If you are currently tokenizing only payment card data sets, you are putting your organization in harm’s way to a degree you may not even realize. The long-term impact of not securing ALL data sets will prove very different- and much more expensive- for your organization than exposing traditional PCI (Payment Card Information) data. Data breaches are no longer focused only on PCI as in the past, but on a much, much more sophisticated data set- PII (Personally Identifiable Information). Just 5 years ago the mere mention of a class action lawsuit had no merit in regards to a data breach. Well, those days are gone. The FTC (Federal Trade Commission) is now the federal watchdog for data breaches, which means responses and law suits have a leg to stand on. So how does that impact your organization? How much money are we talking about? What is the realistic cost of a data breach if you have exposed PII? What is the standard for defining PII? Isn't it complicated to tokenize this data set? Can PII tokens even work in your business systems? What if you are using a payment processor solution; can they tokenize your PII? Let's dig into the nuts and bolts of this, because essentially you are failing your organization if you are not leveraging tokenization across data sets.
Data Breach = Expensive
The Ponemon Institute values the cost of each individual record exposed at around $178— and considering the average breach exposes close to 30,000 records, you can do the math. The average data breach costs organizations around $4,000,000, and this figure is still just based off the historical data from exposed payment card data, which as we noted before is less costly. You can expect that figure to be much higher moving forward. Moreover, the Ponemon price tag does not cover “catastrophic” breaches like the Sony breach they are still reeling from and paying for. It also does not cover breaches that expose over 100,000 records. All of this directly impacts your brand, reputation, and bottom line.
PII as defined by NIST
The way PII is defined should concern you, in that it covers a broad array of information you probably collect and store somewhere in your systems.
Information that can be used to distinguish or trace an individual’s identity:
- Name or Alias • Social Security Number • Date & Place of Birth • Passport Number
Information that is linked or linkable to an individual:
- Medical Information • Educational Information
Personal characteristics that can be used for verification:
- Photographic Image • Fingerprints • Handwriting • Retina Scan • Voice Signature • Facial Geometry • Behavioral Biometrics • Other Biometric Data
It will be interesting to see what law suits emerge in the coming months as a result of the recently announced Yahoo! Breach, which exposed "names, e-mail addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers" according to Reuters. As long as the data is there for the taking, hackers will find a way to take it.
Tokenizing ALL Data Sets
It’s critical that all types of sensitive data can be stored in the same secure platform, following consistent tokenization schemas that are appropriate for the data types. To explain, tokens can be format-preserving so that the same length and sequence (alphanumeric) of the original data is used in its replacement token, as well. That means no changes to technology, applications, or business processes are required. If you have to completely redesign your business logic in order to implement tokenization, you may want to reevaluate the solution you are using, but there is a high probability that your tokenization efforts are going to fail before they even begin.
Custom Token Schemes for Your Organization
Using customized token schemes enables the tokenization of any data format and type, not just payment and social security numbers, but literally any digital data—even scans of payment forms, non-public product information, any data. Then it should be vaulted securely, only to be accessed by your systems with the proper security keys. Custom token formats can also be designed to meet your special business needs.
Gateways Only Tokenize Payment Card Data
Why not use existing Gateway Tokenization? Out of the box, transactional tokenization has severe limits in the data sets that it is able to tokenize. The vast majority of these solutions are only able to tokenize payment data, so what are you to do when you need to tokenize PII? PHI? Or data sets that are covered by diverse international rules and regulations? Some organizations will use multiple tokenization solutions from multiple providers to address this issue, and it is considerably more expensive than using a single platform that can tokenize everything. Obviously, it is uneconomical and much more work to maintain two or more tokenization systems- one for financial payment data and others for personal and health data.
On-Premise Storage of PII Puts You In Harm’s Way
It is ugly, plain and simple. If it is in your environment (e.g. on-premise solutions), they will take it, and you will be sued. Wyndham set the precedent for customers to be able file class action lawsuits against organizations who expose their PII. The FTC now has oversite and they are levying some pretty nasty fines in the millions for organizations who are found negligent in their data security programs. My message for not storing sensitive data will continue to repeat the same mantra, “Why put your organization in harm’s way when it is not necessary?” Remove all of the sensitive data sets, but keep all of the flexibility in how you store, access, and secure your data with a cloud based solution. Move all of the risk and the liability to a cloud based solution, so that if your organization is ever breached, you will expose no customer data.
Secure Cloud Data Vaulting
The way cloud data vaulting should work for you is to store clients’ sensitive data and, using secure encrypted channels, swapping the sensitive data with mathematically-unrelated tokens. These tokens should be ready to go and used for processing in business systems instead of the actual sensitive data. Best of all, since the data is secured off-premise, out of your organization’s environment, a data breach will not result in the exposure of your sensitive data- only useless tokens. This eliminates the risk of data theft and has the added benefit of greatly reducing the cost of regulatory compliance, such as PCI DSS.
The Results of the Solutions
So, in comparing on-premise tokenization, payment gateway tokenization, and cloud tokenization, we see that any solutions unable to simply and securely remove toxic data from your systems, without interrupting your business processes are not the way to go in securing PII. Why would you risk the potentially ruinous practice of storing sensitive data on-premise, knowing there is really no way to cap that risk? The true, grander figures won't even reveal themselves until the dust has settled on the consequences of exposing customer data.
Payment gateway tokenization, on the other hand, will cost you significantly more money than on-premise or cloud based, and you still are limited in the data sets you can tokenize- with no freedom to select the payment processor, 3rd party analytics, fraud prevention solution, and other providers that best suit your organization. Also, worth mention is the fact that not only are you still left with your other data sets and limited in flexibility, but if you ever decide to leave for the greener pastures of cloud tokenization, you can guarantee that any of your existing data will not be going with you.
Cloud tokenization has to be secure, flexible and vendor agnostic, so you can select the vendors that will empower your organization. It needs to be cost effective- where you are not being charged for every single transaction, and you have to be able to take your data with you regardless of what tokenization solution you use. Cloud tokenization must be scalable with your growth, as it no longer makes sense to manage tokenization solutions inside your environment. The redundancies mandated by cloud based tokenization speed up the ability to access data, deduce trends, and most importantly, secure ALL of your data sets. Achieve PCI compliance, significantly reduce risk, and focus on what it is you do best. With cloud tokenization you can have your cake- and you get it to eat, too.