1. Field of the Invention
The present invention relates to the introduction, storage, and use of confidential information in corporate enterprise systems, and, more specifically but not exclusively, to the use of tokens as substitutes for confidential information in such systems.
2. Description of the Related Art
The payment-card industry (PCI), in response to the growing theft of payment-card data resulting from inadequate information technology security, has had an evolving set of security standards. Initially, the payment-application best-practices (PABP) guidelines promulgated by the industry required merchants to encrypt card numbers.
Limitations in the PABP guidelines resulted in the September, 2006 release of version 1.1 of the PCI Data-Security Standard (DSS) and the related PCI Security-Audit Procedures. These programs required more than mere encryption and mandated compliance in order to process payment-card transactions. Under these programs, merchants are required to document their compliance with the DSS, depending on their annual volumes. The largest merchants must undergo an on-site audit to verify merchant and processor compliance. Medium-sized and smaller merchants are permitted to complete a self-assessment, attesting that various security features and programs have been implemented.
According to the DSS standards, cardholder data is defined as any clear or encrypted primary account number (PAN). The DSS standards declare that any system that “processes, stores, or transmits” cardholder data, as well as any system on the same network segment (e.g., one of a plurality of subnetworks making up a corporate network), must comply with the requirements of the DSS standards.
Additionally, certain personally-identifiable information (PII) may also give rise to regulatory scrutiny, e.g., by federal law or the laws of individual states in the United States. The term PII refers to information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. For example, in a 2007 memorandum from the Executive Office of the President, Office of Management and Budget (OMB), the U.S. Government defined PII information as: “Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.”
Similarly, in the European Union, Article 2a of EU directive 95/46/EC defines “personal data” as meaning “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
Likewise, “personal information” is defined in a section of the California data breach notification law, SB1386, as meaning “an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) social security number; (2) driver's license number or California Identification Card number; (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.”
Compliance with DSS standards and other regulatory requirements of various jurisdictions typically requires that all computer systems involved in the processing of unencrypted sensitive data, such as PCI and PII data, and possibly including an entire corporate data center, be compliant with such standards and requirements. The cost of compliance, as well as the cost of verifying compliance, can be substantial, both operationally and financially.