Saturday, September 21, 2024

Data Breaches, State Laws Drive Encryption Business for Ingrian

Widespread publicity surrounding the huge data breach at CardSystems Solutions Inc., coupled with a movement among the states to require disclosure of data compromises, is driving business for companies specializing in data security. “Consumers are up in arms about enterprises not taking security seriously enough,” says Karim Toubba, vice president for product management at Ingrian Networks Inc., a Redwood City, Calif.-based provider of encryption solutions that serves transaction processors, banks, and merchants.

The 5-year-old firm, which was called in by Atlanta-based CardSystems two weeks after its breach was detected, refuses to disclose financials, but Toubba says revenue is growing at better than 60% annualized. “Up to a few months ago, the state of processed data was pretty dismal in terms of security,” Toubba says. “There are [still] major concerns about the data. CardSystems almost went out of business, so [managers are] realizing that if I don't take this seriously, I put the entire business in jeopardy.”

Ingrian, which currently has a roster of 46 clients, with 26 related to payments, is now talking to some 200 prospects, Toubba says. Its most recent recruit is Peppercoin Inc., a Waltham, Mass., processor of micropayments.

California now requires companies that sustain a data compromise to disclose the breach if the data were unencrypted and the breach resulted in data theft. Already, Toubba adds, at least four other states, including New York, have enacted or are in the process of passing data-security or privacy laws. And the major card networks maintain data-security standards calling for fines and in some cases public disclosure of breaches.

CardSystems, which is being acquired by San Francisco biometric payments processor Pay By Touch Solutions in a deal announced earlier this week (Digital Transactions News, Oct. 17), saw data on some 40 million card accounts, including card-verification values, exposed to intruders who hacked into its data center.
The incident, the largest of its kind so far, came to light in May when it was announced by MasterCard International and generated a firestorm of publicity and penalties for the beleaguered processor, including decisions from Visa USA and American Express Co. to terminate its access to their networks. These decisions, which if carried out would shut down the company, may now be under consideration in the wake of the Pay By Touch deal. Visa has already extended its deadline for the cut-off, originally set for the end of this month, to Jan. 31. AmEx, whose deadline is also Oct. 31, has not changed the date but says it is reviewing the situation.

To attack the kind of intrusion that hit CardSystems, Ingrian offers a product that encrypts data at what it calls a “granular” level, meaning information residing in zones as small as columns or even fields is masked, allowing the processor to control access to particular pieces of information. It also protects against “logical” thefts, or hacking, by encrypting information at the application layer in the data center, before it is written to disks, tapes, or other physical media. In this way, the data are protected before they are stored in the database, a popular target for electronic thieves. Ingrian software residing in the application server sends the data to an appliance residing in an Ingrian data center for encryption. The appliance then returns the encrypted data to the client. By the time they are passed to the database server, any malware installed there by hackers to listen for account data would pick up only cyphertext, essentially gibberish. All encryption keys reside only on the remote appliance.

Ingrian claims conventional encryption, occurring only after data pass into storage in the database, would have prevented only four of 45 data compromises that have been publicly disclosed since February. Its own model, it says, would have stopped 34 of them.
At the same time, by removing key management from the processor's data center, Toubba says, the hardware approach cuts down on latency, or the slowdown in processing speed often caused by the encryption of large quantities of data. Processors often cite latency as a deterrent to encryption. Each encryption request to the remote appliance, Toubba says, takes 200 microseconds, or less than a quarter of a millisecond. Latency can be minimized, as well, by encrypting only sensitive data, such as Social Security numbers, rather than all data. “The less data you encrypt, the better from a performance perspective,” says Toubba.

Ingrian's system, Toubba says, typically costs from $130,000 to $150,000, which includes all software, hardware, and maintenance. Now the company is working on a product, scheduled for release by mid-2006, targeted at mid-tier merchants and banks that operate outlets inside stores.
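
The flow the article describes (sensitive fields encrypted at the application layer, keys held only on a separate appliance, the database receiving ciphertext) is shown here as an added example; it is not Ingrian's code or API. `KeyAppliance`, `protectRow`, the field names, the caller names and the sample record are constructed, and the appliance is an in-process object standing in for a remote device.

```javascript
const crypto = require('node:crypto');

// Stand-in for the remote appliance: the only place keys ever exist.
class KeyAppliance {
  #keys = new Map(); // field -> AES-256 key (never leaves this object)
  #acl = new Map();  // field -> callers allowed to decrypt it
  addField(field, readers) {
    this.#keys.set(field, crypto.randomBytes(32));
    this.#acl.set(field, new Set(readers));
  }
  encrypt(field, plaintext) {
    const iv = crypto.randomBytes(12);
    const c = crypto.createCipheriv('aes-256-gcm', this.#keys.get(field), iv);
    c.setAAD(Buffer.from(field)); // bind the ciphertext to its column
    const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
    return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
  }
  decrypt(caller, field, blob) {
    if (!this.#acl.get(field)?.has(caller)) throw new Error('access denied');
    const raw = Buffer.from(blob, 'base64');
    const d = crypto.createDecipheriv('aes-256-gcm', this.#keys.get(field), raw.subarray(0, 12));
    d.setAAD(Buffer.from(field));
    d.setAuthTag(raw.subarray(12, 28));
    return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
  }
}

// Application layer: only the sensitive columns are encrypted, before storage.
const SENSITIVE = ['pan', 'ssn'];
function protectRow(appliance, row) {
  const out = { ...row };
  for (const f of SENSITIVE) out[f] = appliance.encrypt(f, row[f]);
  return out;
}

// Constructed sample record; `database` is what a listener on the DB host sees.
function demo() {
  const appliance = new KeyAppliance();
  appliance.addField('pan', ['settlement']);
  appliance.addField('ssn', ['kyc']);
  const database = [];
  database.push(protectRow(appliance, { merchant: 'M-1001', pan: '4111111111111111', ssn: '078-05-1120' }));
  return { appliance, stored: database[0] };
}

console.log(demo().stored);
```

The field name is passed as GCM associated data, so a ciphertext copied from one column into another fails authentication instead of decrypting.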

Digital Transactions