Townsend Security Data Privacy Blog

DOWNLOAD WHITE PAPER Download our AES Encryption Strategies: A White Paper for the IT Executive and learn more about deploying an encryption solution. Click Here to Download Now

Many IT executives are now faced with the urgent need to secure sensitive data on their computing systems in a very short period of time.  Decisions need to be made on what data security solutions to use, which projects need priority, and how to make the best use of available resources. The need to deploy better data security has arisen quickly and many IT executives feel the need for more information.

The data security solutions you select now will be in use for many years to come.  Over time, these solutions will be integrated into almost every major application in your IT environment.  Selecting the right solution now is an important first decision, whether that decision is to develop data encryption capability in-house, or to work with a data security solutions provider.

Here are some key questions to consider when making this decision:

• Who will be able to provide us with mature guidance on the appropriate use and implementation of encryption?
• Encryption is a complex technology - do we have the expertise and resources to do this on our own?
• Data security is incorporated into a number of regulations that control our Enterprise, are we using the right technology to satisfy these regulations? And will our solution help us minimize legal liability?
• Will our data security solutions easily extend to new requirements? We need to secure credit card numbers today. What about tape encryption, spool file reports, and IFS files? Will our data security technology lend itself to new uses?
• We transfer data between diverse systems in our internal network, and between customers, suppliers, and employees. Will our solutions meet all of these needs?

For further information and strategies for beginning and encryption project, download our White Paper titled AES Encryption Strategies: A White Paper for the IT Executive.

Last week we posted part one of our two-part series covering XML & Web Services.  This second half covers how organizations are currently using web services, how the technology can increase revenue, and how the technology can reduce costs.  For even more information, we have made a recorded webinar available titled "XML & Web Services - How to Win More Business."

How are organizations currently using web services?

There are lots of ways web services are being used to help companies do business and make business work well.  Definitely in back-office processing, we see orders being placed via web services -- shipment requests, notification of order status, all types of business transactions that you can imagine are quite easily implemented as a web service.  So, sort of that fundamental day-to-day operational side of web services are there.  And then you see some really creative kind of things.  You see things like Microsoft SharePoint which provides a web service based collaboration tool that helps people share information and collaborate on documents.  These are powerful technologies that can really be used in a number of different ways.  So, really, almost any interaction that you have that involves information is quite susceptible to being engineered through web services. 

How can the technology increase revenue?

View Recorded Webinar Now

Well, think of new business.  Sometimes, when you want to bring onboard a new customer there is going to be some data interchange that you have to do with that customer.  Web services can make that really easy and fast to do.  Web services can really be an enabling technology to on-board entirely new sets of customers – perhaps in lateral opportunities.  In terms of increasing revenue, that is probably the main way we see XML and web services being deployed.

You mentioned that this technology can also reduce costs.  Can you explain?

In today’s world there can still be a lot of manual work as we move data through our various applications.  Web services can automate that.  We can gain efficiency within our own organizations by automating a lot of these processes.  So, again, XML and web services can be the transport mechanism or the enabling technology for these processes to happen automatically.  We push out inefficiencies, we automate processes, we make data flow faster, which then can improve customer service.  So XML and web services can be an important efficiency tool within an organization as well.

Are there any specific cost savings for our listeners who implement a SharePoint server?

A SharePoint server is a Microsoft server based product that is a collaboration tool and it really lets people in geographically different locations share information in real-time.  So you can push a document up to a SharePoint server, someone else can get notified that the document is available, and then immediately take a look and work on it. This is all done with a web services type of implementation.  Or imagine you are on an IBM Mainframe where you are running back-office applications. What if your daily reports could automatically be published to a SharePoint server and made immediately available to the people who need them?  You can now reduce printing costs, time for the information delivery, and you make that information much easier to share.   So this technology is really helpful for pushing cost out of an organization.

Are there any companies we might recognize using your XML?

Sure!  PotteryBarn is using the RightNow CRM and they needed a way to do bulk data transfers to a SharePoint server hosted by RightNow.  Our Alliance XML/400 was able to do that.  In this case, the payload was an Excel CSV file that had to be shared between PotteryBarn and RightNow.  Our technology made this sharing take place.

How complex is the implementation of XML and web services technology?

That’s a good question.  Let me take that in two parts.  XML and web services technologies have a fair amount of complexity in them.  You have issues of security with HTTP/HTTPS implementations and you have the complexities of dealing with XML payloads - they have to be parsed properly to extract data and make it useable. 

