PCI-compliance drives encryption alliance

Article ID: 63952

Sheffield-based i security specialist Safestone Technologies has struck a deal with U.S. encryption firm nuBridges to augment its PCI Security Standard-compliance tools. nuBridges' Protect encryption solution will be sold as an optional addition to Safestone's DetectIT security offering.

Safestone COO Terry Heath says: "If companies are carrying credit card information, that information has to be encrypted. nuBridges has developed a new product with tokenisation whereby you can store what looks like a credit card number and it still has the same format which is four sets of four numbers but it’s actually a key that points to the real credit card number. So if somebody steals what looks like the credit card number, it is absolutely worthless to them."

The majority of Safestone's customers are in the financial sector which, for obvious reasons, is on the front line of the Payment Industry Council's efforts to tighten up credit card security. Banks, in particular, are "very, very" interested in tokenisation, according to Heath.

"Some encryption products will take a sixteen-digit string of numbers and will encrypt it, say, alphanumerically so you’ve got numbers and letters in there but the field that the application’s using only allows numbers because it’s a credit card number," he says. "Or it might be that it’s encrypted and it changes the size of the file. So it’s really important to have something that is firstly, numeric and secondly, is in the format of the credit card number, otherwise it messes up applications and that’s where nuBridges are very good."
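The tokenisation idea described above can be sketched in a few lines. This is an added illustration, not nuBridges' or Safestone's code: the `TokenVault` class, its in-memory storage, the same-card-same-token behaviour and the test card number are all assumptions made for the example.

```python
import re
import secrets

CARD_FIELD = re.compile(r"[0-9]{4} [0-9]{4} [0-9]{4} [0-9]{4}")  # four sets of four


def fits_card_field(value: str) -> bool:
    """True if a digits-only, fixed-width card-number field would accept value."""
    return CARD_FIELD.fullmatch(value) is not None


class TokenVault:
    """Hypothetical in-memory vault; a real one is a separately secured store."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not fits_card_field(pan):
            raise ValueError("expected four groups of four digits")
        if pan in self._token_by_pan:  # assumption: same card -> same token
            return self._token_by_pan[pan]
        while True:
            digits = "".join(secrets.choice("0123456789") for _ in range(16))
            token = " ".join(digits[i:i + 4] for i in range(0, 16, 4))
            # Random digits carry no information about the card number; retry
            # on the rare clash with an issued token or with the number itself.
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only a caller with vault access can get back to the real number.
        return self._pan_by_token[token]


def demo() -> dict:
    vault = TokenVault()
    pan = "4111 1111 1111 1111"         # constructed test number
    token = vault.tokenize(pan)
    ciphertext = secrets.token_hex(16)  # stand-in for a hex-encoded 16-byte cipher block
    return {"pan": pan, "token": token, "ciphertext": ciphertext,
            "roundtrip": vault.detokenize(token)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:10} {value!r:40} fits field: {fits_card_field(value)}")
```

The token passes the same field check as the real number, while the hex stand-in for encrypted output is both longer and non-numeric, which is the application breakage Heath describes.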

Power i-driven firms, with their "unhackable" systems, have been accused in the past of complacency when it comes to some aspects of security. However, PCI-compliance has created a real sense of urgency. Heath says: "There are an awful lot of i users that do carry credit card information because it is very strong in retail and financing and there are a lot of companies right now going through PCI compliance."

Laptops get left in taxis. Backup tapes go missing. Headlines about readable data, including credit card information, cropping up in all the wrong places seem to appear on a daily basis. Because of this, Heath says, organisations have moved beyond the stage of merely locking out intruders, and encryption addresses the next stage in the security process: data leakage.

Firms with an eye on the future see other compliance issues looming on the horizon, he says. U.S. Sarbanes-Oxley directives, for example, are now being superseded by similar strictures from Japan, dubbed "J-SOX".

"People comply with regulations that aren’t actually applicable to them," says Heath. "They just do it because they assume that it may come to them anyway. There’s something called the California Privacy Act which says if you lose a tape or data then you have to inform everybody that was on that tape that the tape has been lost, but you don’t have to do this if it’s encrypted. And since that came out, there have been a number of other states in America that have been taking the whole thing up. The strictest one is the Massachusetts Privacy Act and because of that even people over here are gearing up, looking at that and saying: 'OK, that’s quite a sensible thing, let’s ensure that we do the same thing as well'."
