc. is the leading data protection provider, delivering secure, scalable, and proven data-centric encryption and key management solutions, enabling customers to effectively combat new and emerging security threats. Powered by ground-breaking encryption innovations, including Identity-Based Encryption™ (IBE), Format-Preserving Encryption™ (FPE), and Page-Integrated Encryption™ (PIE), our powerful data protection solutions allow any company to seamlessly secure all types of sensitive corporate and customer information, wherever it resides, while efficiently meeting regulatory compliance and privacy requirements. For more information, please visit www.voltage.com.