In the payment security landscape, effective management of cryptographic keys is central to secure card-based payments. Many organizations have deployed a variety of encryption and digital key solutions as a primary method to protect their data and meet various compliance requirements. However, the constantly evolving Payment Card Industry (PCI) standards present significant challenges to payments-focused enterprises, which need to keep up with these new regulations continuously. In addition, a majority of organizations lack dedicated key management teams, solutions, or techniques, resulting in a high level of risk. With the enormous amount of metadata constantly growing and taking over the payment security landscape, it’s essential for organizations to have robust strategies in place to ensure complete data governance and compliance.
Driven by the mission to support the constantly evolving cryptographic management compliance mandate, GEOBRIDGE is well-positioned to guide enterprises in overcoming those challenges through its groundbreaking cryptographic key management solutions.
GEOBRIDGE offers its flagship platform, KeyBRIDGE, which performs full lifecycle cryptographic key management. Based on the concept that every individual key has a unique purpose, with unique metadata, and should be governed with business-appropriate guidelines, the KeyBRIDGE platform enhances, tracks, audits, and verifies different data types for end-to-end key lifecycle management. The solution also allows for remote management of its clients’ existing hardware security module (HSM) structure.
We support organizations with implementing key management solutions that are critical to protect and access data effectively.
What sets GEOBRIDGE apart from other payment security solution providers is its vision to protect any type of key used in any vertical market. From the beginning of developing KeyBRIDGE, GEOBRIDGE has leveraged the X9 TR-31 standard, which promotes key interoperability/key bundling and identifies any key type for any algorithm.
For instance, a credit card transaction involves many moving parts: pitching the card’s benefits and issuing it to the user, facilitating card delivery to the location, and getting the card transaction authorized across thousands of payment service providers. An organization can quickly lose count of how many interrelated, interdependent systems are needed to complete a card transaction in a matter of seconds. On top of that, when new cryptographic algorithms hit the market, a global update instantly becomes a difficult undertaking. Against this backdrop, GEOBRIDGE has created a central inventory of key types and named them for all possible and different use cases, enabling enterprises to pick out the keys for their specific business purpose. “We help enterprise clients address and find various project management techniques to go about finding all the different use cases of the keys that were affected,” says Jason Way, CTO of GEOBRIDGE.
“Our solution is truly interoperable for any system and any industry to address life-cycle key management and common naming convention is just the first step.”
Once the keys are placed in inventory and named, GEOBRIDGE knows each key’s entire lifecycle and expiration date. Based on this information, GEOBRIDGE’s team then sets the rotation period and new expiration date. The firm can retrieve hundreds or even thousands of keys at once from the inventory and work to rotate them in the actual production implementation with the new keys, new key types, and new key bundles. “We do all this in a simple product management methodology by isolating the production inventory, which only affects the full key rotation strategy and not the production implementations,” says Way. Additionally, GEOBRIDGE offers the ability to verify, trace, and log the history of what is being done, when, and by whom throughout the key lifecycle.
GEOBRIDGE, in its continual effort to remain ahead of compliance requirements while supporting practical business use cases, has designed a system that may rely on either PCI HSM certifications or FIPS 140-2 Level 3 requirements. The payment industry has long relied upon the FIPS 140-2 Level 3 standard, but as Way describes it, “the payment industry is now at a crossroads with the Federal Cryptography Standards.” PCI HSM is not merely a checkbox but an updated methodology with documented procedures and policies permitting the utilization of key types and key management techniques that are not addressed by these Federal Standards. “We are working with and helping our clients to adjust, enabling them to achieve and maintain compliance even in the midst of these evolving standards,” concludes Way.