Thu, Jun
3 New Articles

nuBridges: Tokenization Offers More than Technical Benefits

Compliance / Privacy
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

The company that offered the first tokenization-in-a-box solution pushes for industry standards for an emerging technology.


Security is becoming more complicated with the increased oversight of industry and government, and with this complexity companies are seeing significant additional costs—tens, or even hundreds of thousands of dollars in auditing costs alone, not to mention new security system solutions and the personnel to set up and maintain them.


While the IT industry is becoming sophisticated about encryption and key management, many smaller companies are wary of jumping into encryption because of the additional effort and risks involved. If you don't guard your keys, it's as if you never encrypted your data; if you lose your keys, you have essentially erased your data. IT administrators have to wonder when they dive into this area, am I being paid enough to assume this added responsibility?


Nevertheless, for companies that accept credit cards, the Payment Card Industry Data Security Standard (PCI DSS) requires that if you store credit card numbers, you must encrypt them. The rule is quite explicit. However, following such rules isn't always as easy as it sounds. Encrypting credit card or social security numbers can take up more space in a database, and encrypted information may now not fit the original field size.


Humans being what they are, people have sometimes tried to cut corners or have simply overlooked gaps in their security. Enter the auditors, whose job it is to certify that companies handling personal information are doing it in a manner that is responsible and secure. Of course, auditors don't work for free; they don't even work cheap. Auditors cost a lot of money, honey, and the longer they hang around your shop, the more they're going to bill. If yours is a distributed organization, and you've got credit card information stashed all over the place, the auditor is going to want to check every system where that data is stored. Cha-ching! That means more money for every whistle stop along the tracks.


How the heck can we reduce the costs of these pricey audits? One answer is by using tokens. The reason is that, when you substitute tokens for, say, credit card numbers on individual systems, you have reduced the number of places where you are actually storing secure data. The credit card numbers are stored in a single vault. The many servers out there in the hinterland are storing meaningless tokens. Servers storing only tokens are not storing secure data because tokens have no value. If a server is not storing secure data, it is no longer within the scope of the auditor! Now your audit is going to take less time, and therefore it's going to cost less to complete. Suddenly, the value of tokenization in an encryption scenario takes on monetary significance, particularly for larger, distributed organizations.


"The biggest benefit in tokenization is reducing exposure to that yearly audit," says John Pescatore, vice president and distinguished analyst at Gartner. "If you think of a scenario where a company stores the credit card number in four different servers, or four different applications, the first thing the Payment Card Industry standards say is, if you're going to store card data, you have to encrypt it. Anywhere you do store that card data is subject to the yearly audit and has to meet the 240-odd requirements of the DSS [Data Security Standard]."


Pescatore says that tokenization is not necessarily a complete solution to the challenges of encryption, but it has great appeal in certain situations. The tokens can match the original data size in the database, and tokenization can reduce the scope of audits, important particularly where audits are proving costly.


"If you tokenize, you're now storing the security data in one place, and [in] those other four places, there is just this token value; the servers storing the tokens are not within the scope of the audit," he says. This has resulted in savings of hundreds of thousands of dollars to early adopters, according to nuBridges, one of the first proponents of commercialized tokenization solutions.


nuBridges was not the first to use tokens in lieu of encrypted data, but, says Gary Palgon, vice president of product management at nuBridges, "We were the first ones a year ago to introduce the only commercial, off-the-shelf solution for an enterprise." Since then, several other companies have come up with boxed solutions, and the industry is emerging along different lines. Not only are vendors introducing tokenization solutions, but companies are attempting to build their own token solutions in-house. With an increasing number of artists, the canvas is starting to get a bit muddy in the minds of some.


Notes Pescatore, a set of standards says how to test encryption and how to do it right. Tokenization does not have such standards yet. There is nothing against which to compare it in order to ensure it's done correctly, he says. The lack of standards is becoming the source of questions from companies that might otherwise benefit from tokenization, and the absence of standards may be actually creating security issues where implementation is not being done well, according to Palgon.


"In one example that we see all the time," says Palgon, "the way they generate tokens is that they add one [digit]. So the first one is 1, the second one is 2, and the next one is 3. That's OK except in the case…of the healthcare industry…they're actually creating credit cards one after the other, generating the numbers for your health services account…. If they're sequential, then you could probably figure out what the pattern is for the token, and therefore, if you get one match from a token to a credit card, you could figure out what all of the following credit cards are."


The solution to these types of issues and to the myriad questions companies have about the utility and security of tokens is to devise industry standards around tokenization. Palgon believes that there is a need to create tokenization standards similar to the industry standards that exist for encryption, which most people now accept at face value. The problem is there are no standards as of yet and no formal organization working on them. Meanwhile, independent companies are starting to devise their own unique ways of implementing tokens, some of them better than others. Even if all solutions were secure, a variety of proprietary standards makes the move to tokenization unwelcome to larger companies that may not want to get locked in to a single vendor's way of doing things for fear they might want to switch vendors down the road.


To address the lack of standards in the tokenization arena, nuBridges is proposing a Tokenization Standards Organization and is actively contacting all the vendors in the field to encourage them to consider coming together to develop a set of universally acceptable specifications on tokenization. At the recent RSA Conference 2010 in San Francisco last March, nuBridges announced it would support an industry-wide tokenization data security model. So far, response has been good, says Palgon, and the company is devoting a significant amount of effort to bring vendors together that heretofore have perceived each other as competitors.


The company also has introduced a tokenization partnership program in which third parties—such as point-of-sale vendors and loss prevention managers—sign up to have nuBridges educate them and help them upgrade any existing applications they may be running currently. "We're doing education to third parties and giving them a sandbox where they can create tokens and test their application," says Palgon.


While tokenization is not the answer to all encryption issues—you can't tokenize a scanned document with credit card information on it—it clearly is an emerging trend in the field of encryption and one that undoubtedly will mature in the coming year. Not only are there technical benefits, but the financial payback from reducing the scope of expensive audits makes it a path that IT will surely be following as time and resources permit.


For those who would like more information about tokenization or would like to participate in nuBridges Tokenization Standards Group, they can click here, call the company at 866.830.3600, or check out the You Tube video explaining what tokenization is.


Chris Smith

Chris Smith was the Senior News Editor at MC Press Online from 2007 to 2012 and was responsible for the news content on the company's Web site. Chris has been writing about the IBM midrange industry since 1992 when he signed on with Duke Communications as West Coast Editor of News 3X/400. With a bachelor's from the University of California at Berkeley, where he majored in English and minored in Journalism, and a master's in Journalism from the University of Colorado, Boulder, Chris later studied computer programming and AS/400 operations at Long Beach City College. An award-winning writer with two Maggie Awards, four business books, and a collection of poetry to his credit, Chris began his newspaper career as a reporter in northern California, later worked as night city editor for the Rocky Mountain News in Denver, and went on to edit a national cable television trade magazine. He was Communications Manager for McDonnell Douglas Corp. in Long Beach, Calif., before it merged with Boeing, and oversaw implementation of the company's first IBM desktop publishing system there. An editor for MC Press Online since 2007, Chris has authored some 300 articles on a broad range of topics surrounding the IBM midrange platform that have appeared in the company's eight industry-leading newsletters. He can be reached at This email address is being protected from spambots. You need JavaScript enabled to view it..



Support MC Press Online

$0.00 Raised:

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: