SEPA, PSD2, GDPR, Oh My! How Do They Interconnect, and How does TokenEx Facilitate? Part 3 of 3

SEPA, PSD2, GDPR, Oh My! How Do They Interconnect, and How does TokenEx Facilitate? Part 3 of 3

In part 1 of this blog series we covered the basics of the new European directives and how they interconnect. In part 2, we covered how the landscape of European payments is changing, the monetization of payment card data, and issues surrounding the collection and use of personal information (PII). We also looked at how PSD2 makes sensitive data sets available to third parties, while GDPR makes that data private, creating an interesting conundrum for organizations caught in the middle. In regard to PCI DSS, ISO, and GDPR, each of these initiatives is designed to reduce or eliminate risk and the associated liabilities in the event of a data breach. In order to achieve this ultimate goal, and become compliant with all initiatives concurrently, organizations need a unifying data security platform that can guarantee that all sensitive data sets are secure both in transit and at rest.

In part 3 of this blog, we’ll explore the data security solution types that are recognized by GDPR, PCI, ISO, and PSD2. Also for consideration, since PSD2 allows third parties to access both personal and payment card data for financial transactions, as well as bank account access, how do you know if your third-party providers are using adequately secure methods to ultimately protect you? In GDPR, what is the difference between anonymization and pseudonymization? What security platforms can properly pseudonymize the sensitive data sets? Finally, how can TokenEx help facilitate compliance with GDPR so that you can get on with your business?

Accountability for Third-Party Partners

According to the research 3rd Party Risks: The Cyberdimension, published by

Deutsche Bank and Economist Intelligence Unit:

  • Almost one out of five organizations (19 percent) don’t check whether their third-party suppliers use the same methods for identity authentication as they do
  • Almost all organizations in the survey performed internal penetration testing (92 percent)
  • Only 38 percent of organizations require all of their third-party partners to perform penetration testing
  • One-third of organizations (33 percent) do not conduct external testing

Simply put, global organizations are not performing due diligence to guarantee that their third-party vendors are safely and securely handling sensitive payment card data and PII. Even if they are GDPR-compliant themselves, organizations will be held accountable if their third-party vendors with whom they share sensitive data are in non-compliance with GDPR. It is therefore imperative for organizations to inquire and understand whether or not their third-party partners are handling sensitive data using appropriate technical and organizational controls.

Security Does Not Stop at Authentication

In regard to PSD2, the goal is to establish “strict security requirements for electronic payments and the protection of consumers' financial data, guaranteeing safe authentication, and reducing the risk of fraud; the transparency of conditions and information requirements for payment services; the rights and obligations of users and providers of payment services”. This means that proper authentication and secure communication techniques must be in place within your organization and at any third-party partner with which you are sharing data. In addition, if you are handling ANY personal data, de-identification must be performed in order to maintain GDPR compliance.

De-Identification – Anonymization vs. Pseudonymization

According to GDPR Recital 26, anonymized data is defined as “personal data rendered in such a manner that the data subject is not, or no longer is, identifiable.” While complete anonymization of data is very difficult to achieve, if all identifiable information is removed, and it is impossible to re-identify the data subjects, the storage and processing of the data is no longer subject to the GDPR. However, there are business requirements that prevent an organization from anonymizing all the personal data it controls in order for it to be useful. In these instances, organizations are encouraged to pseudonymize personal data.

Article 4(5) of the GDPR defines pseudonymization as the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” This is typically achieved by replacing key identifiers in the data with pseudonyms or tokens. Pseudonymized data is still subject to the obligations described by the GDPR, but by holding the “additional information” separate from the de-identified data, organizations are granted certain compliance benefits under the regulation.

The Road to Pseudonymization

There are generally two forms of pseudonymization: tokenization and encryption. For encryption, the Parliamentary text requires that the “encryption key” necessary to identify data subjects be kept separate from the coded data, and is subject to technical and organizational security measures to prevent inadvertent re-identification of the coded data. Tokenization, in contrast, requires no “key” and thus is an easier and more efficient method of pseudonymization.

Article 32 of the GDPR calls upon data controllers to implement a “level of security appropriate to the risk.” Tokenized data can potentially pose a much lower risk than a fully-identified data set, thus reducing the level of difficulty in meeting this mandate. An organization can still effectively use tokenized/pseudonymized data sets in business processes, something that is not always possible when using encryption alone.

It’s important to understand that not all tokenization and encryption platforms are the same, so the type of pseudonymization platform you employ will also play into how GDPR determines if your organization is in or out of compliance. For example, if you are storing pseudonymized data along with personal identifiers within the same on-premise solution, you could very well find yourself out of GDPR compliance. The same would be true of a third-party that shares the data. At this point, GDPR has not clarified pseudonymization standards, so you cannot know exactly which type of platform to use. Maintaining PCI DSS and ISO compliance, as well as requiring your third-party vendors to do the same, is a good place to start as the regulation becomes fully defined.

The GDPR imposes the requirement of “data protection by design and by default” and specifically mentions pseudonymization in Article 25 as an appropriate control for demonstrating this intent–“implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.” This means that simply pseudonymizing personal data does not guarantee compliance with the GDPR. Much like with solutions for achieving PCI DSS and ISO compliance, implementation matters.

TokenEx is Prepared for GDPR

Tokenization and encryption are an advanced form of pseudonymization, as referenced in the GDPR. TokenEx’s tokenization and encryption solutions are well-recognized and accepted forms of pseudonymization, which makes GDPR compliance more certain, less costly, and much easier to accomplish. These are the same processes TokenEx uses to protect the private data of our clients worldwide, without a single breach or exposure, for over a decade. The TokenEx Cloud Data Security Platform can be used to satisfy many of the compliance requirements of the GDPR. As GDPR goes into effect and is interpreted across various jurisdictions, it is certain to change and be amended over time, so utilizing a flexible and constantly evolving cloud tokenization platform like TokenEx will assist in compliance in the coming years.

TokenEx is the industry leader for enterprise cloud tokenization that removes sensitive data of any type from internal business systems. Just remember—no data, no theft. To learn how we can help you comply with GDPR with tokenization and pseudonymization of sensitive data, please email for a personal appointment. Follow us on Twitter and LinkedIn.gdpr-tokenex

Topic(s): compliance , encryption , PII , tokenization , GDPR , privacy

Keep Up With Our PCI & Privacy Blog