Helzberg Diamonds tries 'tokenization' for PCI compliance

Tactic aims to narrow PCI 'scope' by hiding data in plain sight

By Ellen Messmer, Network World
March 01, 2011 12:02 AM ET
Jewelry retailer Helzberg Diamonds has struggled to achieve compliance with the Payment Card Industry (PCI) data-security standards, so it is trying a new tactic: technology called tokenization that lets the retailer "hide" sensitive card data in plain sight.

PCI sets technical rules for handling payment-card information, and the difficulty that North Kansas City, Mo.-based Helzberg Diamonds has confronted is finding a way to narrow the so-called "PCI zone" within its corporate network, which receives card information from more than 200 jewelry stores.

One of the steps Helzberg is taking is to convert payment-card data into so-called "tokenized" data: a generated number that stands in for the cleartext card number and thereby hides it in plain sight.

"We're trying to meet PCI requirements," says Florian Yanez, manager of technical systems, who's responsible for information security at Helzberg Diamonds. "We have some holes."

There are times when customer data has to be shared for business purposes, but wherever payment-card information goes, it has to be handled according to the many PCI guidelines. Consequently, a huge effort has to be made to reduce the "scope" of the sensitive PCI data to as small a part of the network as possible.

With its bank asking for PCI-related changes, and with Verizon Business, the PCI Qualified Security Assessor it hired for advice, weighing in as well, Helzberg has come up with a different course of action.

The retailer has already shifted from a frame-relay network to a managed VPN service from AT&T to connect from its data-processing center to its retail stores. To secure the PCI data it holds, Helzberg Diamonds considered storing it in encrypted form in its databases, which would satisfy the PCI standard. But there were some technical hurdles, including some extensive changes in database field sizes that would have been required, says Yanez.

Instead of an encryption approach, Helzberg Diamonds is using the tokenization method provided by nuBridges that lets the jewelry retailer take regular PCI data and turn it into a generated-number form that doesn't impact the database field size.

"There are very few processes that need the raw credit card numbers," Yanez notes. But in the case where there is a business purpose, the nuBridges Protect product includes a Token Manager that requires an individual to authenticate to make a request to receive cleartext PCI data.
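The scheme described above, as an added example (not code from Helzberg, nuBridges or Network World): a small Python token vault that swaps a card number for a random digit string of the same length, so database field sizes are unchanged, and hands back cleartext only to an authorized principal, recording every request. The authorized-principal set stands in for the Token Manager's authentication step and is an assumption, as is rejecting tokens that pass the Luhn check so that a token can never be mistaken for a real card number.

```python
import secrets
from dataclasses import dataclass, field


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check (real card numbers do)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """In-memory stand-in for a token vault; a real one lives inside the PCI zone."""
    authorized: set = field(default_factory=set)        # assumed: principals allowed to detokenize
    _pan_to_token: dict = field(default_factory=dict)
    _token_to_pan: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)           # (principal, token, allowed) per request

    def tokenize(self, pan: str) -> str:
        """Replace a card number with a random token of identical length and character set."""
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        if pan in self._pan_to_token:        # same card -> same token, so joins still work
            return self._pan_to_token[pan]
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            # Assumed design choice: never issue a token that looks like a real card
            # number, and never reuse a token already mapped to another card.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, principal: str) -> str:
        """Return the cleartext card number only to an authorized principal; log every attempt."""
        allowed = principal in self.authorized
        self.audit.append((principal, token, allowed))
        if not allowed:
            raise PermissionError(f"{principal} is not authorized to detokenize")
        return self._token_to_pan[token]
```

Everything outside the vault (reporting, CRM, analytics) can carry the token in the existing card-number column; only the vault and the few authorized processes remain in PCI scope.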

Helzberg Diamonds anticipates completing its shift to tokenization in the March timeframe.

Tokenization is gaining more acceptance as a way to limit scope in a PCI compliance effort, and the PCI Council anticipates releasing further guidance about tokenization in April, according to sources.
