As more merchants store credit card data in the virtual servers of cloud-based payment systems, the challenge for security providers is to keep the data safe.
Indeed, data security in cloud-based systems has become an important issue, with the Payment Card Industry Security Standards Council this year making it a major focus of its special interest groups (see story).
Most data-security experts agree acquirers and merchants have much to learn about keeping data safe as their information flows through and is stored in the cloud (see story).
Data-security software provider Protegrity USA Inc. is working to help in the cause as it prepares to release software Feb. 28 that will provide advanced tokenization technology for use in public cloud-based systems. The Data Security Platform 6.0 software Protegrity will introduce to public cloud systems, or those open to multiple users, a tokenization technology the company has used previously in private (one owner) cloud systems, Yigal Rozenberg, Protegrity vice president of products and chief architect, tells PaymentsSource.
In addition, the new software provides tokenization, or the conversion of card or other data to a set of symbols, or “tokens,” for companies storing massive amounts of data, sometimes referred to as Big Data, Rozenberg says.
Merchants and acquirers have been reluctant to store data in public clouds because they view them as essentially open to anyone on the Internet, Rozenberg contends. Though one system is always kept separate from another within a public cloud, any interested party may use the computing-as-a-service, he adds.
“You have to make sure all of the applications for access and inside the cloud are protected,” Rozenberg says.
The new software provides those protections, helping eliminate concern about data security should someone compromise initial access controls to public clouds, Rozenberg suggests.
“By adding tokenization to the public cloud, you are storing and working with data only with token values, so it has no value or meaning to those who may try to enter without authorized access keys,” he adds.
Cloud-based systems create more locations where “data at rest” needs protection, and the new software enables merchants to tokenize data in databases, applications and other file types on the most widely used cloud servers, Rozenberg explains.
Stamford, Conn.-based Protegrity provides cloud-based protection for public clouds such as Amazon Cloud, Oracle Corp., IBM and Microsoft Corp. databases, as well as private clouds such as Teradata Active Data Warehouse, the company stated in a press release.
Large and midsize merchants with a significant number of online transactions who store data in a cloud are likely candidates to benefit from the new Protegrity software, Rozenberg says.
Rozenberg could not disclose pricing for Protegrity’s security service but says merchants or acquirers pay based on company size and transaction amount.
Some companies add expense when moving into a cloud-based system because they also want to keep data considered more sensitive stored on an in-house server instead of the cloud, he adds. “The new software can address that by making the cloud as safe as a mainframe server, thus all data can be kept in one place,” Rozenberg contends.
Various payment gateways or acquirers steer clients to Protegrity software, while some companies work directly with Protegrity because they want to own their cloud-security software, Rozenberg says.
Companies should view tokenization as part of a “security onion” that has multiple layers because strong access controls and other data protections are always needed, he adds.
Julie Conroy McNelley, senior analyst and fraud expert with Boston-based Aite Group, agrees that various methods must work to complement each other. Still, she views tokenization in the cloud as a major security step.
“Cloud-based systems represent a brave new world out there, but tokenization at a merchant site is equally applicable at the cloud level,” McNelley tells PaymentsSource. The challenge lies in protecting the data at a number of different places where it could potentially be exposed residing in the cloud, she adds.
With the Protegrity software being pushed to resolve that issue, McNelley suggests “it’s a win-win situation for the merchant and consumer.”
The PCI council last August announced guidelines for using tokenization in payment-security systems, about five months before declaring it would study the concept as it relates to cloud-based systems (see story).
What do you think about this? Send us your feedback. Click Here.