Encryption and key management.

February 16, 2010

Don’t forget about scanned images for PCI DSS compliance

Gary Palgon
Vice President, Product Management
nuBridges

The Payment Card Industry’s Security Standards Council issued a clarification about audio recordings on January 22, 2010 noting that card validation codes and values must not be stored under usual circumstances to be considered PCI DSS compliant.  PANs in the recording, of course, must be encrypted following the current standards as well.

  • Much like audio recordings, scanned images that contain the PAN and card validation codes must be addressed as well.
  • Requirement 3.3 specifically states that “displays of PAN (for example, on screen, on paper receipts) … are masked when displayed ...”
  • Requirement 9.6 notes: “Physically secure all paper and electronic media that contain cardholder data.”
  • Like the audio recordings, track data should not be stored based on Requirement 3.2 : “Do not store sensitive authentication data after authorization (even if encrypted).”
  • Images containing credit cards will need to be encrypted as required by Requirement 3.4: “Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs).”

Don’t be caught off guard as you make your way though a PCI DSS compliance audit – trace all input sources of credit cards and follow the card “information supply chain” to make sure you’ve addressed all occurrences of this sensitive data.

Are there any other areas of input that you’ve seen frequently missed during audits?


Regards,
Gary


PS... If you have not already registered, I am co-presenter for live webinar being held February 24, 2010 at 2pm EST.  Brian Grafsgaard of QBS and I will discuss "Applying PCI Best Practices to Protect PII"  Click here to register:  https://www1.gotomeeting.com/register/314351497 

Posted at 08:41 AM in Data security, Encryption and key management., nuBridges, PCI DSS, PII | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

| |

November 11, 2009

Annual Atlanta ISSA Conference Update

First International ISSA Conference to be Held in Atlanta in 2010

Gary Palgon
Vice President, Product Management
nuBridges

The Metro Atlanta ISSA hosted its 5th annual information security conference on Veteran’s Day, November 11th, with the theme of "Magnify Your Security." It was great to see they took time out in the opening session to recognize the dozen or so Veterans among the attendees. Thanks to all of you have served and do serve our country!

It was formally announced that Atlanta will host the first international ISSA conference on September 15-17, 2010. This is great news for the ISSA community as well as for Atlanta, which has historically been the home for many security startups -- Internet Security Systems (now IBM ISS); SPIDynamics (now HP), PureWire (now Barracuda Networks), CipherTrust (now SecureComputing) and many more.

Also of interest at the annual Atlanta ISSA meeting was a presentation by Kevin Campbell of PriceWaterhouseCoopers, covering PWC’s Global State of Information Security Survey.  Lots of great and timely information about spending and security breaches.  Kevin summarized the executives’ views in the coming year as focused on looking at and placing their highest expectations on initiatives that:

  • Protect data
  • Address the big risks first
  • Pull this portfolio of multi-year investments together (strategy)
  • Reduce cost and increase efficiency
  • Prepare for a wave of new regulations (e.g. State Breach Notification Laws)

To the last point, he noted that because of the effect of the economic downturn, regulations are on the rise – led perhaps by a new wave of privacy laws.

Until next time,
Gary

nuBridges

 

Posted at 03:45 PM in Data security, Encryption and key management., nuBridges | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

| |

April 23, 2009

The true value of data protection is to ‘let the good guys in!’

Abir Thakurta
Senior Director, Professional Services
nuBridges

With data protection as one of the key challenges facing enterprises around the world, and the need to comply with critical mandates like the PCI-DSS, encryption has become a de-facto strategic weapon in organizations’ data protection arsenals.

Encryption is a great way to protect data -- but it comes with some limitations. Limitations that pose real-world problems in implementing encryption technologies.

The three big barriers to implementation of traditional encryption technologies are:

  1. Format preservation and data integrity of sensitive information when it is processed or analyzed by various business intelligence and analysis tools.
  2. Application or database modifications to accommodate cipher text changes to the sensitive information.
  3. Performance penalties with cryptography processes and algorithms that perform encryption.
    But data protection is not just about encryption technology. And it is not just about keeping the bad guys out (and sometimes the good guys too!).  The true value of data protection is its ability to ‘let the good guys in.’  This helps create a balance of appropriate data security and business continuity so enterprises can run their business while protecting their sensitive, business-critical and regulated data. 

Tokenization as a concept is simple yet powerful. How can we replace sensitive information with a surrogate token? A token that does not compromise the actual data, yet allows enterprises to go about doing their business with the applications that work with that sensitive information?

