Yanez: Making the decision between tokenization and encryption was hard. At first encryption seemed like the best, most obvious approach. But the deeper we dug into it, the more we decided we needed to go the other way. Encrypted data is PCI data and is therefore under the PCI scope. Tokens are not PCI data, so all systems we put tokens on are not in scope. It made network segmentation a lot easier.
CSO: Any configuration problems?
Yanez: Yes. We are primarily a Windows shop, so when we developed in-house software to support this, it wasn't a perfect match with the nuBridge software. But we've been able to work through it.