Voltage Security First to Combine Encryption, Tokenization and Data Masking in Single Platform to Reduce PCI Audit Scope
September 23, 2009 — PCI SSC 2009 Community Meeting, Las Vegas, NV – Voltage Security, Inc. (www.voltage.com), the global leader in end-to-end data protection, today announced it has extended Voltage SecureData by adding tokenization and data masking capabilities to the existing encryption functionality, enabling the end-to-end protection of data, such as credit card numbers, in applications and databases. These additions make Voltage SecureData the most comprehensive end-to-end data protection solution available, giving customers the widest choice of protection options to simplify implementation, reduce PCI audit scope and lower costs.
Now, when combined with Voltage SecureMail and Voltage SecureFile, all supported by Voltage’s common stateless key management approach, these solutions together form the first true end-to-end data protection platform with a single developer interface, common policy framework and centralized stateless key management.
“The addition of tokenization and data-masking allows customers to significantly reduce the likelihood of an expensive data breach while lowering overall PCI compliance costs, without adding to their IT administrative burden,” said Mark Bower, vice president of product management at Voltage Security. “Voltage can now meet the most common use cases for online and offline data protection, with true stateless key management. This is something no other tokenization or encryption solution can do.”
According to Ponemon Institute data referenced in a recent Mercator Advisory Group Report, enterprises now spend, on average, more than $6.65 million to recover from a single data breach. But even that may not be an option. “A data breach could kill a company,” notes Mercator Advisory Group research director George Peabody, “But tokenization and encryption are two technologies that enable a merchant to mitigate the risk and impact of a breach.”
Voltage SecureData now includes encryption, tokenization, data de-identification and masking to protect all types of structured and unstructured data. This includes primary account numbers (PANs), Social Security Numbers (SSNs), national insurance numbers, driver’s license numbers, birth dates, files, images and other types of sensitive and private information. And, as part of the Voltage End-to-End Data Protection platform, all of these capabilities are supported by a unified architecture that offers a single developer interface and centralized administration for system configuration, policy management and key management.
Examples of how customers can harness the power of Voltage SecureData include:
- End-to-end encryption of sensitive card data for authorization and settlement within payment systems
- Encryption and/or tokenization of card data stored in databases and used by business applications, such as resolving charge-backs, or for post-settlement processes
- Data masking and data de-identification for test and outsourced environments – including packaged applications, such as Oracle E-Business Suite, reducing risk of inadvertent exposure of sensitive information
Voltage customers enjoy these benefits and more:
- Reduced PCI audit scope, costs and impact. Voltage SecureData provides production-ready data protection in 60 days or less.
- Avoidance of brand-damaging, costly breaches. Enterprises can move beyond compliance to provide data protection across mainframes, open systems, embedded devices, and mobile platforms.
- Lowered IT administration burden and overhead. Unlike traditional data protection solutions, Voltage SecureData supports existing infrastructure, IT processes and policies and requires very little administration time.
Tokenization protects against data breaches by replacing primary account numbers (PANs) and other sensitive data with a different value, a “token.” The PANs and matching tokens are stored in an encrypted database, and the organization uses the token, instead of the PAN, to process and record transactions within its own systems. If hackers gain access to those systems, they only receive meaningless tokens and are unable to sell or use customer information.
In addition to improving data security, tokenization helps to limit the scope of a merchant’s PCI audit and outsource liability in the event of a data breach—an appealing combination to cost-conscious merchants, according to the Mercator Advisory Group. Recently, the amount of regulation related to data protection has risen dramatically, with 44 states passing breach notification laws, the Fair and Accurate Credit Transactions Act (FACTA) and new privacy stipulations within the Health Information Technology for Economic and Clinical Health Act (HITECH). Analysts have reported that the amount large merchants have had to spend to achieve PCI compliance has increased dramatically over time.
One of the biggest contributors to those rising costs is the expense of PCI audits. However, when an application or database uses tokens instead of actual account numbers, that system generally falls outside of the scope of a PCI audit. As a result, organizations that use Voltage SecureData tokenization capabilities can reduce the size and expense of their audits.
In order to achieve full PCI compliance, organizations must protect data in every system that uses credit card data. That means companies must address quality assurance, test, application development, and outsourced systems—not just production systems.
Voltage SecureData, which already provides dynamic data protection for production systems, now also provides the widest range of data masking and data de-identification options for non-production data and outsourced environments while preserving geographic and statistical relationships in the data. In addition, customers can take advantage of application metadata and automated masking rules for packaged applications such as Oracle E-Business Suite, PeopleSoft, Siebel, JD Edwards and Baan.
Voltage SecureData Masking is powered by Solix Technologies, Inc. (www.solix.com), a leading provider of enterprise data management solutions used by large enterprise customers to manage business critical data.
Technology Innovations for End-to-End Data Protection
Several technological innovations make it possible for most customers to deploy secure data end-to-end in just weeks. First, Voltage Format-Preserving Encryption (FPE) enables data values to be encrypted while retaining their original length and format. In other words, a 16-digit credit card number is replaced with an encrypted value of the same length and structure, and, as a result, organizations do not need to make time-consuming modifications to applications or database schema. Second, Voltage Identity-Based Encryption (IBE) uses simple common identities, such as an email address, as public keys, eliminating the need to store and manage keys, dramatically reducing administrative burden.
Pricing & Availability
Voltage SecureData Tokenization and Data Masking solutions are available in October with starter kits for production applications from $65K.
About Voltage Security
Voltage Security, Inc., an enterprise security company, is an encryption innovator and global leader in end-to-end data protection. Voltage solutions, based on next generation cryptography, provide end-to-end encryption, tokenization, masking and stateless key management for protecting valuable, regulated and sensitive information based on policy. Voltage products enable reduction in audit scope with rapid implementation and the lowest total cost of ownership in the industry through the use of award-winning cryptographic solutions, including Voltage Identity-Based Encryption (IBE) and a new breakthrough innovation: Format-Preserving Encryption (FPE). Offerings include Voltage SecureMail, Voltage SecureData, Voltage SecureFile and the Voltage Security Network (VSN), an on-demand managed service for the extended business network.
As a service to the industry and general public, the company maintains the Voltage Data Breach Index and Map, which is continuously updated with global data breach information: www.voltage.com/data-breach. The Company has been issued several patents based upon breakthrough research in mathematics and cryptographic systems. Customers include Global 1000 companies in banking, retail, insurance, energy, healthcare and government. To learn more about Voltage customers and sign up for the customer newsletter, please visit www.voltage.com/customers.
* George Peabody, Mercator Advisory Group: “Merchant Security, Tokenization and the Fairy tale of Outsourcing PCI,” March 2009.
Voltage Identity-Based Encryption, Voltage Format-Preserving Encryption, Voltage SecureMail, Voltage SecureFile, Voltage SecureData and the Voltage Security Network (VSN), are registered trademarks of Voltage Security, Inc. All other trademarks are property of their respective owners.