With 5,500 tills across 170 stores and a growing online business, department store retailer Debenhams handles a huge quantity of credit card data. So when the Payment Card Industry Data Security Standard (PCI DSS) came into force in 2009, the potential impact on its IT infrastructure could have been devastating.
Founded in 1778, the company has accumulated a diverse collection of IT systems over the years. Its tills and in-store kiosks run on Microsoft Windows; its customer data warehouse is built on IBM’s System i platform (formerly AS/400); and its business applications rely on technologies including Linux, SQL Server and Oracle’s database software.
PCI DSS requires organisations to encrypt cardholder data when in transit and in storage. Debenhams was therefore confronted with the prospect of upgrading every system that stored or transmitted credit card numbers in order to handle the metadata created by traditional encryption technologies.
"Some vendors require you to add metadata to the 16 digit credit card number so that it can be decrypted, which increases the size of the number," explains Aqil Nasser, technical architecture controller at Debenhams. "If we had used that kind of encryption, every line and row in every database from the source to the target system would have had to have been increased. We would have had to have changed every single programme that touched credit card data."
Instead, Debenhams used a tokenisation system from a company called nuBridges, which has since been acquired by Liaison Technologies. Tokenisation replaces some of the characters in a string of data, such as a credit card number, with substitute values while leaving the rest untouched. Critically, tokenisation does this without changing the format of the data.
"Our systems use the first four digits of a credit card number to identify the bank, and the last four digits as the unique identifier for the customer," explains Nasser. "So we could tokenise the eight digits in between and run all our existing programmes and data schemas without making any changes."
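The following is an added illustration of the format-preserving scheme Nasser describes (keep the first four and last four digits, replace the eight in between) and of why it avoids the length problem described earlier with metadata-carrying encryption. It is example code written for this article, not Debenhams' or Liaison's implementation; the in-memory vault, the decision to make tokens fail the Luhn check so they cannot be mistaken for real card numbers, and the sample card number are all constructed assumptions.

```python
import re
import secrets

# A 16-digit primary account number (PAN); the article describes 16-digit card numbers.
PAN_RE = re.compile(r"^\d{16}$")
DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Standard Luhn check digit test; real card numbers pass it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def legacy_lookup_keys(value: str):
    """Stand-in for the retailer's existing programmes: they only read the
    first four digits (issuing bank) and last four (customer identifier)."""
    return value[:4], value[-4:]


class TokenVault:
    """Constructed in-memory vault. In a real deployment the vault is the one
    component that holds PANs and lives inside the PCI DSS scope; everything
    downstream sees only tokens."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        if not PAN_RE.match(pan):
            raise ValueError("expected a 16-digit PAN")
        # Same PAN always maps to the same token, so joins and customer
        # identification in downstream systems keep working.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        head, tail = pan[:4], pan[-4:]
        while True:
            middle = "".join(secrets.choice(DIGITS) for _ in range(8))
            token = head + middle + tail
            # Reject collisions, the identity mapping, and any token that would
            # pass Luhn (assumed design choice: tokens must not look like PANs).
            if token in self._token_to_pan or token == pan or luhn_valid(token):
                continue
            break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        """Only the vault can reverse a token; there is no key to derive it from."""
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise KeyError("unknown token") from None


def demo() -> dict:
    """Run the round trip on a constructed, well-known test PAN and report
    the properties the article relies on."""
    vault = TokenVault()
    pan = "4111111111111111"           # constructed test number, not a real card
    token = vault.tokenise(pan)
    return {
        "same_length": len(token) == len(pan),
        "same_lookup_keys": legacy_lookup_keys(token) == legacy_lookup_keys(pan),
        "token_differs": token != pan,
        "token_luhn_invalid": not luhn_valid(token),
        "stable": vault.tokenise(pan) == token,
        "round_trip": vault.detokenise(token) == pan,
    }
```

Because the token is still sixteen digits with the same prefix and suffix, every column width, schema and programme that reads the bank prefix or the customer suffix is unaffected; the only system that changes is the vault, which is exactly the point Nasser makes about avoiding changes to every programme that touches card data.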
Had it not been for tokenisation, not only would Debenhams have had to change every single system it uses, those systems would have required more CPU and storage resources to handle the metadata.
"We calculated that the cost of those changes and upgrades would have been ten times the cost of the Liaison system," Nasser says. As it is, "we have incurred no additional cost for the infrastructure or headcount to support the infrastructure, and we didn’t have to make any programme modifications".
Tokenisation was an obvious choice for Debenhams’ encryption requirements. As for selecting the supplier, nuBridges (as it was then known) offered connectors for all Debenhams’ back-end systems.
Just as important, though, was the fact that it was a small supplier that was heavily invested in making the project work, Nasser explains.
"We got a lot of focus from the account team because they wanted Debenhams as a reference customer," he says. "They made sure they put their ‘A team’ on the project which really paid off."
This is a valuable lesson for any IT project, he adds. "Using people who are keen to work with you, rather than waiting for the next purchase order to come along, will serve you well."