It’s a fact that might not bring a lot of comfort to consumers and businesses, but it’s true: The methods for protecting e-commerce transactions haven’t changed a great deal since online shopping became a viable option in the early ’90s. SSL (Secure Sockets Layer) and TLS (Transport Layer Security) encryption are the protocols that slap on that little padlock you see at the bottom of a Web site once you’ve begun the purchase process.
“The SSL is still used today because it largely is pretty effective,” said Mark Lieberg, information security manager, CISSP, for 60-year-old catalog company/direct retailer Fingerhut. “What’s coming into focus more sharply is, what do we do with the data after we have it? How do we secure that data and protect it from further security risk?”
While a wider variety of methods are available to protect data within a company, the chances of losing that data due to accidents or criminal activity have risen with the growth of e-commerce: a box of data tapes falling off a truck; a laptop with sensitive information lost or stolen.
However, Fingerhut — which ticketed US$500 million in revenue in 2008 — has committed to a relatively new security method that helps lock down data like credit card numbers: tokenization, an encryption technology that cuts down on the number of outside eyes having access to sensitive personal data.
As the PCI (Payment Card Industry) Security Standards Council begins to look for more stringent security methods and demand compliance from participating corporations, Lieberg believes that tokenization may give e-commerce companies the best chance yet to manage security compliance in the most cost-effective way.
E-Commerce Times: What is tokenization, and how do you implement it?
If you were a customer and came to Fingerhut’s Web site and said, “I’m going to make this purchase,” you would input your credit card number. That number would end up in what we’re calling our “vault,” a secure area of our network, and that nuBridges product would take that 16-digit credit card number, store it, encrypt it and return a “token” — a sixteen-digit number that represents raw data — and return that numeric value to the order-processing application. That number is not numerically related to the raw data in any way. From a security risk point of view, it’s inert. If I dropped that number on the street, nobody would deduce your credit card number from those values.
Now that order-processing application has a sixteen-digit number it can use to talk to other applications — or even for internal analysis. Your token is unique. The card-holder information is securely and more easily manageable in our vault.
E-Commerce Times: What prompted the move to tokenization?
We decided for 2009 to formulate a project around PCI companies, because it’s very prescriptive and gives you a lot of guidance on what to do and what not to do. Because of controls that need to be built out for PCI, we would create a secure environment for the data that PCI cares about. For us — PCI being the mandate and being the most costly challenge for most companies — the best and most cost-effective approach is to shrink the card-holder environment to as few systems as you can, so tokenization is the most powerful way to execute on that. There’s a tremendous economy of scale there for all our downstream systems. If we tokenize at the point of capture of that data, all our downstream systems have the benefit of containing no credit card information, so it’s risk-inert from a PCI standpoint.
E-Commerce Times: Can tokenization be used for all kinds of customer data on the Web?
Not really. The biggest impact is how to protect the data once you receive it on the back end. E-commerce sites are different, but all are cut from the same cloth: They take credit card data from the customer and make some money. The game-changing capability of tokenization is around compliance and protecting customer data. It’s not a panacea for all kinds of data. It works very well for numeric data. As we proceed to change the ways we protect customer information, we’ll probably have a blended solution of encryption and tokenization. Fingerhut really needed a product that we could bring in-house and make part of our data privacy initiative.
E-Commerce Times: Is tokenization being widely accepted by e-commerce companies? Any statistics or quantification?
I don’t have a good feel for who’s adopting. I know of only one other company that has done it, and it’s a quite different company than what we do. Tokenization as a concept is relatively new, at least to me, and as I talk to my peers out there, almost universally when I explain the concept they all say, “Wow, that’s really smart.” It’s a great way to get a handle on private data that typically ends up in all the nooks and crannies of a company. We get in front of the stuff and tokenize it. We don’t care if Bob in finance has a spreadsheet with the token. It’s not really the customer’s number.
E-Commerce Times: Whether it’s tokenization or encryption, isn’t a security method only as good as the people who install and maintain it?
I’d say that’s absolutely true. Security is only as good as the people, and until we all have robot bodies, then maybe that won’t be true anymore (laughs). Beyond that, it’s really about reducing the number of eyes that can get at the raw data. We’ll now have our vault area, which will have many security controls that we wouldn’t have on our general production environments, including some strict requirements for authenticating that environment, strict log management to allow for who’s coming and going into the vault — all that kind of stuff you would expect. None of them are generally new, but they are very intensively maintained, and then there’s a whole host of process controls, and the people who have access to that environment will simply be very, very few. It’s a paradigm shift for IT and for the company in how we manage the data.
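The vault flow described in the interview (card number in, unrelated 16-digit token out, raw number readable only by a few audited callers), as an added Python sketch; it is not Fingerhut's or nuBridges' code. The class, caller names and card number are constructed, and the in-memory dicts stand in for the vault's encrypted store.

```python
import secrets

class TokenVault:
    """Constructed stand-in for the vault; a real one encrypts card numbers at rest."""

    def __init__(self, authorized_callers):
        self._authorized = set(authorized_callers)  # the very few allowed raw data
        self._pan_by_token = {}
        self._token_by_pan = {}
        self.audit_log = []                         # who asked for raw data, and the outcome

    def tokenize(self, pan):
        if not (pan.isascii() and pan.isdigit() and len(pan) == 16):
            raise ValueError("expected a 16-digit card number")
        if pan in self._token_by_pan:               # one stable token per card
            return self._token_by_pan[pan]
        while True:
            # Drawn from a CSPRNG, never derived from the card number,
            # so the token alone reveals nothing about it.
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token not in self._pan_by_token and token not in self._token_by_pan:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token, caller):
        allowed = caller in self._authorized
        # The log records the token, never the card number itself.
        self.audit_log.append((caller, token, "ok" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{caller} may not read raw card data")
        return self._pan_by_token[token]            # KeyError for an unknown token

def demo():
    vault = TokenVault(authorized_callers={"payment-service"})
    pan = "4111111111111111"                        # constructed test number
    token = vault.tokenize(pan)                     # what downstream systems keep
    recovered = vault.detokenize(token, "payment-service")
    try:
        vault.detokenize(token, "finance-spreadsheet")
        denied = False
    except PermissionError:
        denied = True
    return pan, token, recovered, denied, vault

if __name__ == "__main__":
    pan, token, recovered, denied, vault = demo()
    print(token, recovered == pan, denied, vault.audit_log)
```

Downstream systems store and exchange only the value returned by `tokenize`; the lookup back to the card number exists in one place, and every attempt to use it is logged.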