Direct-marketing retailer Fingerhut is undertaking a new strategy to protect sensitive payment-card information: Hiding it in plain sight through a data-scrambling method called “tokenization.”
Fingerhut's manager of information security Mark Lieberg says the strategy involves replacing the credit-card number in the database where it’s stored with a different number that’s not related. To carry out this process, called “tokenization,” Fingerhut is adding nuBridges' Protect software for encryption so the real card data is stored securely but a substitute is created when card data needs to be shared across Fingerhut’s network for any number of reasons.
“The value of tokenization is reduction in scope,” says Lieberg, noting that scope is the term used by PCI Security Standards Council in its standards to point out that anywhere in an organization a card number can be visibly read puts it under the “scope” of PCI standards.
By scrambling the real number into something different, the customer data can be more safely shared when needed by Fingerhut employees at the Eden Prairie, MN-based retailer doing routine tasks such as account-usage analysis. Various Fingerhut systems can then “be counted out of scope,” says Lieberg, which reduces risk and could make the PCI compliance process simpler.
The downside of tokenization, though, is that it does add another layer of complexity to interacting with payment-processing partners.
“The trade-off is that you have to continue to use that card value with external partners,” says Lieberg. To accomplish that, Fingerhut is installing what it calls a “lock-box for interfacing with our payment-processing partners.” This “lock-box” would allow payment-processing partners to obtain the real payment-card data.
Payment-card tokenization is a fairly new process, with a handful of competitors, including RSA and Shift4, that offer products or services to shield card numbers, says Gary Palgon, vice president of product marketing at nuBridges. Palgon says the nuBridges technology can also be used to shield other types of sensitive data, including S Social Security numbers.