Pat Townsend Claims Industry First with Tokenization Offering
July 13, 2010 Alex Woodie
Patrick Townsend Security Solutions is taking a unique approach to data security with its latest offering, Alliance Token Manager. Like all tokenization offerings, ATM inserts a token in the place of sensitive data, making the data useless without the key, but maintaining internal consistency. But unlike other tokenization offerings, PTSS’ new i/OS-based product will generate non-recoverable tokens, which means the data can never be recovered–not even with the key. ATM is the first tokenization offering to offer this feature, PTSS claims.
Obviously, a company would never use the non-recoverable feature of ATM if it needed to access or use the data in the future. But for certain types of data–a credit card number is the most obvious and pertinent example, because of the Payment Card Industry (PCI) compliance mandate that so many companies are struggling to meet–the non-recoverable function makes perfect sense, according to PTSS.
By using the non-recoverable feature of ATM, a company would no longer store an encrypted credit card number on its server or servers. Only the tokenized variant of the data–which is similar in size and shape but useless for people outside the organization–would be stored. Because the data is no longer on the System i or Power Systems server, that server is no longer required to comply with PCI or other requirements, such as HIPAA, the HITECH Act, GLBA, and state privacy laws. Because these mandates are such a burden on IT staffs, PTSS is betting that non-recoverable tokens take off in popularity.
ATM customers can use a mix of recoverable and non-recoverable tokens with their various data sets. And PTSS says that customer support activities will still be possible with the data that’s been transformed into a non-recoverable token. For example, a customer service representative will still be able to use a customer’s credit card number to look up an account, the company says.
PTSS has developed ATM to create tokens that match the characteristics of all types of data. For example, driver’s license tokens can be generated that are properly formatted for any of the 50 US states, while social security numbers generated with ATM will meet the formatting requirements of real social security numbers, PTSS says. ATM can also generate random numbers and character strings, Base16 (hex) and Base64 encoded strings, and binary numbers, PTSS says. What’s more, customers can specify that a token credit card number pass Luhn check-digit authentication (which tells a company that a credit card number is not a collection of random digits), or that it will not pass the Luhn check.
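An added example (not PTSS code, and not ATM's actual algorithm) of the format-matching behaviour described above: a random token that keeps a card number's length and separator layout and is forced to pass or fail the Luhn check on request. The function names and the sample card number are constructed for illustration.

```python
import secrets

def luhn_checksum(digits: str) -> int:
    """Luhn sum mod 10 over a full digit string (0 means the check passes)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10

def luhn_valid(digits: str) -> bool:
    return digits.isdigit() and luhn_checksum(digits) == 0

def make_token(value: str, pass_luhn: bool) -> str:
    """Random token with the same length and separator layout as value.

    The digits come from the OS CSPRNG and are not derived from value, so the
    token alone cannot be reversed; only the final check digit is computed.
    """
    n = sum(ch.isdigit() for ch in value)
    if n < 2:
        raise ValueError("need at least two digits")
    body = "".join(str(secrets.randbelow(10)) for _ in range(n - 1))
    # The check digit is never doubled, so this is the one value that passes.
    good = (10 - luhn_checksum(body + "0")) % 10
    if pass_luhn:
        check = good
    else:
        check = (good + 1 + secrets.randbelow(9)) % 10   # any of the 9 others
    digits = iter(body + str(check))
    # Re-insert the original separators (spaces, dashes) at the same positions.
    return "".join(next(digits) if ch.isdigit() else ch for ch in value)

if __name__ == "__main__":
    pan = "4111-1111-1111-1111"     # constructed sample (common test number)
    print(make_token(pan, pass_luhn=True))
    print(make_token(pan, pass_luhn=False))
```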
ATM runs on i/OS, and uses the key management and storage functions of Alliance AES/400, PTSS’ i/OS-based encryption and key management software. While the guts of ATM run on i/OS, PTSS offers client interfaces for Windows, Unix, Linux, and z/OS platforms, which enable customers to tokenize data residing on those platforms while keeping the actual data (relatively) safe and encrypted on the i/OS platform. That is, unless non-recoverable tokens are used, in which case the real data no longer exists anywhere on the customers’ systems.
Alliance Token Manager is available now. The software requires OS/400 V5R2 or higher. PTSS did not disclose pricing. For more information, visit the company’s website at www.patownsend.com.