Voltage, RSA spar over tokenization, data protection

By Robert Westervelt, News Editor
02 Oct 2009 | SearchSecurity.com

Security Wire Daily News

Voltage Security Inc. and RSA, the security division of EMC, are exchanging blows over the best way to protect credit card data during the payment process.

Both vendors have partnered with different payment processors to develop slightly different methods to protect credit card data from the point a credit card is swiped at the point-of-sale (POS) system until a transaction is complete.

Voltage is partnering with beleaguered Heartland Payment Systems Inc. The processor, which was embroiled in the largest data breach in U.S. history, has vowed to shake up the industry by developing a system that encrypts data throughout the entire payment process. It has announced E3, a system that includes new credit card terminals and format-preserving encryption software that protects credit card data throughout the payment process.

Meanwhile, RSA announced a partnership with First Data Corp. to produce a data protection process that includes both encryption of data in motion and token technology. The tokenization would be handled by the processor and be returned to merchants, while the actual credit card numbers would be stored in a secure repository maintained by First Data. The process includes new countertop terminals for merchants or the deployment of a public key file integrated into a merchant's legacy POS software.

Neither processor has released pricing details. First Data said it would not charge a separate fee for storage. Heartland said it wouldn't charge additional fees beyond the cost of new payment terminals.

Voltage is critical of the First Data-RSA partnership. Wasim Ahmad, vice president of marketing at Voltage, said tokenization does not have the potential to reduce the scope of a PCI assessment in the same way as true end-to-end encryption.

"Specifically, the PAN capture system and all the potentially long network paths and their security to the tokenizer are in scope, as is the tokenization engine itself, the database and peripheral systems and processes if within the merchant's own environment," Ahmad said. "Also, the related methods of authenticating every single request to the tokenizer itself must be considered in scope."

But Brian Fitzgerald, vice president of marketing at RSA, dismissed Ahmad's assertion that the scope is not reduced as a result of the use of tokens. On the contrary, a merchant's data warehouses, CRM systems and systems for settlements and refunds would be out of scope of PCI DSS under the First Data Secure Transaction Management service, Fitzgerald said.

"The card number is replaced with a token value, which can't be linked back to the card number in any way," Fitzgerald said. "The tokenization server is out of scope because it resides at First Data, not in the merchant's environment."
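The token flow described above, as an added illustration that is not code from the article, First Data or RSA: a hypothetical processor-side vault maps each card number (PAN) to a randomly generated token of the same length and last four digits, the merchant stores only the token, and settlement or refund requests carry the token back to the processor, which is the only party able to resolve it. The vault class, the constructed settlement key and the test PAN are all assumptions made for the example.

```python
import secrets
import hmac
from typing import Dict

# Constructed demo credential for the processor's settlement path. Every request
# to detokenize must be authenticated; this stands in for that check.
SETTLEMENT_KEY = b"constructed-demo-settlement-key"


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn check that real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical processor-side vault: PAN <-> token; merchants only ever see tokens."""

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:   # same card -> same token, so CRM/loyalty records still link
            return self._pan_to_token[pan]
        while True:
            # Format-preserving: same length, last four digits kept for receipts and lookups;
            # the rest comes from a CSPRNG, so no key or formula recovers the PAN from the token.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject tokens that would pass Luhn so a token can never be mistaken for a real PAN.
            if luhn_valid(token) or token in self._token_to_pan:
                continue
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
            return token

    def detokenize(self, token: str, key: bytes) -> str:
        """Only the processor's authenticated settlement path may map a token back to a PAN."""
        if not hmac.compare_digest(key, SETTLEMENT_KEY):
            raise PermissionError("caller not authorised to detokenize")
        return self._token_to_pan[token]


def merchant_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant stores after authorisation: token and amount, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


def processor_refund(vault: TokenVault, token: str, amount_cents: int, key: bytes) -> dict:
    """Processor resolves the token internally and returns only a masked receipt to the merchant."""
    pan = vault.detokenize(token, key)
    masked = "*" * (len(pan) - 4) + pan[-4:]
    return {"refunded": amount_cents, "card": masked}


if __name__ == "__main__":
    vault = TokenVault()
    record = merchant_record(vault, "4111111111111111", 2599)   # constructed test PAN
    print("merchant stores:", record)
    print("refund receipt:", processor_refund(vault, record["token"], 2599, SETTLEMENT_KEY))
```

Because the token is random rather than derived from the PAN, the merchant-side record is useless to an attacker without access to the processor's vault and its authenticated detokenize path, which is the scope argument Fitzgerald makes; Ahmad's counterpoint is that the capture path to that vault and the authentication of each request are what then need protecting.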

Under the Voltage-Heartland plan, card data remains resident in the merchant's systems, and even though it is encrypted it would remain in scope for PCI DSS compliance, Fitzgerald said. The data would also have to be decrypted to provide settlements and refunds, "thus creating potential vectors of attack within the merchants' systems," he said.

Voltage's Ahmad also said the First Data-RSA service could result in latency issues on legacy POS systems as they struggle to support efficient SSL sessions from the POS to the First Data tokenizer. The performance issues could require substantial hardware changes for merchants at a great cost, Ahmad said.

But RSA's Fitzgerald said First Data has solved latency issues. Extensive tests on the encryption-tokenization approach on older POS systems showed a performance impact that was less than 200 milliseconds per transaction, he said.

"In the First Data Secure Transaction Management service, public key cryptography is used to encrypt the cardholder data in the point-of-sale system and the encrypted data is then moved upstream to First Data," Fitzgerald said. "This is different from SSL in that we encrypt the data rather than the session."

Voltage's Ahmad also took issue with First Data's plan to maintain a central repository of cardholder data, which he said could be a lucrative target for attackers and would leave a large system footprint to attack. The Heartland-Voltage system would instead create a repository of encryption keys, which could be better protected, he said.

Fitzgerald said the First Data repository greatly reduces the risk of a breach since merchants would be eliminating cardholder data from their systems.

"Mr. Ahmad's claim that it is more risky having First Data store this data than it is for the merchants to store it, is like saying that it is safer to have your money hidden in your mattress rather than in a bank vault," Fitzgerald said. "First Data and RSA are essentially creating the Fort Knox of the payment processing industry."
