Friday, May 19, 2023
What is involved in devaluing data from both an implementation and employee training perspective?
Simply put, when we say "devalue the data" we are saying to render the data useless so if a system is breached, the data obtained has no value. Many security technologies are focused on keeping the bad guy out. By analogy, building bigger and thicker walls around the castle. Here, we are focused on taking away the value of the data in the event of a breach – so there is nothing of value inside the castle.
Data devaluation is almost entirely systematic and typically done via encryption or tokenization. Both can be used during transmission and storage to protect data. For example, at Bluefin we offer a PCI-certified point-to-point encryption (P2PE) solution to protect cardholder data during transmission from the moment a card is used at a payment terminal until it is decrypted at Bluefin. We use AES-256 HSM encryption to store cardholder data in our databases.
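As an added illustration (not code from the article or from Bluefin) of what "devaluing" means in practice: a vaulted, format-preserving tokenizer in which the application database keeps only tokens, so a copy of that database yields no usable card numbers. The vault class, the preservation of the last four digits, and the rule that a token must fail the Luhn check so it can never be mistaken for a real PAN are assumptions made for this example; the card number is the standard 4111... test PAN.

```python
import secrets

# Constructed sample input: the standard Visa test PAN, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_ok(number: str) -> bool:
    """Luhn check as used for PANs; tokens are generated to fail it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Vaulted, format-preserving tokenization (assumed design for this example).

    The token has the PAN's length and last four digits, but its other digits
    are random; only the vault holds the token -> PAN mapping. Application
    records therefore contain nothing an attacker can charge."""

    def __init__(self):
        self._by_token = {}   # token -> PAN, lives only inside the vault
        self._by_pan = {}     # PAN -> token, so the same card tokenizes once

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("input is not a PAN")
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = middle + pan[-4:]
            # Unique, and never a valid card number in its own right.
            if token not in self._by_token and not luhn_ok(token):
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only an authorized caller with vault access can recover the PAN."""
        return self._by_token[token]


def store_devalued(vault: TokenVault, pans):
    """What the application database ends up holding: tokens, not PANs."""
    return [vault.tokenize(p) for p in pans]
```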
What are additional considerations when implementing a security strategy?
What common mistakes do companies make when implementing advanced tokenization and P2PE technologies?
One common mistake which happens often is confusing PCI's validated P2PE program with a less secure end-to-end encryption (E2EE) program and thinking they are just as good or equivalent. They are not.
P2PE should be thought of as an operational security framework where payment terminals are used to initiate the payment. While encrypting cardholder data as it moves from point A to point B is part of the standard, in total, the program has hundreds of controls to be met before approval whereas E2EE has no specific requirements.
P2PE and E2EE have notable differences. The payment application for P2PE requires a third-party security audit by a P2PE QSA while E2EE requires no audit. Also, a P2PE decryption environment must validate the authenticity of each device prior to decryption, while E2EE requires no validation.
Furthermore, a P2PE decryption environment must validate that every transaction is encrypted upon arrival and reject unencrypted transactions. E2EE has no requirement, and most environments would process the transaction. Additionally, the P2PE solution provider must know and approve the payment application and firmware of every solution. They must know every detail of what is running on every device while E2EE has no such requirement.
Another common mistake when implementing P2PE is not understanding the basics of tokenization and what type of tokenization solution is best for your business. You should look for a solution provider that offers flexibility of token type and ease of use.
When tokens are format-preserving, the token returned will be in the same format as the original data provided. This works well against database schemas. With vaultless systems, the tokens are returned to the client for storage. This addresses data sovereignty concerns.
The client can also build an ecosystem of partners to allow for secure token sharing – allowing business partners the ability to detokenize data tokenized by the client. This solves an otherwise complex data-sharing security challenge. The client can also decide if they prefer format-preserving tokenization or format-preserving encryption in the creation of their tokens.
Overall, businesses should find a tokenization solution that can scale with their business and offer the proper balance between ease of use and meeting business needs.
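Added example (not Bluefin's code and not a PCI artifact) modelling the decryption-environment controls described above: reject unknown devices or unapproved application/firmware, reject any transaction that arrives unencrypted, and authenticate the device before decrypting. The device registry, the message layout and the HMAC-based stand-in cipher are assumptions made for this example; real P2PE terminals use DUKPT-derived keys and decryption happens inside an HSM.

```python
import hashlib
import hmac
import secrets

# Constructed registry of devices the solution provider has approved: serial,
# payment application, firmware and a per-device key (assumed structure).
APPROVED_DEVICES = {
    "PT-0001": {"app": "PayApp 2.1", "firmware": "FW 5.3", "key": b"k" * 32},
}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher for the example only: an HMAC-SHA256 counter keystream
    # XORed with the data. It models the flow, not the real P2PE algorithm.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def terminal_encrypt(device_id: str, pan: str) -> dict:
    """What an approved terminal sends: nonce, ciphertext and a device-keyed tag."""
    dev = APPROVED_DEVICES[device_id]
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(pan.encode(), _keystream(dev["key"], nonce, len(pan))))
    tag = hmac.new(dev["key"], nonce + ct, hashlib.sha256).digest()
    return {"device": device_id, "app": dev["app"], "firmware": dev["firmware"],
            "nonce": nonce, "ct": ct, "tag": tag}


def decryption_environment(msg: dict):
    """Gate a transaction the way the P2PE controls require.
    Returns (accepted, pan_or_reason); an E2EE setup would skip these checks."""
    dev = APPROVED_DEVICES.get(msg.get("device"))
    if dev is None:                                   # provider must know every device
        return False, "rejected: unknown device"
    if msg.get("app") != dev["app"] or msg.get("firmware") != dev["firmware"]:
        return False, "rejected: unapproved application or firmware"
    if "pan" in msg or not all(k in msg for k in ("nonce", "ct", "tag")):
        return False, "rejected: transaction arrived unencrypted"
    expected = hmac.new(dev["key"], msg["nonce"] + msg["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["tag"]):  # authenticate device first
        return False, "rejected: device authentication failed"
    ks = _keystream(dev["key"], msg["nonce"], len(msg["ct"]))
    return True, bytes(a ^ b for a, b in zip(msg["ct"], ks)).decode()
```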
What trends are emerging in cyberattacks, and how can companies protect their environments, employees, partners and customers against them?
Clearly, the last few years have seen a significant uptick in ransomware attacks, which are now a multi-billion-dollar-a-year industry and likely not going anywhere for the foreseeable future. Sensitive data should always be encrypted or tokenized at rest to prevent data exposure from these types of attacks, and organizations must implement an effective backup strategy, preferably offline, to mitigate the effectiveness of this type of attack.
Another emerging trend is cloud security, which according to Gartner is the cyber market segment forecast to have the highest growth over the next two years. With businesses moving more and more of their services to the cloud, adversaries will likely be focusing their time and resources on this area. Implementing a zero trust framework for cloud environments, where users are authenticated, authorized, and continuously validated for security, is an effective security strategy for cloud access.
Supply chain attacks have also dominated the headlines over the last couple of years. From the SolarWinds hack to other high-profile attacks like Okta, we're beginning to see an increase in sophisticated attacks on software and systems relied on by hundreds or even thousands of companies. As companies rely more and more on third-party software/systems, this is a concerning emerging threat.
Organizations must perform due diligence on all third-party software providers, subscribe to mailing lists and stay up to date with vendor security notifications. They must also have an effective business continuity and incident response/recovery plan in the event something does go wrong.
Training is another key component. It's important to remember that phishing is one of the top causes of data breaches. According to Verizon's breach report, 82 percent of all data breaches involve human interaction. Employees should be reminded frequently of things to look out for and appropriate measures to take when anything out of the ordinary occurs.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.