Wednesday, March 27, 2013
What are you compensating for?
In the age of electronic payments, chances are you have received a letter like this:
OPEN LETTER TO OUR CUSTOMERS
June 1, 2009
Dear valued customer:
Our company values your business and respects the privacy of your information, which is why we wish to inform you that between November 2008 and May 2009, the computer systems of our business in the U.S. and Canada were accessed without authorization. This unauthorized access was in violation of both civil and criminal laws. Our company has been coordinating with federal law enforcement to assist in the investigation of this incident. While the number of potentially affected outlets involved in this incident is limited, the data accessed may have included personal information such as the name printed on a customer’s credit card or debit card, a credit or debit card number, and/or a card expiration date.
We recommend that you review your account statements and credit reports closely. To the extent that there is any suspected unauthorized card activity, it should be reported to the bank that issued your credit card, as well as to proper law enforcement authorities, your state attorney general’s office, or the Federal Trade Commission. Please also visit our website at www.company.com for instructions on how to receive free credit monitoring for one year.
Our company values customer privacy and deeply regrets that this incident occurred. Working with law enforcement and forensic investigators, Company is conducting a thorough review of the potentially affected computer systems and has implemented additional security measures designed to prevent a recurrence of such an attack and to protect the privacy of Company’s valued customers. The company also is working closely with major credit card suppliers and law enforcement to ensure that the incident is properly addressed.
For further assistance regarding this incident, please visit Company at www.company.com or call (800) 555-8001 between 7 a.m. and 11 p.m. CST daily. Company is focused on delivering customer satisfaction and value for our customers and is committed to doing everything we can to resolve this issue expediently and thoroughly to reinforce your confidence.
Sincerely,
Jane Doe
Executive Vice President & Chief Operating Officer
Company
After reading this letter, you might feel a wave of panic, wonder whether you should check online for suspicious transactions or have your card reissued, wonder whether you should trust the company, or ask why your credit card data is so easily accessible.
These are all logical questions, and even with strict security standards in place, consumers are still often left with less than assuring answers. It’s time to address the problem.
There’s a new (well, not really new) sheriff in town
The Payment Card Industry Security Standards Council (PCI SSC) was formed by Visa, MasterCard, AmEx, Discover and JCB. These companies aligned their individual policies and released the Payment Card Industry Data Security Standard (PCI DSS) in December 2004. Although many companies view the PCI SSC as a heavy-handed bureaucracy and a means for the card associations to boost profits with fines and penalties, the result has been that companies have made information security a strategic part of their business.
One thing is clear about PCI DSS: There will never be a final version of the standard. The need will always exist to adapt to evolving technology; payment channels; and the primary reason PCI exists in the first place, criminals.
At its core, the PCI DSS deals with data security and encryption. The requirement specifically written for stored cardholder information is Requirement 3.4, which states that businesses shall render primary account number (PAN) unreadable anywhere it is stored using any of several approaches, including one-way hashes based on strong cryptography, truncation, index tokens and securely stored pads, and strong cryptography with associated key-management processes and procedures.
When the initial PCI DSS requirements were published, they primarily provided a framework, and most applications were unable to implement data-at-rest encryption technology without major design and development efforts. Not only was there limited availability of commercial off-the-shelf software, but the only available technology was expensive to implement. Most businesses addressed the problem of data at rest with compensating controls. According to the PCI Council, “Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other, or compensating, controls.” For Requirement 3.4, compensating controls are focused on limiting access to the data. This could be in the form of strong access controls, network-layer separations and application-level security, to name a few. However, the design and verification process for these controls can prove to be extremely costly and is certainly not without its challenges.
Moreover, are compensating controls sufficient?
Fear and loathing
Although many publicized intrusions and thefts have occurred in the past few years, they are by no means a new phenomenon in the payments marketplace. One well-publicized debit card theft occurred long before PCI DSS existed, in 1989 (http://massis.lcs.mit.edu/archives/security-fraud/atm-bank.fraud). A well-respected payments application provider placed a consultant onsite at a large financial institution for a long-term contract. While onsite, the consultant obtained the security credentials needed to copy all of the PIN verification information, as well as the card database. The consultant also obtained a card-encoding machine, which he used to create ATM cards.
The plan was for the consultant to create counterfeit debit cards and, along with a few accomplices, make cash withdrawals at various ATMs around the southwestern United States. The plan was thwarted when one of the accomplices tried to recruit a friend to join the group, and that friend notified authorities, who estimated that the theft could have resulted in up to $14 million of losses. That would have been quite a few $20 bills to haul and launder!
This particular crime was considered high tech for the time and illustrated that internal attacks are as threatening as external attacks. It also demonstrated that these crimes typically involve highly educated and clever individuals.
Just consider some of the recent highly publicized incidents (company names have been removed):
“A data breach at a payments processing firm has potentially compromised credit and debit card information from all of the major card brands,” CNNMoney, April 2, 2012
“Experts say Company either failed to encrypt or truncate credit card numbers or did not secure encryption keys,” Network World, March 29, 2007
“Hackers breach Payment Credit Card System,” USA Today, January 23, 2009
You get the picture, and it isn’t pretty. The fallout from these events can cause businesses to suffer by way of damage to brand and/or reputation; costs associated with investigation, remediation and victim notification; financial loss; fines and fees (noncompliance, reissuance, fraud loss); chargebacks for fraudulent transactions; disruption in operations; sensitive information disclosure; potential closure of the business; and potential legal liabilities beyond the association rules.
As consumers, we consider our credit/debit cards very personal items (or at least we should), and we expect our personal, card and account information to be protected from attacks.
What the Pundits Are Saying
“The overall cost of targeted attacks to organizations worldwide is $1.29 billion annually.” — Cisco, “2011 Global Threat Report”
“The costs associated with being PCI compliant are estimated at $1.7 million annually.” — Gartner, “Retail Security & Compliance Survey 2011”
What to do, what to do?
With all of the information available about information security and PCI DSS, one would think that every business that processes cardholder data is either planning to implement or already has implemented encryption strategies that protect PAN data not only to reduce the possibility of this data falling into the hands of the bad guys but also to reduce the scope and effort of the PCI compliance audit.
Many organizations now consider PCI DSS requirements a long-term business strategy rather than an annual checklist exercise. By analyzing, architecting and implementing new business processes, organizations can adapt quickly to changes to PCI requirements, as well as design new applications and platforms that conform to the policies that have been put in place. This allows even the largest organizations to roll out new products and services knowing that their storage of cardholder information complies with internal and external data security policies.
By analyzing the complete life cycle of a cardholder transaction, payment processors can pinpoint the applications that use PAN data and decide whether the processing requires clear data or can use an encrypted form. From this analysis, plans can be made to phase in protection across all the platforms that store PAN information. Some of the typical applications and platforms that store PAN data include transaction processing systems; settlement, chargeback and clearing systems; business intelligence systems; data warehouses or marts; call centers; card issuing systems; and archives.
Tokenization, Encryption or a little of both
Advances in computing processing power and encryption technology have given payments processors options on how to tackle the conundrum of protecting the PAN. The two most popular are tokenization and encryption.
Both technologies are accepted methods of protection by PCI SSC and the Qualified Security Assessors (QSAs) that administer the compliance of businesses processing payments.
Tokenization
Tokenization essentially replaces PAN data with nonsensitive data that can be used as a reference to the PAN. Tokens are designed to maintain the same format of the original data and may be used by some applications and viewed by users. The original PAN is typically required for transaction processing, particularly by the issuing bank, to authorize the transaction (PIN verification, dispute processing, call centers, etc.).
Implementing tokenization typically requires a dedicated token server (or vault) that maps the original PAN data to its associated token. (The original PAN data in the vault must also be encrypted.) This server must be designed to be highly available, as every application that participates in the token implementation may need to access the server. Some critics point to this single point of failure as one of the disadvantages of tokenization, whether the failure is in the hardware or software, or through a security breach where credentials are stolen and criminals could access the entire vault database.
Encryption
Encryption is becoming a popular choice for protecting PAN data. New encryption technologies allow the format of the data to remain while offering the ability to offset into the PAN to encrypt a certain number of digits versus encrypting the entire PAN. This type of encryption is referred to as Format Preserving Encryption (FPE), and, along with stateless key management, it eliminates the requirement for a database of encrypted PANs or data vault.
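The format-preserving approach described above, as an added example that is not XYPRO's or any vendor's code: a toy Feistel cipher over decimal digits, keyed with HMAC-SHA256, that encrypts only the middle digits of a PAN and reverses it with nothing but the key. It is not NIST FF1; the 6/4 clear-digit split, the 13-19 digit length check, the demo key and all function names are assumptions of the example.

```python
"""Toy format-preserving encryption of the middle digits of a PAN.

Illustrative only: a Feistel network over decimal strings with HMAC-SHA256 as
the round function. It is NOT NIST FF1/FF3-1 and has had no cryptographic review.
"""
import hashlib
import hmac

ROUNDS = 10          # even, so both halves end in their original positions
HEAD, TAIL = 6, 4    # assumption of this example: digits left in the clear


def _prf(key: bytes, tweak: bytes, rnd: int, half: str, modulus: int) -> int:
    """Keyed round function over the tweak, the round number and one half."""
    msg = tweak + b"|" + bytes([rnd]) + b"|" + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % modulus


def _feistel(key: bytes, tweak: bytes, digits: str, decrypt: bool = False) -> str:
    """Permute a decimal string of length >= 2 without changing its length."""
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    rounds = range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)
    for i in rounds:
        m = u if i % 2 == 0 else v          # width of the half being rewritten
        mod = 10 ** m
        if decrypt:
            c = (int(b) - _prf(key, tweak, i, a, mod)) % mod
            a, b = str(c).zfill(m), a
        else:
            c = (int(a) + _prf(key, tweak, i, b, mod)) % mod
            a, b = b, str(c).zfill(m)
    return a + b


def _split(pan: str):
    """Validate a PAN (ASCII digits, 13-19 long) and split head/middle/tail."""
    if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("PAN must be 13-19 ASCII digits")
    return pan[:HEAD], pan[HEAD:-TAIL], pan[-TAIL:]


def protect_pan(key: bytes, pan: str) -> str:
    """Encrypt the middle digits; the clear head and tail double as the tweak."""
    head, middle, tail = _split(pan)
    return head + _feistel(key, (head + tail).encode(), middle) + tail


def recover_pan(key: bytes, protected: str) -> str:
    """Inverse of protect_pan; needs only the key, no lookup table or vault."""
    head, middle, tail = _split(protected)
    return head + _feistel(key, (head + tail).encode(), middle, decrypt=True) + tail


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-use"  # real keys come from key management
    pan = "4111111111111111"                        # test card number, not a real account
    token = protect_pan(demo_key, pan)
    print(pan, "->", token, "->", recover_pan(demo_key, token))
```

Because the output is still a digit string of the same length, existing column definitions and record layouts keep working, and any node holding the key can reverse it without a shared database.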
Whether tokenization or encryption is deployed, a solution that has the ability to function cross-platform and across the enterprise will make the solution easier to design, implement and manage, particularly as encryption requirements expand. Deploying these technologies may require changes to the application to integrate encryption functionality into the core business processes. There are solutions by XYPRO and other ISVs that integrate with applications using NonStop SQL and Enscribe databases, in some cases without modifying the source code. If modifying the source code is not acceptable, then intercept libraries are available from XYPRO and other ISVs to assist in protecting application data for companies using applications such as BASE24.
One approach that I have not mentioned here is volume-level encryption (VLE). Some would argue that this is the easiest method to address protecting the data, but many claim that applying strong encryption to binaries and nonsensitive data isn’t worth the added overhead and management. Moreover, VLE generally protects only against the theft of a disk, as all applications and utilities will have access to the unencrypted data because the encrypt/decrypt processes are automatic at the volume level.
Res Ipsa Loquitur (the thing speaks for itself)
The Latin term “res ipsa loquitur” is typically used in legal speak (readers of Hunter S. Thompson certainly recognize it) and refers to a doctrine of law “that one is presumed to be negligent if he/she/it had exclusive control of whatever caused the injury even though there is no specific evidence of an act of negligence, and without negligence the accident would not have happened” (www.law.com). (Don’t you just love legal speak!) If any executive were accused of negligence in a major breach of cardholder data, he/she would have sworn that PCI standards were being followed and everything was protected.
I believe that in the near future compensating controls for protecting personal information will no longer be an accepted practice by the PCI SSC. Either driven by the card associations, consumer groups, banks or by the federal government (please not the Feds), I think we’ll soon see litigation that will require personal information to be secured via cryptography.
Although security and intrusion detection technology continue to evolve and improve, there are many highly skilled, tech-savvy people worldwide who have at their fingertips the hardware and software resources to keep pace with or one step ahead of commercially available security products.
Enterprise-wide encryption of cardholder information should no longer be an option but a mandate of every electronic payments business. The technology is available, and reputable partners are prepared to help businesses design and deploy enterprise data protection solutions.
Through the work of the PCI SSC, the guidelines and recommendations have been made clear and, for the most part, complied with. The fact that cardholder data at rest is still stored in the clear on many systems remains a gaping hole, but it can be addressed with commercial products available on the market. Whether it is tokenization or encryption or a combination of both, the time has come to embrace the technology. As consumers, we should demand it; as an IT person, it’s a challenging project; as a business, what are you compensating for?
James Knudsen
XYPRO Technology Corporation
www.xypro.com
Tuesday, February 19, 2013
The OSS Security You’ve Been Waiting For
XYGATE Object Security and the OSS Security Event Exit Process (SEEP)
With the upcoming February RVU of the NonStop OS (H06.26/J06.15), HP will introduce support for a Security Event Exit Process (SEEP) within the OSS subsystem. This is a capability that has been anticipated for quite some time, as it allows third-party solutions to participate in the authorization decision when file access requests are made. It works similarly to the Safeguard Authorization SEEP that XYPRO and others take advantage of to enhance and add to Guardian file security.
It is worth noting that the OSS SEEP does not use Safeguard. It is invoked via the OSS Name Server, and configured via SCF.
This article is intended to highlight some of the benefits of the new XYGATE XOS OSS Add-on module. Beginning March 2013, the XYGATE Object Security (XOS) product can be licensed to provide previously unavailable, flexible, exceptionally granular security for NonStop OSS users. This article was also triggered, in part, by recent discussions on LinkedIn about perceived security limitations on the HP NonStop server, so where appropriate, reference will be made to that discussion.
NonStop users have been taking advantage of the capabilities that XOS provides in Guardian for many years. In general XOS, through its advanced wildcarding and regular expression support, allows for a hugely increased amount of granularity and flexibility, when compared with standard Safeguard ACLs. One XOS user (a leading credit card company) was able to reduce their list of Safeguard ACLs from over one million to approximately 300 with XOS, based on this additional flexibility. Yes, one million to three hundred.
XOS is also simple to use, with a GUI interface assisting with the creation and maintenance of the simple user and object policy rules which govern your security implementation.
With the new OSS SEEP from HP, XOS now has a new OSS module to provide the same levels of usability, granularity and flexibility that have been available to secure the Guardian filesystem for some time. Although NonStop provides two Authorization SEEPs (one for Guardian and one for OSS), the same XOS configuration will rule on Guardian and OSS access requests, and is configured in the same way that users have come to rely on.
XOS with the OSS SEEP includes the following features:
- Every type of OSS operation against every OSS object can be restricted, allowed, and/or audited.
- OSS SEEP rulings are applied at the fileset level. Specific filesets can be included or excluded.
- Guardian and OSS object security can be maintained together in a single file.
- OSS rules can be applied by user function. When users and aliases are grouped by function, manipulation becomes a single operation. This can allow for a significant reduction in the number of ACLs.
- OSS rules can be written for specific users or custom user groups, including Safeguard ALIAS and network users.
- OSS objects do not have to exist for a rule to be set up, allowing for dynamic security rules that apply automatically when objects are created.
- OSS objects can be controlled by object name, requesting object, the user or group of users requesting the operation, and/or by OSS operation type. For example, you can restrict who can create or view certain OSS directories, even if they don't already exist.
- OSS operation restrictions or allowances can be set to warning mode for specific users, groups of users, or rules, allowing access to be granted while auditing what the ruling would have been.
- OSS operation restrictions or allowances can be tested in a "what if" mode to verify the outcome before putting a rule into production.
- OSS ruling processes (Security Event Exit Processes) can be distributed across available NonStop CPUs.
- Auditing is very granular. Access to objects can be audited for some users, but not for others.
These capabilities should go a long way to addressing the general concerns raised on LinkedIn recently that “OSS security isn’t as robust or as easy to maintain as Guardian” (to paraphrase).
Other issues raised include shortcomings of existing HP NonStop server audits – lack of IP addresses, difficulties in correlating events etc. These issues are addressed with a combination of XYGATE User Authentication (XUA), which logs IP addresses at logon, XYGATE Access Control (XAC), which captures keystroke audits showing what a user did at any given time, and XYGATE Merged Audit (XMA) which filters all audit data and optionally sends it to a Security Incident Event Manager (SIEM) product like HP ArcSight, for correlation.
XUA can also be used in an enterprise SSO solution, or with any LDAP server. This applies to 100% of HP NonStop logons or authentication requests.
XYPRO also provides an extensive range of security configuration services offerings for your entire HP NonStop server environment, to ensure optimum security and compliance.
If you would like any further information about how the XYGATE product suite can help simplify and strengthen your HP NonStop server Guardian and/or OSS security, please contact your local XYPRO representative https://www.xypro.com/xypro/contact or email me directly at andrew_p@xypro.com.
Andrew Price
Director, Product Management
Andrew_P@xypro.com
XYPRO Technology Corporation
Monday, February 4, 2013
XYPRO Wraps Up Another Fiscal Year With Record Growth!
XYPRO has achieved tremendous new business growth in Asia Pacific, Europe, and Latin America with its expanded presence in these regions, while continuing to maintain a steady growth within North America for an overall increase from both existing and new customers around the globe.
Despite many industry and economic challenges, XYPRO’s valued customers and partners have helped us keep the trend of year over year growth alive in 2012. The trust and support of our customers in choosing XYGATE and XYPRO partner solutions for the security and management of their mission critical information assets reinforces that XYPRO is meeting and exceeding business and customer relationship objectives.
Much of our success has come from the efforts of XYPRO’s highly skilled and dedicated sales and technical teams and also from the hard work of HP and our unique & valued partnership with them. Many thanks go to all the individual and team determination and creativity of those involved.
2013 is promising to be another challenging yet rewarding year for XYPRO and we will continue to lead the way with new and improved innovative solutions for all your mission critical security needs.
Barry Forbes
VP of Sales & Marketing
XYPRO Technology Corporation
www.xypro.com
Thursday, December 6, 2012
San Jose, CA: NonStop Technical Boot Camp – Oct 14 – 16 2012
XYPRO recently returned from the NonStop Technical Bootcamp, held at the Doubletree Hotel in San Jose, and it turned out to be a great event. There were almost 200 attendees, of which approximately 60% were customers, with the remainder being HP staff and vendor partners like ourselves. The San Jose location proved to be a major positive, with HP being willing and able to send a large number of technical resources to present, given we were “just down the road”.
As a result, the agenda was fairly well packed with strong technical content. XYPRO sent some of our own internal resources for training/general knowledge purposes, and all came away feeling like it was time well spent.
The customer attendees were there to learn, and it was a great opportunity for us to provide information. Our co-presentation with HP on XYGATE Merged Audit (XMA) explained how a large number of customers now have XMA as a result of its inclusion on the SUT, and how those customers can start to use it to help with compliance, integrate with HP Arcsight or other SIEM devices, and increase their system security in general.
The show opened with a bang, with a traditional Tandem “Beer Bust” in the Doubletree’s restaurant/bar, sponsored by XYPRO and Tributary Systems. Jimmy Treybig, the CEO and one of the founders of Tandem Computers, joined in and many took the opportunity for a photo. The following morning, Jimmy gave the keynote speech, which he terms a “love note” speech, given that it was mainly focused on the User community, and the value of groups like ITUG over the years. An excellent, inspiring presentation, most of which was recorded and can be viewed here… (http://www.connect-community.org/blogpost/550209/153083/Jimmy-Treybig-s-Love-Note).
The majority of the conference consisted of session tracks, focussed on various technical areas, and all were well attended. The breaks were an opportunity for networking, and for users to consult with the large group of vendors that showed their support for the event by exhibiting and sponsoring. An important point – the food was generally excellent, and received many positive comments!
At this stage it sounds like a similar event is in the pipeline for next year, at the same venue, so look out for that, and see you there! http://www.connect-community.org/?TBC2013
Monday, July 30, 2012
Strong Authentication. The Device Is The Key™
NetAuthority irrefutably identifies and authenticates connected devices.
In today’s world of mobility, cloud computing, virtual workforces, social networks, and online businesses, stronger authentication for identity and access management is more critical than ever. Security vulnerabilities are skyrocketing and malicious attacks are being unleashed in unprecedented numbers with increasing sophistication, resulting in massive information and economic losses.
Identity and Access Management has historically focused on the attributes of a person’s identity. User ID and passwords are still often the only form of authentication used by organizations. Traditional forms of multi-factor authentication are not designed to address the explosive growth in internet-connected devices and online activity and are unable to meet the needs of scalability, ease of use, affordability, and mass-deployment that the online-connected world requires.
Today’s organizations are faced with the following challenges:
• Knowing the devices that are connected to applications and networks without owning them
• Knowing that the devices accessing the network are actually in the hands of authorized users
• Implementing access authentication solutions that are secure, cost-effective, easy-to-use, and highly scalable
• Implementing access authentication solutions that provide flexibility and multi-dimensional security that complements existing systems and infrastructure
• Ensuring that regulatory compliance requirements and security best practices are addressed
NetAuthority’s Device Authentication Services addresses these issues and more through:
• Irrefutable identification of the device via its Dynamic Device Key and links the user with the identified device, for strong authentication security.
• Notifications and alerts providing organizations with immediate visibility to unauthorized users attempting to gain access, unauthorized devices, and more. Organizations are now empowered to quarantine or even blacklist devices for greater security.
• Flexible, mass-deployable, user transparent, and cost-effective strong authentication solution, unlike other “something I have” authentication methods.
• Secure service API to interface with existing user management systems, monitoring systems, and log management solutions to leverage prior investment
• SaaS-based service, so strong authentication can easily be implemented based on an organization’s assessment of risk and information assets.
• Satisfying regulatory and best practices requirements for strong authentication and compliance.
NetAuthority’s Device Authentication Service provides strong authentication security with unprecedented control and visibility to both the Who and What is accessing online applications, accounts and information.
To learn more about our Device Authentication Service for strong authentication and compliance, please contact us at netauthority@xypro.com
Barry Forbes
VP of Sales & Marketing
XYPRO Technology Corporation
www.xypro.com
Wednesday, June 13, 2012
HP Discover 2012 – Whatever’s happening in Vegas, it’s NonStop!
I’ve just returned from HP’s biggest user event for the year, Discover
2012. As we from the NonStop crowd have come to expect, this year’s
conference was large and impressive – similar to what we’ve seen in previous
years. I for one was pleasantly surprised with the conference layout this
year. There’s no getting around the fact that, as a conference hosting
towards 15,000 people, there’s going to be some significant distances (and
crowds!) involved, but this year it seemed easier to find what you were looking
for, with other things like registration and meals handled better than
previously. One standout improvement was the location of the NonStop
partners – we had our own signposted area, co-located with the HP NonStop
group, which meant much less traipsing back and forth to engage with our HP
colleagues.
In terms of content, we saw some excellent keynote sessions. Meg
Whitman took the stage on Tuesday morning to outline her three-pronged
corporate strategy, focussed on cloud, security and information optimisation
(or big data management). This in turn was layered over the 4 main areas
of offering that HP provides – infrastructure, software, services and
solutions. All good stuff. Meg went on to discuss a number of HP
customer case studies, which (by my count) were all NonStop customers, perhaps
bar one. State Bank of India, a massive NonStop user in the card payments
space, was one example, and as we all know, they’ve been happy NonStop users
for many years. It was great to see NonStop getting such prominence, even
if it was implied – and this fact was referred to by other HP NED/BCS execs
over the coming days. Meg then introduced Jeffrey Katzenberg, from
Dreamworks, who gave a very entertaining presentation, including live animals
(!), and a sneak peek of the upcoming Madagascar movie – some of the stats
around production of a Dreamworks animated presentation are quite
astounding. The 2 ½ minute Madagascar promo that we saw took an amazing
6TB of storage. Three seconds of animation can take a skilled animator a
week to complete. Each movie takes an average of 5 years to produce, and
3D is complicating things even further. Of course, HP provides the
infrastructure that underpins everything Dreamworks does, and this was
refreshing to hear from such a creative environment where hardware components
are often assumed to be of a different flavour.
Other notable sessions included the HP NonStop: The Platform for
Continuous Business, presented by Ric Lewis and Randy Myer, which for most of
us was our first chance to see Ric presenting on NonStop. He came across
as very aware of the value that NonStop brings to HP, and very understanding of
the considerable legacy that a lot of us bring to the NonStop environment.
Everyone at the show seemed extremely upbeat about the enthusiastic way Ric has
jumped into his role. If you want to hear more from Ric and Randy, I
would recommend this interview that they gave at the show: http://t.co/XGTj3Fq2
Closer to home, Karen Copeland, NonStop Security Product Manager,
presented a couple of times on NonStop security. It’s always great to see
what’s coming up in this critical area, and it’s even nicer when you see a few
of your products forming an important part of the HP product roadmap. As
usual, Karen did an excellent job.
Another interview I’ve come across since the show completed is Rafal Los
(Twitter: @Wh1t3Rabbit), Chief Security Evangelist at HP, interviewing HP NED
Master Technologist Justin Simmonds – Raf is well known in security circles and
Justin does a great job of bringing him up to speed on NonStop. Take a
listen at http://bit.ly/Ks8Cez.
Wednesday evening saw the hosting of the NonStop Community Reception,
which was held thanks to the generosity of twenty-one NonStop vendors, at the
Grand Lux Café. This turned out to be a fantastic event, not just for
catching up with old friends, but for making new ones as well, with many different
vendors and NonStop users represented. Indeed, we estimated there to be
over 200 people there at the peak of the gathering – it got quite cozy in that
relatively small room! Still, a great night – thank you again to all the
vendors who helped make it possible.
Things started winding down on Thursday, with many having just enough
energy to check out the entertainment for the week – Sheryl Crow and Don
Henley. Excellent food and cocktails were a welcome accompaniment to some
fantastic music.
All in all, another excellent conference. We look forward to the
NonStop Technical Boot Camp that was just announced for San Jose Oct 14-16, and
to doing it all again in Vegas next year!
Andrew Price
HP NonStop Server Security
and Encryption Solutions
Tuesday, June 5, 2012
XYPRO Technology to Distribute Voltage SecureData Encryption Solution
Voltage’s FPE, Tokenization, and Masking solutions added to XYPRO’s comprehensive security offerings
XYPRO Technology Corporation, the market leader in HP NonStop server security, audit, compliance, and FIPS-validated encryption solutions, today announced that it would begin reselling the Voltage SecureData solution suite, to complement its existing NonStop security products.
Voltage SecureData is a comprehensive data-centric security solution, uniting end-to-end encryption, tokenization and data masking for the protection – end-to-end – of sensitive information, including data subject to compliance, such as PCI DSS, and without impacting business process, work flow and applications. Leveraging patented technology and solution innovations, including Voltage Identity-Based Encryption™ (Voltage IBE™) and Voltage Format-Preserving Encryption™ (Voltage FPE™), Voltage SecureData is the most comprehensive data protection platform, securing data as it is captured, processed and stored across the variety of devices, operating systems, databases and applications. It is used by corporate enterprises, financial institutions, healthcare organizations, government agencies, utilities, retailers and service providers.
“XYPRO is extremely pleased to bring the Voltage SecureData solution to our customers,” said Andrew Price, director, Product Management at XYPRO. “As PCI, GLBA, Basel III, OCC, HIPAA, FISMA, FedRAMP, FERC, NERC and other compliance regulations continue to demand protection of sensitive data, our customers need a range of options for that protection. Voltage SecureData, with its support for Format-Preserving Encryption, tokenization and data masking is the most comprehensive enterprise-wide solution for end-to-end data encryption.”
“We are excited to add XYPRO to our list of global distributors. As the technology and market leader in data-centric security for the NonStop platform, this was a logical step for us, and we look forward to helping XYPRO customers meet their data security and compliance requirements,” said Jeremy Stieglitz, vice president of Business Development, Voltage Security.
About XYPRO
Founded in 1983, XYPRO Technology Corporation is the market leader in HP NonStop server security, audit, compliance assessment and FIPS-validated encryption solutions. XYPRO solutions meet the strict requirements of companies who manage, access and transport sensitive data using heterogeneous hardware platforms and multiple communications media. XYPRO helps mission critical businesses manage their security risks, protect assets and gain a competitive edge through compliance, while improving efficiency.
www.xypro.com
About Voltage
Voltage Security®, Inc. is the world leader in providing data-centric encryption and key management solutions for combating new and emerging security threats. With innovative, powerful and easy-to-use encryption and tokenization solutions for protecting sensitive business data, Voltage customers are able to address privacy regulations and best practices from around the world. Voltage customers adopting data-centric encryption include some of the largest companies in the world across a wide variety of industries including payments, financial, insurance, medical, e-commerce and more. Voltage solutions include three groundbreaking encryption approaches: Identity-Based Encryption™ (IBE), Format-Preserving Encryption™ (FPE), and Page-Integrated Encryption™ (PIE). Voltage solutions have changed how enterprises protect their most valuable assets—their customer data. Offerings include Voltage SecureMail™, Voltage SecureData™, Voltage SecureData Payments™, Voltage SecureFile™, Voltage SecureData Web™ and Voltage Cloud Services™, which provides cloud scale encryption and key management for their businesses, partners and customers. The company has been issued several patents based upon breakthrough research in mathematics and cryptographic systems. To learn more about Voltage customers please visit voltage.com/customers.
###
Voltage Identity-Based Encryption, Voltage Format-Preserving Encryption, Page Integrated Encryption, Voltage SecureMail, Voltage SecureData, Voltage SecureData Payments, Voltage SecureData Web, Voltage SecureFile, and Voltage Cloud Services are trademarks of Voltage Security, Inc. All other trademarks are property of their respective owners.
