Crutchfield retains customer payment card information for a limited time because it may be needed in the event of a refund or other settlement process, and currently PCI data is encrypted by means of applications developed in-house that make use of RSA-based encryption. But after the rush of the holidays is over, Crutchfield will be updating these applications in order to support a process of "bulk tokenization" of data through the Voltage product. To gain access to de-tokenized payment information, authorized users will need to gain secure access through the Voltage security appliance.
Voltage describes its tokenization technology as using a random-number generator based on static tables unique to each customer. The security firm says it uses tables to consistently produce a unique, random token for each clear text PAN input, resulting in a token that has no relationship to the original PAN. "The tokens are irreversible without the tokenization system," Voltage asserts, saying its process "withstands cryptanalysis."
Since the Voltage appliance will become a central touch point for payment-card security, Crutchfield will be treating the appliance as priority equipment, likely running it in redundant mode, geographically distributed, among other considerations.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org.