FRAMINGHAM, 14 FEBRUARY 2011 - Florian Yanez, manager of technical systems for Helzberg Diamonds, is among those attending RSA Conference 2011. CSO recently caught up with him for a discussion on his company's efforts to adopt tokens as a way to address PCI DSS' rules on stored customer data.
CSO: Let's start with a general picture of your organization's main security priorities.
Yanez: Like everyone else, our biggest concern is protecting customer information and meeting the PCI DSS requirement -- particularly the parts about protecting stored data such as credit card and telephone numbers.
CSO: What are some of the basics in terms of the technology you've deployed to address that?
Yanez: We have a security event management system in place to capture all the logs in our data center. We get alerts if anything strange shows up. We also have a vulnerability management system in the works so we can scan for all the security patches we need on a regular basis. We want to be as up to date on patching as possible.
CSO: You've also been in the process of implementing tokenization. What led to that focus?
Yanez: For a little over a year we've been taking this route because tokenizing our data turned out to be the best way to address the concerns of PCI. We were originally looking for an encryption tool. We went with nuBridges as a vendor because they have an adapter tool for key management between us and our point-of-sale (POS) vendor.
Several years ago our POS vendor started adding encryption to their system. They built a key management utility with all the encryption and decryption functionality. But we realized encryption was also needed in all the back-end systems as well. To make it easier, we thought it best to use the same key for the POS vendor and back-end systems. Our POS vendor was already using nuBridges, so it made sense for us.
CSO: How far along are you in the project?
Yanez: We are not fully implemented yet. We're almost there. But when we're done we'll be in a much better position in terms of PCI. This will make the PCI scope much more manageable.
CSO: How so?
Yanez: We'll have less than 10 systems that we'll have to worry about under PCI DSS at the corporate office, which is a huge reduction. Before we started tokenization, we had to worry about 400 systems in the corporate office.
CSO: What have your implementation challenges been thus far?