Written by Ena Kadribasic (October 30, 2019)
In the context of data security, modern digital businesses realize the
dangers that come with using sensitive information in its raw form. Figuring
out a way to collect and use the original data without putting it at risk
remains a challenge, and organizations must channel a lot of their resources
into IT security that protects their users’ sensitive data.
With so many highly-publicized
data breaches hitting newspaper headlines in recent years, including a massive Capital One data breach in 2019,
it has become more important than ever to protect sensitive consumer data and
limit its exposure to data leaks.
Thankfully, a number of innovative technologies have made it easier
to reduce data security risk - as well as meet the requirements of Payment Card
Industry Data Security Standard (PCI DSS) compliance.
From encryption and tokenization to next-generation methods like aliasing, businesses in the digital age
have a number of options when it comes to protecting and safely using sensitive
user information.
Encryption and tokenization are two of
the most popular of these methods.
While they both serve valuable
functions in countless modern organizations, they both have their own unique
drawbacks - and many businesses may not even realize what new and innovative
options are currently available to them.
Sensitive Information and the Growing Threat of Data Breaches
The hard-to-face
reality is that billions of personal records are exposed each year.
Just in the first half of
2019, for example, there have been over 3,800 publicly disclosed data leakage
events in which an astonishing 4.1 billion records were compromised, according
to the 2019 MidYear QuickView Data Breach Report.
As we continue to discover the trends of data breaches, it becomes
clear that large-scale data leaks make up the lion’s share of overall
cybersecurity breaches. The same report cites that 3.2 billion of the 4.1
billion leaked records were exposed from just eight data leakage events.
Massive data leaks are fast becoming a frequent occurrence – with
headlines regularly popping up highlighting cybersecurity disasters at popular
corporations that have impacted millions of people.
In the summer of 2019, news of a cybersecurity disaster rattled North
American consumers. The highly-publicized Capital One data breach of 2019 led
to the sensitive data exposure of 100
million Americans and 6 million Canadians – including hundreds of thousands
of Social Security numbers and bank account numbers.
Similarly, in July of 2019, we learned about a whopping $700 million
settlement that resulted from the Equifax data breach. Now, years after the
incident, the 147 million customers
impacted by that disaster all get a piece of that pie.
It only seems like a matter of time until the next multi-million-dollar
data breach settlement will be announced, and another consumer data-handling
organization will have their feet publicly held to the fire.
Thankfully, a number of
innovative data security approaches have made it easier to safely collect and
store sensitive data - greatly reducing the risk of data breaches.
Figuring Out How to Protect Sensitive Data
Even if an
organization does not vault credit card payments or other forms of sensitive data,
any modern business must invest sufficiently in their cybersecurity
protections.
But for companies that
collect, store or transfer sensitive information such as cardholder data like
Primary Account Numbers (PANs) or other types of Personally Identifiable
Information (PII), from account passwords to Social Security numbers - the
importance of airtight data security systems is substantially higher.
Apart from making customers feel safe using their products, businesses
also have to meet various regulatory requirements to prove that they’re
compliant with one or more legal frameworks like SOC 2, HIPAA and PCI.
Given the disastrous effects that a cybersecurity mishap can have on a
company of any size, combined with the various compliance frameworks they must abide
by, modern businesses are investing substantially in data security programs.
From building their own IT security teams to hiring a third-party
cybersecurity vendor, companies need to make sure they’re safeguarding their
users’ sensitive data.
And, these days, when we talk about how businesses protect sensitive
data, we’re usually mentioning either tokenization or encryption. Nearly every
digital organization already relies on tokenization and/or encryption, to some
degree, as part of their IT security policies.
But which is best, and how are
they different?
Tokenization vs. Encryption: What’s the Difference?
Encryption vs. tokenization - what is the difference, and which is superior?
The truth of the matter is that both of these data protection
techniques offer unique strengths for particular use cases, and both are
incredibly valuable for various types of businesses.
Encryption transforms sensitive data with a mathematical algorithm, and the
encrypted form can only be “unlocked” with the corresponding key. Once the
ciphertext is decrypted at the end point, the sensitive data is revealed in its
true format.
Tokenization, on the other hand, limits how much plain-text sensitive data is stored
by substituting “tokens” for the original values. Unlike ciphertext, a token is not
mathematically derived from the original data, so it cannot be reversed or
“solved”; the only way back to the original value is a lookup in the tokenization
solution that issued the token. Because tokens can be made to keep the shape of the
data they replace, tokenization is often more appropriate than encryption for
structured data like credit card numbers.
However, with both tokenization and encryption, the original sensitive data
still resides on a business’ servers to some degree. With tokenization, for
example, there are two points where the raw sensitive data is at risk: the data
vault and the original point of capture.
This means there are still system components through which the original
sensitive data flows, and those components remain within the scope of PCI DSS
requirements.
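To make the two descriptions above concrete, here is a small added example (not code from the original article or from VGS) of a vault-based tokenization flow. The `TokenVault`, `capture_card` and `build_order_record` names are hypothetical; the card number is the well-known `4111 1111 1111 1111` test value, not a real account. The point it demonstrates is the one the text makes: the token is random, not a function of the PAN, so only the vault can map it back, while the order system that holds tokens never sees the raw number. The raw PAN touches exactly two components, the point of capture and the vault, which is why those two stay in PCI DSS scope.

```python
import re
import secrets
from dataclasses import dataclass, field


def luhn_valid(digits: str) -> bool:
    """Luhn check used for real card numbers; tokens are deliberately made to fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """The vault (hypothetical): the only component that stores the PAN <-> token
    mapping. Tokens are random digits, not derived from the PAN, so nothing
    outside the vault can turn a token back into a card number."""
    _pan_by_token: dict = field(default_factory=dict)
    _token_by_pan: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
            raise ValueError("input does not look like a PAN")
        if digits in self._token_by_pan:          # same PAN -> same token
            return self._token_by_pan[digits]
        while True:
            # Format-preserving: keep the last four digits for display and
            # matching, replace everything else with CSPRNG-generated digits.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(digits) - 4))
            token = body + digits[-4:]
            # Reject tokens already issued, or that would pass as a real card
            # number (design choice: a Luhn-failing token can never be mistaken
            # for, or accidentally charged as, a PAN).
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callers with vault access can recover the PAN; unknown tokens raise KeyError."""
        return self._pan_by_token[token]


# --- the two in-scope components the article names -------------------------
def capture_card(vault: TokenVault, raw_pan: str) -> str:
    """Point of capture: the only place besides the vault that handles the raw PAN."""
    return vault.tokenize(raw_pan)


# --- an out-of-scope component: it only ever touches tokens -----------------
def build_order_record(token: str, amount_cents: int) -> dict:
    """The order system stores the token; a leak of this record exposes no PAN."""
    return {"card_token": token, "last4": token[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111 1111 1111 1111"  # constructed sample: the standard Visa test number
    token = capture_card(vault, pan)
    print("stored in order system:", build_order_record(token, 1999))
    print("vault lookup recovers PAN:", vault.detokenize(token))
```

Run it and compare the two printed lines: the order record carries a 16-digit value that keeps the last four for matching but shares nothing else with the PAN, and only the vault call returns the real number. Swapping the vault for an encryption routine would change that picture, since anyone holding the key could reverse the stored value without consulting a central component.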
But what if businesses could still use sensitive data exactly as they
are now, but not possess it at any point?
By removing the sensitive data from a company’s systems entirely, those
networks would be out of PCI DSS compliance scope.
This is where data aliases come into the picture.
Descoping Entirely with Data Aliasing by VGS
While helpful with
data security, both encryption and tokenization maintain original sensitive
data in a business’ possession. With aliasing, it’s possible to collect, store and transfer this same data
just as if it was in its raw state, but without ever possessing it in the first
place.
By working with a third-party
data security partner that provides data aliasing, you can benefit from
sensitive data while keeping your systems completely clean - removing those
systems from PCI DSS compliance scope entirely.
As a trusted data custodian, VGS handles 100% of data capture and
vaulting for businesses that use its data security solutions. By using VGS’ Zero Data approach, companies remove their systems
from PCI DSS compliance scope entirely – removing any
compliance risk and completely mitigating the risks of data leaks.
VGS takes care of all collection, storage and transfer of sensitive
data on your business’ behalf using its innovative Zero Data aliasing method, so your systems are descoped from
compliance requirements entirely.
Moreover, when businesses implement VGS solutions to handle their
sensitive data, they instantly inherit VGS’ best-in-class security posture,
which enables them to fast-track their
certifications like PCI, SOC2 and others.
With data security as one less
thing to worry about, organizations are empowered to focus their time and
resources on what truly matters: continuing to grow their core businesses.
This article was originally published in Very Good Security.