A new technology keeps sensitive data away from 90% of the retailer’s network.
Web and catalog electronics retailer Crutchfield Corp. this summer began the switch from encrypting customers’ payment card numbers to using a new technology from Voltage Security Inc. The new system is more secure and will save several hundred hours of labor annually in complying with the Payment Card Industry Security Standards, says Crutchfield information security engineer Alex Belgard. PCI rules are designed to protect consumers’ credit and debit card data.
Called Voltage Secure Stateless Tokenization, the technology works by using strings of random numbers or characters, known as tokens, in lieu of 16-digit payment card numbers within Crutchfield’s servers. That way, if a criminal breaks into the retailer’s payments system, he’ll see only those strings of apparent nonsense rather than card numbers. Each Voltage client has access to a lookup table of all possible credit card numbers. When a customer enters her card number during a transaction, the software looks it up in the table and randomly generates a token for it, Voltage says.
Once the first token is generated, the software also tokenizes the entire table of card numbers, Voltage says. That allows Crutchfield to use a consistent set of tokens forever, including for return customers, since every card number automatically matches to a particular token. Since the tokens are created uniquely within each retailer’s system, only Crutchfield’s servers, which saved information about mapping the tokens to the card numbers, can run the reverse process and use the tokens to retrieve card numbers, for example to handle refunds.
This is different from other security software that encrypts customer credit card information as it enters a retailer’s payment system and adds it to a database stored on either the retailer’s or a payment processor’s servers. While those systems also often use tokens to refer to encrypted card numbers, if a criminal accessed the database itself and broke the code—or managed to steal the decryption key—the card numbers would be compromised.
“Even if someone did get a hold of the lookup table, they wouldn’t know which numbers have been looked up and which have never been used, which ones attach to a credit card number,” Belgard says. “It’s just a table of every possible number.” Only Crutchfield knows which numbers in the table have been looked up and therefore represent actual cards.
When the retailer completes the overhaul of its security infrastructure this spring, 90% of its servers will contain no sensitive data, Belgard says, leaving just two servers running the Voltage software and the applications that collect card data prior to tokenization. Each of those servers is located in a separate, physically secured data center with extremely limited Internet access— they are only allowed highly restricted connections to certain applications to gather card data, which is secure socket layer (SSL) encrypted until it reaches the server, Voltage says. “It is much easier to be confident about the level of security you have when you’re just talking about two specific pieces of hardware versus hundreds of things that are handling encrypted data,” he says.
When a retailer does store encrypted data on its own servers, it must also update its encryption keys—the codes used to unscramble the data— at least annually to meet PCI standards, a time-consuming endeavor that may involve manipulating data on many machines, Belgard says. In addition to saving Crutchfield staff the effort in keeping its servers compliant with PCI rules, it will reduce the time and thereby cost of independent PCI audits the retailer pays for every few years, he says. Voltage’s technology is cheaper than a number of other similar products Crutchfield considered, he says, though he would not say how much the retailer paid. Voltage declined to reveal pricing information.
Voltage Security’s “implementation model is unique,” says Kennet Westby, president of Coalfire Systems Inc., an I.T. security auditor and consulting firm. Coalfire published a security assessment validating the Voltage technology last year. “We’ve not run into an enterprise-level model like this,” he says.
By enterprise-level, Westby refers to retailers that use tokens to handle information from potentially millions of cardholders, in which case more machines and networks end up handling that data, raising the risk, cost and effort needed to keep a retailer’s network PCI-compliant, he says.
“Typically, performance and security move in opposite directions, but not in this case,” Westby says. “The overall security of the tokenization process is actually enhanced.”
While Westby does not provide price estimates for Voltage’s or similar security systems, he says that Voltage customers have reported that the product is cost-effective.
Crutchfield is No. 123 in the Internet Retailer Top 500 Guide.