By Renay San Miguel E-Commerce Times
06/11/09 4:00 AM PT
E-commerce enterprises have to maintain stringent security controls over customer credit card numbers, and any part of the system that deals with them has to lock its doors extra tight. When that information is changed into a proxy number, however -- in other words, tokenized -- it can flow freely through the system, while the actual credit card number remains safe and sound in a single, secure database.
It's a fact that might not bring a lot of comfort to consumers and businesses, but it's true: The methods for protecting e-commerce transactions haven't changed a great deal since online shopping became a viable option in the early '90s. SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are the encryption protocols that slap on that little padlock you see at the bottom of a Web site once you've begun the purchase process.
"The SSL is still used today because it largely is pretty effective," said Mark Lieberg, information security manager, CISSP, for 60-year-old catalog company/direct retailer Fingerhut. "What's coming into focus more sharply is, what do we do with the data after we have it? How do we secure that data and protect it from further security risk?"
While a wider variety of methods are available to protect data within a company, the chances of losing that data due to accidents or criminal activity have risen with the growth of e-commerce: a box of data tapes falling off a truck; a laptop with sensitive information lost or stolen.
However, Fingerhut -- which ticketed US$500 million in revenue in 2008 -- has committed to a relatively new security method that helps lock down data like credit card numbers: tokenization, which replaces the card number with a surrogate value everywhere outside a single secure vault, cutting down on the number of outside eyes that ever have access to the sensitive personal data.
As the PCI (Payment Card Industry) Security Standards Council begins to look for more stringent security methods and demand compliance from participating corporations, Lieberg believes that tokenization may give e-commerce companies the best chance yet to manage security compliance in the most cost-effective way.
E-Commerce Times: What is tokenization, and how do you implement it?
Mark Lieberg: If you were a customer and came to Fingerhut's Web site and said, "I'm going to make this purchase," you would input your credit card number. That number would end up in what we're calling our "vault," a secure area of our network, and that nuBridges product would take that 16-digit credit card number, store it, encrypt it and return a "token" -- a sixteen-digit number that represents raw data -- and return that numeric value to the order-processing application. That number is not numerically related to the raw data in any way. From a security risk point of view, it's inert. If I dropped that number on the street, nobody would deduce your credit card number from those values.
Now that order-processing application has a sixteen-digit number it can use to talk to other applications -- or even for internal analysis. Your token is unique. The card-holder information is securely and more easily manageable in our vault.
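The flow Lieberg describes (card number captured, handed to a vault, a random sixteen-digit token returned, downstream systems working only with the token) can be modelled in a few dozen lines. The example below is added here for illustration; it is not Fingerhut's or nuBridges' code, and the vault keys, the `TokenVault` class, the Luhn pre-check and the HMAC-based at-rest scrambling are all assumptions made for this standalone example. The token is drawn from a random source that never touches the card number, which is the property that makes it "inert"; a blind index (keyed HMAC of the card number) lets a repeat customer receive the same token so order analysis still works without anyone outside the vault seeing the real number.

```python
import hashlib
import hmac
import secrets

# Constructed vault secrets for this example only. A real vault keeps these in an HSM or KMS.
VAULT_INDEX_KEY = secrets.token_bytes(32)  # keys the blind index used to find an existing token
VAULT_DATA_KEY = secrets.token_bytes(32)   # keys the at-rest protection of stored card numbers


def luhn_valid(pan: str) -> bool:
    """Standard Luhn checksum; rejects malformed input before it is ever stored."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _keystream_xor(nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in PRF stream cipher (assumption for this example).
    It keeps the example standard-library only and gives confidentiality but no integrity;
    a production vault would use an authenticated cipher such as AES-GCM from a crypto library."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(VAULT_DATA_KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class TokenVault:
    """The single place that holds real card numbers; everything outside it sees tokens only."""

    def __init__(self) -> None:
        self._by_token = {}        # token -> (nonce, scrambled card number)
        self._by_blind_index = {}  # HMAC(card number) -> token, so a repeat card reuses its token

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19) or not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        idx = hmac.new(VAULT_INDEX_KEY, pan.encode(), hashlib.sha256).hexdigest()
        existing = self._by_blind_index.get(idx)
        if existing is not None:
            return existing
        # The token is 16 random digits chosen independently of the card number, so it
        # carries no information about it. The loop guards against a (vanishingly rare) collision.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token not in self._by_token:
                break
        nonce = secrets.token_bytes(16)
        self._by_token[token] = (nonce, _keystream_xor(nonce, pan.encode()))
        self._by_blind_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment step inside the vault boundary should ever call this."""
        nonce, scrambled = self._by_token[token]
        return _keystream_xor(nonce, scrambled).decode()


def checkout(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Point of capture: the card number is swapped for a token before the order record exists."""
    return {"card_token": vault.tokenize(pan), "amount_cents": amount_cents}


def record_is_out_of_scope(order: dict) -> bool:
    """Downstream check: an order record must carry a 16-digit token and no raw card number."""
    token = order.get("card_token", "")
    return "pan" not in order and token.isdigit() and len(token) == 16


def spend_per_card(orders: list) -> dict:
    """Internal analysis that works on tokens alone, exactly as the interview describes."""
    totals = {}
    for order in orders:
        totals[order["card_token"]] = totals.get(order["card_token"], 0) + order["amount_cents"]
    return totals
```

Running `checkout` twice with the same constructed card number yields two order records sharing one token, `spend_per_card` sums them without ever seeing the number, and only `detokenize` inside the vault can reverse the mapping.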
E-Commerce Times: What prompted the move to tokenization?
Lieberg: We decided for 2009 to formulate a project around PCI companies, because it's very prescriptive and gives you a lot of guidance on what to do and what not to do. Because of controls that need to be built out for PCI, we would create a secure environment for the data that PCI cares about. For us -- PCI being the mandate and being the most costly challenge for most companies -- the best and most cost-effective approach is to shrink the card-holder environment to as few systems as you can, so tokenization is the most powerful way to execute on that. There's a tremendous economy of scale there for all our downstream systems. If we tokenize at the point of capture of that data, all our downstream systems have the benefit of containing no credit card information, so it's risk-inert from a PCI standpoint.
E-Commerce Times: Can tokenization be used for all kinds of customer data on the Web?
Lieberg: Not really. The biggest impact is how to protect the data once you receive it on the back end. E-commerce sites are different, but all are cut from the same cloth: They take credit card data from the customer and make some money. The game-changing capability of tokenization is around compliance and protecting customer data. It's not a panacea for all kinds of data. It works very well for numeric data. As we proceed to change the ways we protect customer information, we'll probably have a blended solution of encryption and tokenization. Fingerhut really needed a product that we could bring in-house and make part of our data privacy initiative.
E-Commerce Times: Is tokenization being widely accepted by e-commerce companies? Any statistics or quantification?
Lieberg: I don't have a good feel for who's adopting. I know of only one other company that has done it, and it's a quite different company than what we do. Tokenization as a concept is relatively new, at least to me, and as I talk to my peers out there, almost universally when I explain the concept they all say, "Wow, that's really smart." It's a great way to get a handle on private data that typically ends up in all the nooks and crannies of a company. We get in front of the stuff and tokenize it. We don't care if Bob in finance has a spreadsheet with the token. It's not really the customer's number.
E-Commerce Times: Whether it's tokenization or encryption, isn't a security method only as good as the people who install and maintain it?
Lieberg: I'd say that's absolutely true. Security is only as good as the people, and until we all have robot bodies, then maybe that won't be true anymore (laughs). Beyond that, it's really about reducing the number of eyes that can get at the raw data. We'll now have our vault area, which will have many security controls that we wouldn't have on our general production environments, including some strict requirements for authenticating that environment, strict log management to allow for who's coming and going into the vault -- all that kind of stuff you would expect. None of them are generally new, but they are very intensively maintained, and then there's a whole host of process controls, and the people who have access to that environment will simply be very, very few. It's a paradigm shift for IT and for the company in how we manage the data.