Sensitive Data Sets

Introduction to Data Types


Data Security for Compliance

Many organizations seek tokenization services to help them reduce the cost of Payment Card Industry Data Security Standard (PCI DSS) compliance, which is often done by removing payment card data from internal IT systems. Additional regulatory compliance obligations, such as the General Data Protection Regulation (GDPR) or California Consumer Privacy Act (CCPA), can be satisfied by removing personal data, personally identifiable information (PII), protected health information (PHI), and other sensitive data types from systems via tokenization. To accomplish this, TokenEx customers can choose tokens that retain the same length and format of the original data (format- and length-preserving tokens), maintaining business utility with minimal changes to business-as-usual processes. TokenEx has multiple methods for capturing and processing any type of sensitive data so that it never enters your network, databases, or browsers, ensuring maximum scope reduction.

Data Security for Risk Reduction

Protecting your sensitive data should be about more than meeting minimum compliance obligations. Compliance is important, but it does not always equal security. The goal of your organization should be to improve its overall security posture by desensitizing data, reducing both the likelihood and the impact of a data breach. Encrypted data can be recovered by anyone who obtains the key; a token, by contrast, is a surrogate value with no mathematical relationship to the original, so there is no key to compromise and no way to reverse it outside the vault. Tokenization exchanges the original sensitive value for a nonsensitive token and stores the original in a secure, cloud-based vault outside of the organization's network or IT environment, so a breach of the tokenized environment exposes only tokens, which are useless to the attacker. This process is called data deidentification, or pseudonymization, and it substantially reduces the risk of data theft while also satisfying many compliance obligations. Note that the vault and its detokenization interface become the only place where the originals can be recovered, so access to detokenization should be strongly authenticated, limited to the systems that genuinely need clear-text values, and logged.
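The vault-based, format- and length-preserving tokenization described above (and in the Data Security for Compliance paragraph) works as follows in an added illustration written for this page. It is not TokenEx's code and makes no claim about how the TokenEx service generates tokens: it assumes a toy in-memory vault, tokens drawn at random that keep the last four digits and every separator in place, and a design choice, marked in the code, that tokens are generated to fail the Luhn check so a token can never be mistaken for a real card number. The PAN and SSN values are constructed test data.

```python
import secrets
import string
from typing import Dict


def luhn_valid(value: str) -> bool:
    """Luhn checksum over the digits in value.

    Real PANs pass this check. The vault below deliberately hands out tokens
    that fail it (a design choice for this example), so a token can never be
    mistaken for, or used as, a card number. A value with no digits is never
    treated as a valid PAN.
    """
    digits = [int(c) for c in value if c.isdigit()]
    if not digits:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def random_format_preserving(value: str, keep_last: int) -> str:
    """Return a random string with the same length and character classes as value.

    ASCII digits become random digits and ASCII letters become random letters of
    the same case; separators (spaces, dashes, etc.) are kept in place, and the
    final keep_last digits are copied through so "last four" displays keep
    working. Only secrets.choice is used: the token is not derived from value.
    """
    digit_positions = [i for i, c in enumerate(value) if c.isdigit()]
    cut = max(0, len(digit_positions) - keep_last)
    preserved = set(digit_positions[cut:])
    randomizable = [i for i, c in enumerate(value)
                    if c.isascii() and c.isalnum() and i not in preserved]
    if not randomizable:
        raise ValueError("nothing left to randomize; token would equal the value")
    out = []
    for i, c in enumerate(value):
        if i in preserved or not (c.isascii() and c.isalnum()):
            out.append(c)
        elif c.isdigit():
            out.append(secrets.choice(string.digits))
        else:
            pool = string.ascii_uppercase if c.isupper() else string.ascii_lowercase
            out.append(secrets.choice(pool))
    return "".join(out)


class TokenVault:
    """Toy vault: the only place a token can be turned back into its original.

    In a real deployment the vault lives outside the application's network and
    detokenize() is the access-controlled, audited operation.
    """

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def tokenize(self, value: str, keep_last: int = 4) -> str:
        # Same input -> same token, so tokens can still be joined and searched on.
        if value in self._value_to_token:
            return self._value_to_token[value]
        for _ in range(1000):
            token = random_format_preserving(value, keep_last)
            # Reject collisions and anything that would pass as a real PAN.
            if (token != value and token not in self._token_to_value
                    and not luhn_valid(token)):
                break
        else:
            raise RuntimeError("could not generate a distinct token")
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Raises KeyError for unknown tokens. Callers must be authorized and logged.
        return self._token_to_value[token]


def demo() -> dict:
    """Tokenize two constructed values and show what a dump of the application
    database (tokens only) would give an attacker."""
    vault = TokenVault()
    pan = "4111 1111 1111 1111"  # constructed: a well-known test card number
    ssn = "123-45-6789"          # constructed sample, not a real SSN
    # The application stores only tokens; the originals live in the vault.
    app_db = {"customer_42": {"card": vault.tokenize(pan), "ssn": vault.tokenize(ssn)}}
    return {"vault": vault, "app_db": app_db, "pan": pan, "ssn": ssn}


if __name__ == "__main__":
    d = demo()
    print("application database (what a breach exposes):", d["app_db"])
    card = d["app_db"]["customer_42"]["card"]
    print("token passes Luhn?", luhn_valid(card))
    print("vault lookup (authorized callers only):", d["vault"].detokenize(card))
```

Running the script shows the application record holding values like `"4xxx xxxx xxxx 1111"` and `"xxx-xx-6789"` that keep the shape downstream code expects, while every clear-text value is recoverable only through the vault object. Whether tokens should pass or fail the Luhn check is a deployment decision; failing it is chosen here so a leaked token is rejected by any system that validates card numbers.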

Common Sensitive Data Types

  • Payment Card Information (PCI) – Often loosely called "PCI data," this is cardholder data (CHD) as defined by the Payment Card Industry Security Standards Council (PCI SSC). The PCI SSC publishes the Payment Card Industry Data Security Standard (PCI DSS), which the card brands require organizations to follow when they store, process, or transmit CHD, including primary account numbers (PANs), and which also governs sensitive authentication data such as card verification values (CVVs). Note that PCI DSS does not permit sensitive authentication data to be stored after authorization, so CVVs may be tokenized in flight but not retained, even as tokens.
  • Personally Identifiable Information (PII) – PII is information that can independently identify—or be combined with additional information to determine, trace, or distinguish the identity of—a specific individual. This type of information includes names, Social Security numbers, biometric records, dates and places of birth, mothers' maiden names, etc.
  • Protected Health Information (PHI) – PHI is a term broadly used to describe various types of information related to health care. Under the Health Insurance Portability and Accountability Act (HIPAA), it is data "created, received, stored, or transmitted by HIPAA-covered entities and their business associates in relation to the provision of health care, health care operations, and payment for health care services."
  • Nonpublic Personal Information (NPI) – NPI is the term used under the Gramm-Leach-Bliley Act (GLBA) for publicly unavailable PII that a financial institution collects in the course of serving a customer. It also includes any lists, descriptions, or other groupings of consumers that either contain NPI or were created using it.

Benefits of Tokenization

Tokenization is a powerful, risk-reducing technology that can secure and desensitize any data type in accordance with many international regulatory compliance obligations. With tokenization, you can:

  • Reduce Compliance Scope

  • Reduce Risk of Data Breaches

  • Reduce IT Overhead and Bandwidth

  • Reduce Risk of Data Theft