
The Next Phase of PCI Security


As the newest wave of Payment Card Industry’s Data Security Standard mandates loom on the horizon, retailers are preparing data-security and payment-processing systems for compliance, and direct-to-consumer companies are no exception. Fingerhut is taking a pioneering step in the right direction with the debut of a tokenization project to further secure online payment data.

The newest PCI DSS mandate, set to hit the scene on Sept. 30, will restrict large and mid-size companies from retaining data, such as PINs or security codes, encoded on credit cards’ magnetic stripe. Mindful of the upcoming deadline, privately held Fingerhut began conducting internal assessments not just to determine how to comply, but also to control the costs associated with the PCI DSS mandate and other federal laws.

Based on assessment results, the company chose first to remove sensitive credit-card data from systems within its infrastructure that captured or stored it unnecessarily. This allowed Fingerhut to eliminate costs that would be required to make those systems compliant with the mandate.

The tests also pushed the Eden Prairie, Minn.-based retailer to add tokenization. In simplest terms, the tokenization process converts a numeric sequence, such as a 16-digit card number, into a 16-digit numeric reference number that is not mathematically related to the raw credit-card number.

The token is stored in the application’s database, and the real credit-card number is encrypted and written to a secure data network inside Fingerhut, called the Vault. The Vault, also referred to as a lockbox, uses a small number of servers and network equipment to protect sensitive credit-card data.

“The tokens in the systems outside the Vault have no value to would-be hackers, since there is no way to reduce them or translate them to real credit-card numbers,” said Mark Lieberg, information security manager for Fingerhut, a direct-to-consumer company that reported $500 million in sales for fiscal year 2008.

The Vault resides in a remote section of the company’s network that is firewalled from the retail environment and mission-critical processing systems. Inside the Vault is a series of controls that requires stringent authorization to re-access the original credit-card data value. Also on the network are the company’s Atlanta-based NuBridges Token Manager environment, the NuBridges Data Vault and supporting payment-processing systems, which together comprise 15 to 20 units.

Tokenization features prominently in Fingerhut’s data-protection strategy. For example, as Fingerhut’s order-processing system captures a credit-card number, the order-processing system uses a simple Application Programming Interface supported by NuBridges to call the Token Manager and then the Vault. The Token Manager collects the raw credit-card number, encrypts it and stores it in the Data Vault. At the same time, the Token Manager also produces a token value, which will allow it to reference the encrypted value later if needed. The token value is returned to the order-processing system. Customers never see tokens, and the order-processing system never stores any credit-card data and cannot access the Vault to reveal the raw data.
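The flow just described, modelled as an added Python sketch that is not Fingerhut’s or NuBridges’ code: an order-processing caller asks a Token Manager for a random 16-digit token, the raw card number is encrypted into a Vault, and the Vault refuses to hand the raw value back without authorization. The class and function names are assumed, and the HMAC-based keystream is a constructed stand-in for whatever cipher the real Vault uses.

```python
import hashlib
import hmac
import secrets


class Vault:
    """The 'lockbox': holds each encrypted card number under its token."""
    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self._store = {}  # token -> (nonce, ciphertext)

    def _keystream(self, nonce, length):
        # Constructed stand-in for the Vault's cipher: HMAC-SHA256 in counter mode.
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self._key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def put(self, token, pan):
        nonce, raw = secrets.token_bytes(16), pan.encode()
        self._store[token] = (nonce, bytes(a ^ b for a, b in zip(raw, self._keystream(nonce, len(raw)))))

    def get(self, token, authorized):
        # Re-accessing the raw value requires explicit authorization inside the Vault.
        if not authorized:
            raise PermissionError("detokenization requires Vault authorization")
        nonce, ct = self._store[token]
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct)))).decode()


class TokenManager:
    """Issues tokens and hands the raw card number to the Vault."""
    def __init__(self, vault):
        self._vault, self._issued = vault, set()

    def tokenize(self, pan):
        # A random 16-digit reference number: not derived from the PAN, so there is nothing to reverse.
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        while token in self._issued or token == pan:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
        self._issued.add(token)
        self._vault.put(token, pan)
        return token

    def detokenize(self, token, authorized=False):
        return self._vault.get(token, authorized)


def process_order(manager, pan):
    # Order-processing system: calls the Token Manager and stores only the token it gets back.
    return {"payment_ref": manager.tokenize(pan)}
```

Because the token is drawn at random rather than computed from the card number, the order record never contains anything that can be reduced to the original value, which is the property Lieberg describes below.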

Tokenization is an evolving process, and investments vary depending on whether companies outsource the solution to technology providers or manage the project in-house. For Fingerhut, bringing the solution in-house made the most sense.

“Costs surrounding PCI DSS are substantial. Tokenization can also be an expensive strategy, with hosted Software-as-a-Service vendors starting at around a $250,000 investment,” Lieberg explained. “This doesn’t even touch the costs related directly to PCI DSS, such as the labor, security controls, process remediations and all systems impacted when card data is collected.”

For example, in 2008, Level 1 retailers, or those processing more than 6 million transactions annually, spent an average of $2.7 million to become PCI compliant, excluding the costs of PCI assessment services. That number eclipses an average of $568,000 reported by Level 1 merchants, according to Stamford, Conn.-based Gartner.

Fingerhut will expand its use of tokenization to improve protection of other sensitive personally identifiable information, also known as PII, in 2010.
