Data Security Firm nuBridges Offers Tokenization In The Cloud

A company that offers data security with a process called tokenization is about to offer the technology in the cloud. Atlanta-based nuBridges unveiled its tokenization-as-a-service (TaaS) offering, available sometime in March, at the RSA Conference 2011 going on this week in San Francisco. Tokenization is the process of creating tokens that represent data secured in another database. IT professionals can use the tokens to analyze the data in various programs without exposing the actual data.

Tokenization saves companies the time and expense of managing complex data encryption systems for compliance with industry regulations, such as the Payment Card Industry's Data Security Standard (PCI DSS) for the global credit card payment industry. NuBridges, which began offering on-premise tokenization technology in 2009, is going to offer the TaaS option to businesses that are comfortable with the cloud in general and want the cost savings and ease of use it offers, says Gary Palgon, VP of product development for nuBridges.

"We are seeing a trend of acceptance. We saw in 2010 a trend much faster than we predicted of companies not only using the cloud, but using it for production data," Palgon says. Tokenization protects sensitive data that is used throughout an enterprise but is subject to PCI compliance, which requires encryption, he says.

A retailer may process credit card transactions at numerous stores and send all that data to its corporate headquarters, where it's also used for post-transaction business processes, such as account settlement, chargebacks or sales auditing. By replacing the credit card data in those systems with tokens, IT assets aren't subject to PCI compliance. "When you look at what systems are handling credit card information, once you tokenize it, it's not a credit card number anymore," Palgon says.

Helzberg Diamonds, a jewelry retailer with 235 stores, is about to implement an on-premise tokenization software system from nuBridges, says Florian Yanez, manager of technical systems and information technology for the Missouri-based chain. By adopting tokenization, the number of IT systems, such as servers, that are "in scope," meaning subject to PCI compliance, will drop from about 400 to as few as 10, Yanez says."As we looked at [tokenization], it became much more appealing because the tokens are not PCI data, whereas the encrypted data would be. Even if we put that encrypted data out in all of  our back end systems those still would be within the PCI's scope," he says.

Besides tokenization for credit card information, it is also used to protect other personally identifiable information subject to security regulations such as data used in the health care industry. NuBridges's TaaS solution will be hosted by Verizon Business on its Computing as a Service (CaaS) platform, a public cloud service provider.

Palgon heads the PCI Security Standards Council's Tokenization Working Group, which is preparing to publish a paper in April to share guidance about tokenization in the enterprise.

See more on this topic by subscribing to Network Computing Pro Reports Request For Information: Electronic Health Records Systems (subscription required).