Florian Yanez, manager of technical systems for Helzberg Diamonds, explains how tokenization helped the company solve data storage and PCI DSS challenges.

SAN FRANCISCO — Florian Yanez, manager of technical systems for Helzberg Diamonds, is among those attending RSA Conference 2011. CSO recently caught up with him for a discussion on his company’s efforts to adopt tokens as a way to address PCI DSS’ rules on stored customer data.

CSO: Let’s start with a general picture of your organization’s main security priorities.

Yanez: Like everyone else, our biggest concern is protecting customer information and meeting the PCI DSS requirement — particularly the parts about protecting stored data such as credit card and telephone numbers.

CSO: What are some of the basics in terms of the technology you’ve deployed to address that?

Yanez: We have a security event management system in place to capture all the logs in our data center. We get alerts if anything strange shows up. We also have a vulnerability management system in the works so we can scan for all the security patches we need on a regular basis. We want to be as up to date on patching as possible.

CSO: You’ve also been in the process of implementing tokenization. What led to that focus?

Yanez: For a little over a year we’ve been taking this route because tokenizing our data turned out to be the best way to address the concerns of PCI. We were originally looking for an encryption tool. We went with nuBridges as a vendor because they have an adapter tool for key management between us and our point-of-sale (POS) vendor.

Several years ago our POS vendor started adding encryption to their system. They built a key management utility with all the encryption and decryption functionality. But we realized encryption was also needed in all the back-end systems as well. To make it easier, we thought it best to use the same key for the POS vendor and back-end systems. Our POS vendor was already using nuBridges, so it made sense for us.

CSO: How far along are you in the project?

Yanez: We are not fully implemented yet. We’re almost there. But when we’re done we’ll be in a much better position in terms of PCI. This will make the PCI scope much more manageable.

CSO: How so?

Yanez: We’ll have less than 10 systems that we’ll have to worry about under PCI DSS at the corporate office, which is a huge reduction. Before we started tokenization, we had to worry about 400 systems in the corporate office.

CSO: What have your implementation challenges been thus far?

Yanez: Making the decision between tokenization and encryption was hard. At first encryption seemed like the best, most obvious approach. But the deeper we dug into it, the more we decided we needed to go the other way. Encrypted data is PCI data and is therefore under the PCI scope. Tokens are not PCI data, so all systems we put tokens on are not in scope. It made network segmentation a lot easier.

CSO: Any configuration problems?

Yanez: Yes. We are primarily a Windows shop, so when we developed in-house software to support this, it wasn’t a perfect match with the nuBridges software. But we’ve been able to work through it.
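The scope-reduction argument Yanez makes (tokens are not cardholder data, encrypted PANs still are) is easier to see in code. The following is an added example, not Helzberg's in-house software or the nuBridges product: a minimal vault-style tokenization service in which only the vault can link a token back to a PAN, plus a helper that classifies systems as in or out of PCI scope by the data they store. The in-memory dictionaries, the sample PAN (a well-known Luhn-valid test number, not a real card) and the system inventory are all constructed for illustration; a real vault would persist the mapping in an encrypted, access-controlled store.

```python
"""Added example (not Helzberg's or nuBridges' code): vault-style tokenization
and a PCI-scope classifier. Storage is an in-memory dict for illustration."""

import secrets
from typing import Dict, List


def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check, used to validate a PAN before it is tokenized."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The only component able to map a token back to a PAN.
    The vault and the network segment it lives in stay in PCI scope;
    everything that holds only the token does not."""

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("input is not a well-formed PAN")
        # The same card always yields the same token, so back-end systems can
        # still tie orders and refunds to a card without ever seeing the PAN.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Format-preserving token: random digits, last four kept so
            # receipts and customer service still work unchanged.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and any value that happens to pass Luhn, so a
            # token can never be mistaken for, or replayed as, a real card number.
            if token not in self._token_to_pan and not luhn_ok(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only authorised in-scope callers (e.g. the settlement job) may use this."""
        return self._token_to_pan[token]


# Field types that count as cardholder data. Encrypted PANs are still PANs:
# whoever holds the key can recover them, so the system stays in scope.
PCI_DATA = {"pan", "encrypted_pan"}


def in_pci_scope(stored_fields: List[str]) -> bool:
    """A system is in scope if it stores a PAN in any form; tokens alone are not."""
    return any(f in PCI_DATA for f in stored_fields)


def scope_report(systems: Dict[str, List[str]]) -> Dict[str, bool]:
    """Map each system name to whether it is in PCI scope."""
    return {name: in_pci_scope(fields) for name, fields in systems.items()}


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111 1111 1111 1111"          # constructed Luhn-valid test number
    token = vault.tokenize(pan)
    print("token held by back-end systems:", token)
    print("vault lookup:", vault.detokenize(token))
    # Constructed inventory: only the POS, the vault and the legacy archive stay in scope.
    print(scope_report({
        "pos-terminal": ["pan"],
        "token-vault": ["pan", "token"],
        "order-history": ["token", "order_id"],
        "marketing-db": ["token", "email"],
        "legacy-archive": ["encrypted_pan"],
    }))
```

Two design choices carry the security point: tokens are drawn from a CSPRNG rather than derived from the PAN (a hash or cipher output would be reversible or brute-forceable from the key side, which is exactly why encrypted data stays in scope), and tokens are forced to fail the Luhn check so a leaked token cannot be confused with a usable card number.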