Visa's PCI-DSS gives very specific guidelines about how card data is to be handled if it is to be stored in an “at-rest” state. PCI-DSS compliance in an enterprise computing landscape can be difficult due to the requirements around encryption. The XiSecure product was created to address these difficulties, and it does so by creating a centralized location where data can be stored in a way that complies with PCI-DSS. XiSecure also potentially removes PCI-DSS requirements from some systems since sensitive data is replaced with a token that can be passed between the various enterprise systems.
Newer integration methodologies such as the “Enterprise Service Bus” (ESB) pose a new challenge to meeting the PCI-DSS requirements on systems. With an ESB, messages are exchanged between services by using a database to persist messages on the “bus”. This generally means that messages incoming from external sources, such as a web-based e-commerce system, are persisted directly to disk upon entering the service bus. This persisted data often contains sensitive information such as credit card numbers, and sensitive data such as card numbers should never be persisted to disk unless it is first encrypted according to the PCI-DSS.
The merits of interpreting this “no persistence unless encrypted” rule literally can be debated. While it does seem obvious that persisting unencrypted data to the database should be avoided, the ESB uses the database more as an inter-process communication conduit than as a place to store and retrieve organized data. Certainly, if the rule were interpreted literally, modern operating systems that implement virtual memory (where a running program's memory can be written to disk by the operating system without the program's knowledge) could not comply with the PCI-DSS. Regardless of the lack of technical specifics that is typical of the PCI-DSS, the interpretation tends to be strict where the ESB is involved, because data is written into a database.
Therefore, there is a need for a Secure Web Encryption Accelerator (XWEA) that is designed with this strict interpretation of the storage of sensitive data in the database in mind.