The key to tokenization is to produce a surrogate token that has a 1:1 relationship with the sensitive information. Not only for data integrity but also to ensure that no mathematical relationship exists that would be subject to dictionary or mathematical attacks. So if the token is ever accessed by a malicious user, it cannot be traced back to the original sensitive information. This, of course, requires a secure data vault where the relationships are stored, the sensitive information is protected and appropriate controls are exercised for limited access to users who can actually reveal a token.

Now think about a technology that can generate format-preserving tokens (so a 16 digit AMEX number still looks like one but isn’t one) and insert them in place of the sensitive data, then encrypts the original data and stores the cipher text in a central data vault.  This allows applications to work with the information and process it, eliminates cipher text instances throughout the enterprise (thereby de-scoping applications from PCI-DSS-type compliance requirements) and prevents malicious users from doing something with the data if they get their hands on it.

At the end, combining encryption with tokenization is a powerful data protection solution for many enterprises.  And as proven with many nuBridges’ enterprise implementations, working with a technology that supports encryption plus Format Preserving Tokenization provides unequalled data protection.

Let me know if you want to discuss more on how this technology works and how it can be implemented in your enterprise!

Look forward to hearing from you,

Abir

Posted at 12:09 PM in Data security, Encryption and key management., PCI DSS | | Comments (1) | TrackBack (0)

| |

December 30, 2008

Situation: New Year’s Party 2008 – “Now tell me what you do again”

Gary Palgon

Vice President, Product Management

nuBridges

Being in the software industry for more than 18 years, I’ve rarely been successful at explaining what I do to family and friends. They know I do something with computers but it stops there. They have no idea what B2B, MFT, ERP, SCM, or any of the other TLAs (three letter acronyms) that I refer to means.

But that’s all changing now. I’ve figured it all out. A good friend of mine, Robert, who is in the same industry as me told me years ago that he “just wanted a job where when he said it, everyone knew what it was.” Like a painter. Or an electrician. Or a mail delivery person. Or President of the United States.

With nuBridges being The Secure eBusiness Authority, it’s real obvious that we deal with security and eBusiness, with the latter explained as electronic business within a company or with business partners. However, given the onslaught over the last four years of data breaches involving credit card information and other personally identifiable information (PII ) – see there’s a TLA again – everyone knows that credit card numbers must be protected by retailers and other companies.

So, since nuBridges Protect solutions do secure credit card information for numerous major retailers worldwide, in 2009 my explanation of what I do will be greatly simplified and widely understood. Though I’m starting in 2008. When I’m at a New Year’s Party on December 31st, 2008, and someone asks me what I do, I’m going to simply say, “My company secures credit card information so it does not get stolen.” Simple, yet understandable.

And then I’ll go on to tell them that we deal with business-to-business data security, helping companies secure data at rest, and in transit, within the company’s four walls as well as with their business partners – up and down the supply chain! Now, tell me what YOU do again!

Happy New Year!

Gary

Posted at 12:09 PM in Encryption and key management., nuBridges, PCI DSS | | Comments (0) | TrackBack (0)

| |

August 14, 2008

Cybercrooks and the Olympics. Think before you click.

Kim Addington
Chief Marketing Officer
nuBridges

Cybercrooks and spammers are having a field day during the Olympics. According to BBC News, the volume of junk email messages with an Olympic theme spiked prior to the opening ceremony. These messages try to trick people into visiting fake sites or opening booby-trapped attachments. The games these crooks and hackers play– phishing, spam, malware and data hijacking -- don’t have any rules.

News reports of the past week have spotlighted a number of instances where malicious cybercrooks are luring unsuspecting Internet users to click on compromised Web sites and handing over their personal information. There has even been a campaign that used emails crafted to look like they had been written by the International Olympic Committee.  Think before you click!

Even with millions of dollars spent by Olympic games organizers on building a robust and secure IT infrastructure, athletes, fans, officials and foreign visitors can remain vulnerable to data loss and theft.  Thousands of handheld devices and laptop computers are traveling with the athletes, fans, games officials and foreign visitors – subject to theft or loss. Any sensitive data stored without robust data protection software is fair game to these cybercrooks. There will always be hackers and spammers and they’ll always grasp opportunities like the Olympics to do their mischief, so it’s up to the individuals and businesses that transmit or store sensitive data to make absolutely certain that it’s protected.  One winning way to guarantee that protection is through encryption of the sensitive data right at its source.

Do you have an example of Olympic-related data loss? We’d love to hear about it.


Talk soon,

Kim

Posted at 03:38 PM in Encryption and key management. | | Comments (1) | TrackBack (0)

| |

Recent Posts

Recent Comments

Categories

Archives

More...

Subscribe to this blog's feed

About

nuBridges Web sites

Twitter Updates

    follow me on Twitter