PCI-compliant POS: Retail chain nears PCI compliance in the UK

While many UK companies are still struggling to become PCI compliant, one retail chain has found success with tokenisation and PCI-compliant POS terminals.

Fashion retailer Debenhams has recently completed a project to protect credit card information that has brought it close to full compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Using a combination of encryption and tokenisation, the retailer has cut the number of systems that handle card data and taken the rest out of scope for compliance purposes, which has greatly simplified the process of becoming compliant.

A further benefit is that no existing applications have had to be changed, and operation of the company's giant data warehouse has not been disrupted at any stage.

Debenhams is a familiar name on the high street, with 159 stores across the UK and Ireland, plus an online store and a telephone call centre. As a well established company, it has a range of legacy systems and a large data warehouse holding millions of records, many of which contain card information.

For Aqil Nasser, Debenhams' technical architecture controller, bringing all those systems into compliance could have been a monumental task. "Our aim was to reduce the amount of time we keep the credit card information in the first place and mask as much of the information as possible," Nasser said. "If we'd not been able to do tokenisation, we'd have had to encrypt, which would have placed an additional cost on our infrastructure, as this would have entailed an increase in the size of our [database] columns and tables to accommodate encryption as well. Tokenisation has been a very smart, simple and cost-effective solution."

At the heart of the system is the nuBridges Protect product from nuBridges Inc., chosen partly because it was one of the few products that would run natively on Debenhams' IBM AS/400 system [now known as iSeries or System i], which handles its payments. It provides a combination of file encryption, tokenisation and key management for the handling of card data once it reaches the Debenhams data centre.

The company chose not to extend tokenisation to the stores because that would have required a round trip to the data centre for every credit card transaction at the till point. Instead, when a customer presents his or her credit card in a Debenhams store, the card data is encrypted immediately by the till program on the point-of-sale (POS) device. The encrypted data is stored on the PCI-compliant POS server in the store, and then transmitted, still encrypted, to the data centre. The process falls short of true end-to-end encryption, because the card data is decrypted and re-encrypted by the nuBridges software at the data centre rather than remaining under one key from the till all the way to the point of tokenisation.

From there the nuBridges software substitutes a token for the credit card number, normally keeping the first six digits of the card (the issuer identifier, or BIN) and replacing the remaining digits with a unique identifier. From that point the value flows through the rest of the systems as a token; because it is the same length as a card number, no application needs to change. The mapping between token and card number exists only inside the tokenisation system, which is why that system, unlike the applications that merely carry tokens, stays within the compliance boundary.

Nasser explains: "At the end of each trading day, we produce our sales extract file with the card data already encrypted. We then send that file to the data centre, where the nuBridges libraries can read the encrypted file. As we read it, we tokenise the card data." Once the card data is tokenised, then it can be stored with transaction information in the company's huge data warehouse.
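The following is an added illustration of the vault-style, length- and BIN-preserving tokenisation described in the two paragraphs above; it is example code written for this page, not the nuBridges product or anything Debenhams runs. The sample sales extract, the field layout (store|till|amount|PAN), the test card numbers and the `TokenVault` API are all constructed here. Two design choices are assumptions rather than facts from the article: each card number always maps to the same token, so warehouse records for one card still link up, and every token is built to fail the Luhn check, so it can never collide with a real card number.

```python
"""Vault-style PAN tokenisation that keeps the first six digits (BIN) and the length.

Illustrative code only (not nuBridges Protect). Tokens are random digits drawn with the
`secrets` module; the PAN-to-token mapping lives solely in the vault. Assumed design
choices: one token per PAN, and tokens always fail Luhn so they are never valid PANs.
"""
import secrets
from typing import Dict, List


def luhn_valid(number: str) -> bool:
    """Luhn (mod 10) check used by real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Holds the only copy of the PAN<->token mapping; everything downstream sees tokens."""

    BIN_LEN = 6

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("not a PAN")
        existing = self._pan_to_token.get(pan)
        if existing is not None:        # same card -> same token (assumed design choice)
            return existing
        bin6 = pan[: self.BIN_LEN]
        tail_len = len(pan) - self.BIN_LEN
        while True:
            tail = "".join(str(secrets.randbelow(10)) for _ in range(tail_len))
            token = bin6 + tail
            # Reject a candidate that is already issued, unchanged, or Luhn-valid
            # (a Luhn-valid token could be somebody's real card number).
            if token in self._token_to_pan or token == pan or luhn_valid(token):
                continue
            break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        """Only the vault, which stays in PCI scope, can recover the PAN."""
        return self._token_to_pan[token]


def tokenise_extract(vault: TokenVault, lines: List[str], pan_field: int,
                     sep: str = "|") -> List[str]:
    """Replace the PAN column of a delimited sales extract in place.

    Field count, field widths and line length are unchanged, which is what lets
    downstream applications consume the file without modification.
    """
    out = []
    for line in lines:
        fields = line.split(sep)
        fields[pan_field] = vault.tokenise(fields[pan_field])
        out.append(sep.join(fields))
    return out


# Constructed sample extract (store|till|amount|PAN). PANs are well-known test numbers.
SAMPLE_EXTRACT = [
    "0159|03|45.99|4111111111111111",
    "0159|03|12.50|5555555555554444",
    "0023|01|99.00|4111111111111111",   # same card as the first line -> same token
]

if __name__ == "__main__":
    vault = TokenVault()
    for row in tokenise_extract(vault, SAMPLE_EXTRACT, pan_field=3):
        print(row)
    print(mask_pan("4111111111111111"))
```

In the real deployment the extract arrives already encrypted by the tills and is decrypted by the tokenisation libraries before this substitution happens; that decryption step is omitted here, and a production vault would of course persist the mapping in protected storage rather than in memory.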

The warehouse, which had existed before the PCI DSS programme, also had to be tackled as part of the exercise.

Only by replacing all the credit card information held in the data warehouse with tokens could the company take the warehouse out of scope for compliance. And that had to be done without disrupting the everyday operation of the business.

"We went through several weeks of tokenisation without taking the data warehouse offline at any point," said Nasser. "We have 100 million records tokenised now, which was quite a huge process."

All that remains now for the company to do, he says, is to overhaul a few legacy applications that run on old operating systems that can no longer be patched.

"We're looking to be compliant next year, and are very happy with the progress we've made so far," he says. If Debenhams does achieve PCI compliance in the UK, it will become one of the few high street retailers to have managed it so far.