Encryption and encoding becomes an integral part of this technology, so there are a fair amount of really complex technologies integrated into a web services solution.  However, the actual solutions that get deployed don’t have to be complex. 

For example, in Alliance XML/400 we make the implementation of the client and server applications very simple.  They are natural native interfaces on the IBM i that any developer can use if they wish.  So in our solution we tried to hide the complexities of all these technologies in the solution itself, so that our customers don’t have to deal with that.  I think that deploying XML and web services with our product is a very straightforward and easy thing to do. 

We have had people in a very short period of time get up and running with integration with their customers – in as little as a couple of days.  This is something that can be deployed quickly.  Good solutions hide those complexities so that people can get on with doing business and not spend their time fussing around with the technology itself. 

This has been some great information.  Is there anything else you would like to say before we are done?

XML and web services are really enabling tools.  We are living today in a difficult economic time and yet the most successful companies are moving forward.  They are working to engage new opportunities, to reduce cost out of their organizations, and XML and web services technologies can help with this process.  So, being positive and looking for opportunities and being sure to look at the payback for web services as part of the whole picture is really important.

For more information on XML & Web Services, view our webinar titled "XML & Web Services - How to Win More Business."

 

XML and web services are tools that can help your organization respond faster to opportunities, win more business, and reduce costs.  Recently I was able to sit down with Patrick Townsend, Founder and CTO of Townsend Security, to discuss XML & web services.  One thing became crystal clear – using XML and web services does NOT have to be a hard project, in fact it can be relatively easy.

How can XML and Web Services improve an organization’s bottom line?

View Recorded Webinar Now

XML and web services are really designed to help make integration within an organization and between organizations a lot easier.  This technology is designed for the Internet and is an easy to implement integration strategy.  Companies can begin putting applications together within the organization and then start to work to integrate with their customers and service providers.  XML and web services makes business a lot easier to do.  And XML is a great technology for making this happen very quickly.  XML is a very light-weight technology, easy to implement, and very platform agnostic.  So anyone, with the right set of tools, which are not expensive, can begin doing this kind of integration very quickly.

Can you give me a brief overview of how XML and web services work together?

Well, there are several components to web services.  The first is you have a communications layer, which is based on HTTP and HTTPS – the same communications technology we have in our browsers on our PCs.  So the internet HTTP technology is the backbone of web services.  Communications are one big chunk of what web services are all about.

Next you have data that you are pushing between a client and a server, or between yourself and a customer.  This payload is usually in XML format -- which is again, an industry standard well adapted for the Internet.

Then you typically have client and server backend processes.  If I send an order to a customer over the internet in XML format, there needs to be a backend process that can receive that XML document, process it into the back-end order system, and properly handle the data.

So these are the fundamental components – communications, XML payload, and processing capability on both ends – that really make web services go.

What essential components would an organization need?

Since most of the web services are automated, you need a good client application and a good server communications application.  Where as you are browsing on your PC with Internet Explorer or Firefox, you are using a pre-packaged client going to a web server.  In web services between businesses, the client is usually an application, so you need some kind of client application capability that can perform the communications automatically.  In other words, there is not a human being there who is going to initiate a browser session.  It is going to be an automated process.  Likewise, on the receiving end, or the server end of the process, you need a server capable of receiving an XML web services request and invoking the backend application.  And almost always that means something that can parse an XML payload and make that information useable within the backend application.

What can you tell us about Townsend Security’s XML product?

Alliance XML/400 is an IBM i solution and it provides all of the components that a customer needs to really deploy web services on the IBM i platform.  It provides the communications transport – both the client and the server side, it provides the ability to form XML documents out of standard database information, and it provides easy mapping so that complex programming is not required.  It gives the IBM i enterprise customer that ability to easily and quickly deploy web services and take advantage of the technology.

 

This concludes part one of Gaining Efficiency & Business with XML & Web Services.  We will post the second half at the beginning of next week.  Until then, we have made a recording of our webinar "XML & Web Services - How to Win More Business" available for further information.

 

Much like going to the gym, not many people wake up in the morning and say that they want to start an encryption project.  It can take a little knowledge and some hard work to be done correctly.  But the results of both provide benefits far beyond their initial investment.

First, like a proper workout, there are two parts.  There is the encryption process and the often after-thought of key management.  You need both for a successful and compliant data privacy solution.  This is much the same as hitting the gym.  You need to do your weights as well as run on the treadmill for a comprehensive workout.  Just because you are encrypting, doesn’t mean that you are doing it correctly, or will pass any sort of audit for that matter.

Next comes the personal trainer, or in the case of data privacy, regulatory compliance regulations (PCI DSS, HIPAA/HITECH, FFIEC, etc). Privacy regulations show you proper form.  They spell out exactly what you need to be doing to meet compliance regulations.  Check out the concepts in PCI DSS Section 3 for encryption and key management requirements.  Not only are privacy regulations helpful for providing best practices, but also in most cases apply directly to your business (PCI DSS, state privacy laws, etc.). 

Sometimes difficult to meet, compliance regulations are a good thing.  They are what protect your and my personal information.  One good way to ensure you are going down the right path is to use NIST-certified AES encryption and FIPS 140-certified encryption key management.  These certifications assure that the solution is proven and validated by a third-party.  It is a very expensive and time intensive process, but ultimately assures the encryption and key management solutions can meet the most stringent privacy regulations.  Only the very best encryption and key management offerings can do this.

Why make your workout harder than it needs to be?  Start your workout right from the beginning and you won’t be throwing your back out later (did you know an average data loss costs a company over $200 per record?).  Believe it or not, there are still some “encryption” solutions that aren’t NIST-certified.  Some companies say “we meet the standards of NIST and FIPS regulations”, but have nothing to prove it.  If you dig a little deeper you’ll see NIST has no record of them.  It’s kind of like trusting an infomercial that says all you need to do is use their contraption for three minutes a day and you’ll look like a body-builder.  I’d rather spend my time and efforts sticking to a proven method for getting in shape.

For more information on encryption and key management, download our white paper titled “AES Encryption and Related Concepts.”

 

With the growing demand for regulatory compliance and concern for data privacy, organizations are taking advantage of encryption as a way to provide a "defense in depth" solution.  This approach is often impractical using only database encryption management tools alone.  Townsend Security has addressed this with their Alliance Key Manager Hardware Security Module (HSM).  Alliance Key Manager is a FIPS 140-2 certified solution that stores encryption keys on a hardware appliance.  This is a more secure approach and better meets compliance requirements because encryption keys do not reside with the encrypted data.

So what does an organization need to look for when selecting an encryption key management HSM?

1) Cost Effective
Cost should not be a barrier to compliance.  Townsend Security's encryption key management HSM is an affordable solution that can scale from small and medium sized organizations to the largest Enterprise.

2) Meet Compliance Requirements
Compliance regulations require encryption keys to be stored separately from the encrypted data to meet Separation of Duties and Dual Control best practices.  It is important to enforce separation of duties if you are trying to meet PCI-DSS.  This means preventing administrators from having access to both the encrypted data and the encryption keys.

3) Invest in a FIPS 140-Certified Solution
This gives you assurance that your encryption key management solution is certified to the highest standard for regulatory compliance.

4) Easy Integration
It is important that your encryption key management solution connects effortlessly to your applications and databases.

5) Automated Key Management Process
Your organization can save time and money when addressing compliance requirements by choosing an encryption key management HSM that automates all of your essential key management tasks - including rotation, retrieval, and generation - from one server or man, in a central location.

Want to learn more?  You can view a pre-recorded webinar titled "Encryption Key Management Simplified" and learn how encryption key management can be easy, why encryption key management is important, and what the barriers are to good encryption key management.

 

Last week we hosted a well-attended webinar titled "Encryption Key Management Simplified - Removing Complexity and Cost."  The focus was on meeting compliance regulations for managing encryption keys and that it doesn't need to be complex or costly - as long as you are using the correct tools.  Patrick Townsend, founder and CTO, received a lot of great questions during the webinar and wanted to share a few of them in our blog.  If you missed the webinar and would like to view it now, click here.

My PCI auditor told me that I need to separate my encryption keys from sensitive data.  Will a key management solution help with this?

