Innovators 2010

A New Breach Shield

FIRM: Voltage Security

PRESIDENT & CEO: Sathvik Krishnamurthy

PRODUCT: End-to-end encryption

SAVE THE FORMAT: Format preserving encryption


As the amount Heartland Payment Systems has had to pay out to banks and other stakeholders as a result of its infamous breach passes the $100 million mark, and organized bands of criminals appear unceasing in their large- and small-scale breaches of the payments networks, a new report from Mercator Advisory Group sets the average cost of a data breach at $6.65 million. As Steve Elefant, the CIO at Heartland Payment Systems Inc., says, "The bad guys never sleep."

To fight this data-feeding frenzy, Voltage Security Inc. developed identity-based and format-preserving technologies that provide end-to-end encryption capabilities by encrypting consumer card data from the moment the card is swiped until the data is handed off to the issuer.

"The increasing sophistication of these attacks is quite high," says Wasim Ahmad, vice president of marketing at Palo Alto-based Voltage, "so we want to protect card data from the moment it's acquired and encrypt it the whole way through."

To do this, Voltage uses what it calls format-preserving encryption (FPE) and identity-based encryption (IBE). FPE converts a 16-digit credit card number into another 16-digit number, thereby allowing it to fit smoothly into current database formats. IBE sets rules for who can open encrypted information. It uses a key-management approach to transmit cardholder data to the multiple parties involved in a transaction without repeated encryption and decryption.

This format "makes the programming vastly simplified," says George Peabody, the director of the emerging technologies advisory service at Mercator Advisory Group, and it "makes encryption easier to deploy across an organization" while impacting merchants and processing systems the least.
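The format-preserving conversion described above, as an added sketch that is not Voltage's algorithm or code from this article: a generic Feistel network over decimal digits, with HMAC-SHA256 as the round function. The function names, round count and key values are assumptions chosen for illustration.

```python
import hashlib
import hmac

# Illustrative only: not NIST FF1 and not a vetted construction.
ROUNDS = 10  # assumed, even round count for this sketch

def _prf(key: bytes, rnd: int, half: str, width: int) -> int:
    """Round function: HMAC-SHA256 over (round, width, half), reduced to `width` digits."""
    msg = f"{rnd}:{width}:{half}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % 10 ** width

def _split(digits: str):
    """Validate the input and return the widths of the left and right halves."""
    if not (digits.isascii() and digits.isdigit()) or len(digits) < 2:
        raise ValueError("input must be a string of at least two decimal digits")
    u = len(digits) // 2
    return u, len(digits) - u

def fpe_encrypt(key: bytes, digits: str) -> str:
    """Map an n-digit string to another n-digit string under `key`."""
    u, v = _split(digits)
    a, b = digits[:u], digits[u:]
    for rnd in range(ROUNDS):
        m = u if rnd % 2 == 0 else v          # width of the half being replaced
        c = (int(a) + _prf(key, rnd, b, m)) % 10 ** m
        a, b = b, str(c).zfill(m)             # zero-pad so the length never changes
    return a + b

def fpe_decrypt(key: bytes, digits: str) -> str:
    """Invert fpe_encrypt by running the rounds backwards."""
    u, v = _split(digits)
    a, b = digits[:u], digits[u:]
    for rnd in reversed(range(ROUNDS)):
        m = u if rnd % 2 == 0 else v
        prev_a = (int(b) - _prf(key, rnd, a, m)) % 10 ** m
        a, b = str(prev_a).zfill(m), a
    return a + b

if __name__ == "__main__":
    day1_key = b"constructed-demo-key-day-1"     # constructed sample keys
    day2_key = b"constructed-demo-key-day-2"
    pan = "4111111111111111"                     # widely used test card number, not real data
    token = fpe_encrypt(day1_key, pan)
    print(token, len(token), fpe_decrypt(day1_key, token) == pan)
    print(fpe_encrypt(day2_key, pan) != token)   # a rotated key yields a different value
```

Because the output is still a string of 16 decimal digits, it fits a column or message field sized for a card number without schema changes.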

Voltage's IBE lets customers change their encryption keys frequently without ringing up hefty charges for taking out devices and changing them manually or injecting a new key remotely. It hits the daily double for users by removing costs for changing the encryption key and limiting security exposure to smaller, single batches of data.

In the past, changing encryption key pairs could be an expensive process that required physically sending devices to a secure location or (even more costly) changing the keys by a remote process called remote key injection. The resetting expense and additional data management headaches led many users to keep the same encryption keys for months, which made them more vulnerable to attack and built up large batches of data that enticed theft attacks. Voltage's IBE technology removes that key-change cost barrier so the encryption keys can be changed easily and frequently. Doing this makes data batches as small as a single day's worth, thereby limiting exposure.

The Voltage encryption technology is "pretty revolutionary," says Heartland's Steve Elefant. Heartland, the fifth-largest payments processor in the US, handles more than 4.2 billion transactions a year and it counts on Voltage's innovative encryption schemes.

"IBE generates keys and pushes them up to hosts so we can change [the keys] daily which eliminates the need to have large, stored databases," Elefant explains. "Our architecture is based on layers of security - we're trying to get as close as we can to silver-bullet protection," Elefant says, and Voltage's offerings "are at the foundation of what we're building."