Paymetric XiSecure Payment Card Tokenization Solution

by SAPGuy on January 28, 2010

in SAP Implementation Tips

The Problem

Securing credit card data in business systems can be costly and complex, and when multiple systems use the credit card information, it becomes more complex still. While some systems, such as SAP, allow you to encrypt the data, there can be glitches that expose the data if procedures are not followed (see previous articles for examples). And very few systems (including SAP) have an elegant standard mechanism to track who accessed the data over a period of time.

A security breach that exposes payment card information can be extremely expensive, as discussed before. And there is a very real possibility of people losing their jobs as a result of such negligence.

A Possible Solution

One solution I have seen is not to store credit card data at all, or to store it only temporarily. This is not ideal and can only work in certain industries. Even though the data is encrypted, all credit card data older than, say, 30 days is purged from the system. That is not a great customer experience if the customer asks you to simply use the credit card from their last transaction. As the system is not designed for this, credit card information suddenly gets written down and stored in desk drawers, simply to provide good customer service. That is just asking for trouble.

But what if we could use this idea of not storing the payment card data to achieve what we want?

A New Paymetric Solution

In August 2007, Paymetric announced a new product called XiSecure. XiSecure comes in 2 flavors: an Onsite Server or an On Demand SaaS solution.

Basically it is a tokenization server. It removes the credit card data from the business systems and replaces it with a 25-digit token.

A simple analogy could be a spreadsheet with 2 columns. In 1 column, we have all the credit card numbers, and in the next column we have a 25-digit number, or token. There is a 1:1 relationship between the credit card # and the token. While the token represents the credit card, if you only have the token, you cannot do anything with it.

This spreadsheet represents the database in XiSecure.

How does it work?

  1. It removes all credit card numbers stored in your business applications – such as SAP – and places them in a highly secure, centralized system that can be protected and monitored utilizing robust encryption technology.
  2. It replaces the stored credit card numbers in enterprise applications with encryption tokens. These are unique tokens that reference the credit card number.
  3. Should the business application experience a security breach, the token would have no value. This adds a new layer of protection against theft and misuse of credit card data.
  4. It provides key management and key rotation capabilities outside of enterprise applications – traditionally a pain.
  5. It provides comprehensive access logging.
  6. It provides comprehensive monitoring of decryption requests.
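As an added illustration (not Paymetric's code or the XiSecure API), the toy vault below mirrors the two-column spreadsheet and the list above: tokens are random 25 digits unrelated to the card number, the 1:1 mapping lives only inside the vault, the business system keeps just the token, and every detokenization request is logged whether it is allowed or denied. The `AUTHORIZED_SYSTEMS` set, the `payment-gateway` and `reporting-user` caller names and the test card number are constructed assumptions.

```python
import secrets

TOKEN_DIGITS = 25
AUTHORIZED_SYSTEMS = {"payment-gateway"}   # constructed: only this caller may detokenize


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check so that malformed numbers never enter the vault."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The only place where card number and token sit side by side."""

    def __init__(self):
        self._pan_to_token = {}   # 1:1 mapping, the "two-column spreadsheet"
        self._token_to_pan = {}   # a real vault encrypts this column at rest
        self.access_log = []      # every decryption request, allowed or denied

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible card number")
        if pan in self._pan_to_token:         # same card always yields the same token
            return self._pan_to_token[pan]
        while True:
            # random digits, not derived from the PAN: the token alone reveals nothing
            token = "".join(secrets.choice("0123456789") for _ in range(TOKEN_DIGITS))
            if token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, requester: str):
        """Return the PAN only to an authorized system; log every attempt."""
        allowed = requester in AUTHORIZED_SYSTEMS and token in self._token_to_pan
        self.access_log.append({"requester": requester, "token": token, "allowed": allowed})
        return self._token_to_pan[token] if allowed else None


def demo():
    vault = TokenVault()
    pan = "4111 1111 1111 1111"                        # constructed test card number
    t1 = vault.tokenize(pan)
    t2 = vault.tokenize(pan)                           # repeat customer: same token back
    erp_record = {"order": 1001, "card_token": t1}     # all the business system stores
    recovered = vault.detokenize(erp_record["card_token"], "payment-gateway")
    denied = vault.detokenize(erp_record["card_token"], "reporting-user")
    return t1, t2, recovered, denied, vault.access_log
```

A breach of `erp_record` yields only the token; the second log entry is the kind of denied decryption request that monitoring should flag.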

Advantages

  1. This solution makes PCI compliance much easier, particularly if you use the XiSecure On Demand solution.
  2. As there is only a token in all your business systems, it is not necessary to encrypt the business data.
  3. If you use an on demand system (such as XiSecure On Demand), you can focus on your core business and allow a 3rd party to focus on what they do best: ensuring the security of your data.

Conclusion

Credit card tokenization can provide a simple solution to shield you from costly credit card data security breaches. I believe that the Paymetric XiSecure solution appears to be a viable solution that you should investigate in your business.

To be clear, I have not implemented the solution. However, I have worked with Paymetric’s XiPay solution and I was very impressed. As such, I suspect that this will be a robust and solid product as well.

Feel free to add Comments and Questions.

The SAPGuy has been implementing SAP in the trenches for the last 16 years. Feel free to contact me to discuss any challenging consulting needs.