Yes.  Absolutely.  That is typically what auditors expect you to do - to use a key management solution to separate the keys from the data that they protect.  So, within the PCI DSS world, for example, there are the concepts of dual control and separation of duties.  You accomplish separation of duties through procedural controls after you deploy a key management server.  You will find references in the navigation guide for PCI DSS around proper encryption key management.  There is a clear recommendation in Section 3 of the PCI DSS that people use professional encryption key management solutions and Alliance Key Manager is exactly that kind of solution.  By the way, it is just impossible on any platform to achieve best practices for key management by having the encryption keys on the same platform as the protected data - whether it is an IBM AS/400 where you have a security officer who has all control, or Windows with an Administrator Account that has high authority, or Linux and UNIX where you have root authority users.  It's just not possible to practically achieve they type of separation of duties and dual control that you need.  In almost all cases, Compliance Auditors are really looking to find proper key management and systems in place like Alliance Key Manager to meet that requirement.

On the IBM i, IBM has implemented a key store.  Why wouldn't I just use the IBM key store?

Well, the IBM i key store is, as it's name implies, is not an encryption key management system at all.  It's a place to store encryption keys.  I think like any platform where you have one or more very highly authorized users you have the problem of achieving dual control and separation of duties.  I'm not picking on the IBM i platform here, I think that platform has generally speaking good security, but you cannot achieve dual control or separation of duties on that platform.  Not only does the security administrator have all authority to any database and the key store, but also any user with All Object Authority has the same level of security.  In a typical IBM AS/400 shop, there are a lot of people who have that authority.  So the key store on the IBM i platform just won't give you the ability to achieve these compliance requirements for separation of duties and dual control.  You really need to deploy a solution that is specifically designed to manage keys through the entire life cycle.

How do you keep system administrators from getting at the data and the keys at the same time?

Through the use of an encryption key management system, you would have a security administrator responsible for creating encryption keys, and a different database administrator responsible for granting access and setting up tables and that person would have access to the data.  But if the data is encrypted properly, and you are using proper encryption key management techniques, that database administrator will not have encryption keys and the encryption key management administrator will not have data access.  This is the whole concept of separation of duties - that you have different people.  To achieve that kind of compliance or security architecture, it means you have to have technology and procedure controls around this deployment.  So you have to have some people who are responsible for the data who never see encryption keys and some people who are responsible for encryption keys who never see data - so there is a combination of technologies and procedures that are required.  If you don't have the right technology, then you can't prevent these two from interacting - so that is why encryption key management is such an important part of a data protection strategy.  You really need to be able to have that separation of duties to achieve that.

To view the webinar "Encryption Key Management Simplified - Removing Complexity and Cost" in it's entirety, click here and be sure to let us know if you have any further questions.

 

When encrypting data, the most widely accepted cryptographic standard is the Advanced Encryption Standard (AES).

AES is defined by the National Institute of Standards and Technology (NIST) in the FIPS-197 standards document. AES supports nine modes of encryption, each of them having been extensively tested and vetted for security, recovery, and durability. When compliance regulations make reference to “industry standard encryption”, they are referring to the encryption modes identified in the NIST documents on AES.

Other modes used in AES are not NIST certified and are not even certifiable. Some products offer only the CUSP mode of encryption, which is not NIST certified and not certifiable. CUSP mode encryption is only implemented on IBM i and IBM z platforms and is not interoperable with other encryption modes. The CUSP mode of encryption has not been proposed or adopted as a NIST standard, and has not been generally reviewed or accepted by the professional security community.

Modes of encryption are recommended by NIST after they have been extensively reviewed by the professional cryptographic community. This is an international group of cryptographers whose long experience and analytic work are important to the vetting of proposed modes of encryption. In some cases it takes years of work before a mode is approved by NIST; many mode submissions are never approved for use.

There are several potential problems related to the use of the CUSP mode of AES encryption.

The CUSP mode of encryption is not included in the NIST list of recommended modes, and has not been submitted to NIST for consideration. It is therefore not a part of the NIST standards, or of any other generally accepted body of standards, and has not been formally reviewed by the cryptographic community. Therefore, the use of CUSP mode would be outside the scope of most data security regulations.

Further, there is no NIST certification protocol for the CUSP mode of encryption. It is not possible to claim that an encryption product using CUSP has been certified by NIST, or that it is in anyway compliant with the NIST standard.

Organizations contemplating the CUSP mode of encryption should be aware that their data protection mechanism could fail to provide “safe harbor” from breach notification requirements, and may not limit their legal liability in the event of a data loss.

The solution?  Most software vendors choose to certify just one or two modes of encryption, and on one key size. The Townsend Security Alliance AES Encryption products are NIST-certified on the five commonly used modes for data encryption, and all three key sizes for all major Enterprise platforms (Windows, Linux, UNIX, IBM i, and IBM z).  Townend Security Alliance AES Encryption is certified, compatibile, and complete.

Download a free 30-day evaluation of our Alliance AES Encryption now.

System logging has become one of the most essential tasks of contemporary corporate IT.  Several IT standards and regulations, primarily in the interest of traceability (e.g.: PCI-DSS, SOX, etc.) now require it.

Like other IT projects, the implementation of up-to-date logging also requires careful planning.  For example: systems need to be monitored and the parameters related to security and archiving need to be defined.  Apart from the pure technical aspects it is also recommended to take into consideration several other factors that can not only make a log management system more cost-effective, but can also prevent organizations from having to face difficulties in the future.

With many years of system logging under our belt, we bring you the six fundamentals of system logging:

1) Invest in a Reliable Logging Solution

There are differences among logging solutions in respect of reliability.  The traditional and well-spread protocols were not developed for secure message transferring; therefore the devices applying them do not comply with the needs of organizations governed by different regulations.  If your organization is under any compliance regulations (PCI, SOX, HIPAA, etc.) it is highly recommended to ensure that your central logging infrastructure is reliable.

2) Make sure your logging solution has customized alarms and reports

Alarming and report-making modules are features of a good logging management system because they provide the tangible “end-products” of log management that have to support both the work of operators and the execution of the tasks of specialists responsible for security.  The exhaustiveness of the reports and the sensitivity of the alarms always have to be adjusted to the available quantity of the human resources processing them.

3) Define what to collect, what to analyze, and what to archive

Compliance regulations play an essential role in defining the exhaustiveness of system logging.  For example, section 10.3 of PCI DSS states that all events of all system components – at least data referring to the users identity, the type of event, the data and time of the event, and the origin of the event, name, successfulness or refusal have to be registered.  A huge amount of time and money can be saved if the irrelevant pieces of information can be successfully eliminated before analysis and archiving.

4) The infrastructure providing the time stamps and certificates is a critical point

When setting up a logging infrastructure due to critical business processes or meeting compliance regulations (e.g.: PCI-DSS), it is important to ensure privacy and confidentiality, and the high availability and security of the sub-system providing certificates and timestamps for strict sequence numbering.  Forging the time or the certificate means a fundamental attack against the logging infrastructures; therefore the corruption of these sub-systems questions the authenticity of the whole system itself.

5) Sensitive data needs to have regulated accessibility

All components of the logging system have to be handled as critical systems – including the log files themselves, which could entail such sensitive data as passwords and personal data.

6) Constantly be logging

In the case of each and every logged business process, consider carefully whether it is essential or not for them to be operating without logging as well.  The developers of syslog-ng have taken several steps in order to ensure uninterrupted logging.  The syslog-ng Premium Edition saves the messages on the local hard disk when the central logging server or network connection becomes inaccessible.

Summary

Logging is a must.  Download a free 30-day evaluation of syslog-ng Premium Edition now.

 

What is NIST?

The National Institute of Standards and Technology (NIST) is a US government agency that is a part of the Department of Commerce. The NIST sets non-military government standards for a wide variety of techn ologies including data encryption. Because the NIST uses an open and professional process to establish standards, the private sector usually adopts NIST standards for commercial use. The NIST is one of the most trusted sources for technology standards.

What is AES?

The Advanced Encryption Standard (AES) is the standard for data encryption adopted by the NIST in 2001. This encryption standard replaced the earlier Data Encryption Standard (DES). The DES encryption standard became weaker due to the advancing power of computer systems. The NIST began a process in the late 1990’s to find a replacement for DES. After a lengthy examination of several alternatives, the AES standard for encryption was adopted and codified as FIPS-197. AES encryption is now the de-facto standard for strong data encryption.

What is AES Validation Testing?

NIST sets the standard for AES encryption testing, and charters independent labs to administer and oversee the testing process. Through the National Voluntary Laboratory Accreditation Program (NVLAP) the NIST certifies independent testing labs for the Cryptographic Module Validation Program (CMVP). Data security software vendors administer the tests, validate the results, and submit the results to the NIST for acceptance. Software vendors work with an independent certification laboratory and not with the NIST directly.

The NIST established five methods, or modes, of encryption that can be used with AES. These are Electronic Code Book (ECB), Cipher Block Chaining (CBC), Counter (CTR), Output Feed Back (OFB), and Cipher Feed Back (CFB) modes. There are separate tests for each mode. A software vendor can choose to validate on only one mode, a subset of the five modes, or all modes of encryption. In addition, the NIST defines three key sizes for encryption: 128-bit, 192-bit, and 256-bit keys. A software vendor can choose from one to three key sizes to certify.

Most software vendors choose to certify just one or two modes of encryption, and on one key size. The Alliance AES Encryption products are certified on ALL five modes of encryption, and all three key sizes.

Certification Means Strong Encryption

NIST certification is your assurance that a vendor’s AES encryption solution implements data encryption the right way. There are many ways to use encryption and a wide variety of modes of encryption. Improperly implemented solutions may work for one type of task, but fail under different application requirements. All software vendors claim they implement strong encryption. Can they prove it? Ask them for their NIST certification.

Certification Means Compatibility

One of the biggest challenges facing Enterprise customers is encrypting and decrypting data on a variety of platforms. Data may be encrypted in an Oracle database, then transferred to Microsoft SQL Server, then to an IBM i (AS/400) platform. Computer vendors use different methods of encryption, and different modes of encryption. How can you be sure that your encryption solution will be able to handle all of your requirements?

The NIST certification provides the assurance you need that your software is up to the task. Certified software must work the same way for all of the NIST defined encryption tasks.

The Alliance AES solutions provide even more assurance of compatibility – Alliance AES solutions are certified on all key sizes and all modes of encryption. No other data security vendor provides this level of certified support.

Alliance AES Encryption on Every Enterprise Platform

The modern Enterprise uses a wide variety of server platforms from a number of different vendors. In addition, data is exchanged with customers, vendors, and service provides outside the organization. To meet these challenges the Alliance AES Encryption products are certified and available on all Enterprise platforms including:

•  Microsoft Windows (2000/XP/2003)
•  Linux (SUSE and Red Hat, on Intel and POWER)
•  UNIX (AIX, Solaris)
•  IBM i (AS/400, iSeries)
•  IBM z (mainframe)

All of the certified Alliance AES encryption solutions work the same way on every platform.

Townsend Security is currently offering a free 30-day evaluation of the Alliance AES encryption solution for your platform.

As companies work to meet regulatory requirements to protect Personally Identifiable Information (PII), one option to minimize the risk of loss is to replace sensitive data with a non-sensitive replacement value, or “token.” 

Tokenization is the process of replacing sensitive information, such as a credit card or social security number, with a non-sensitive replacement value. The original value may be stored locally in a protected data warehouse, stored at a remote service provider, or not stored at all.  The goal of tokenization is to reduce or eliminate the risk of loss of sensitive data, and to avoid the expensive process of notification, loss re-imbursement, and legal action.

There are three primary approaches to tokenization:
    •  Tokens are recoverable and stored by external
       service providers
    •  Tokens are recoverable and stored locally
    •  Tokens are not recoverable

The first method of tokenization uses external storage of recoverable tokens and is implemented by a small number of credit card authorization networks.

The second approach to tokenization involves the creation and storage of the token on local IT servers. The token is protected by encryption and can be recovered by decryption when it is needed.

The third type of tokenization involves the creation of a token on local IT servers, but does not allow for the recovery of the original value.

If you do not need to store sensitive data in your database systems, tokenization can greatly reduce your risk of data loss. The original sensitive data can still be used to query a database or locate information in a business application. But by not storing the sensitive data, you will not be at risk of losing it.

It is important to note that if you use recoverable tokens you will still have the risk of data loss and will not be protected from any liability for a loss. You will also still be subject to all of the regulations  for protecting sensitive information.

Tokenization can be a powerful way to minimize risk in your development, QA, and UAT environments. When moving data to these environments you should always eliminate sensitive data to prevent its loss. Tokenization is an excellent way to do this.

Lastly, if you are a payment systems vendor you may wish to provide tokenization as a value added service to your merchant customers. Not only will you be helping them minimize their exposure to data loss, this can also be marketed as a competitive advantage for your business.

If you would like to learn more about tokenization, we recently presented a webinar titled "Tokenization & Compliance: 5 Ways to Reduce Costs and Increase Security."