
Friday, May 19, 2023

Green Sheet interviews Bluefin's Brent Johnson

Encryption and tokenization provider Bluefin uses cryptographic solutions to protect payments and sensitive data. The company's technology stack covers contactless face-to-face, call center, mobile, ecommerce and unattended payments, and protects data in the healthcare, higher education, government and nonprofit industries. The Green Sheet discussed the role of PCI-certified point-to-point encryption (P2PE) with Brent Johnson, CISO at Bluefin. Interview highlights follow.

What is involved in devaluing data from both an implementation and employee training perspective?

Simply put, when we say "devalue the data" we are saying to render the data useless, so that if a system is breached, the data obtained has no value. Many security technologies are focused on keeping the bad guy out; by analogy, they build bigger and thicker walls around the castle. Here, we are focused on taking away the value of the data in the event of a breach – so there is nothing of value inside the castle.

Data devaluation is almost entirely systematic and typically done via encryption or tokenization. Both can be used during transmission and storage to protect data. For example, at Bluefin we offer a PCI-certified point-to-point encryption (P2PE) solution to protect cardholder data during transmission from the moment a card is used at a payment terminal until it is decrypted at Bluefin. We use AES-256 HSM encryption to store cardholder data in our databases.

What are additional considerations when implementing a security strategy?

  • Consider P2PE as a Service: Bluefin provides data tokenization and detokenization as a service over APIs and iFrames to protect PII, PHI, and cardholder data in flight and at rest.

  • Minimize data usage, flows: Companies should review their approach to data protection in general. First, don't retain what you don't need. Have a data retention policy that meets the needs of the business and when this period passes, securely purge the old data. Secondly, understand the data flows in your business and protect the data as soon as possible and throughout all flows and storage. Minimize, and hopefully eliminate, points of access to unprotected data.

  • Think encryption and tokenization: Encryption and tokenization are not mutually exclusive and should both be considered to deliver enterprise protection. For example, in payments, a merchant might use a P2PE solution to initially acquire and protect the cardholder data at the point of sale. After the authorization, the P2PE solution provider should tokenize the card number and return it to the merchant allowing that merchant to store and use the tokenized card number in the future for card-on-file needs. In this example, a merchant can process the initial and subsequent transactions without ever having access to the actual card number.

  • Employee training: Employee training is needed if the tokenized data is made available for viewing, so employees know it is not the original data. For example, a card number may have been 4111111111111111 previously, but is now 4111118263821111 after tokenization. Both look like real card numbers, but the second is a format-preserving token that is still useful for support purposes in its tokenized form, as the first six and last four digits are preserved.

What common mistakes do companies make when implementing advanced tokenization and P2PE technologies?

One common mistake which happens often is confusing PCI's validated P2PE program with a less secure end-to-end encryption (E2EE) program and thinking they are just as good or equivalent. They are not.

P2PE should be thought of as an operational security framework where payment terminals are used to initiate the payment. While encrypting cardholder data as it moves from point A to point B is part of the standard, in total, the program has hundreds of controls to be met before approval whereas E2EE has no specific requirements.

P2PE and E2EE have notable differences. The payment application for P2PE requires a third-party security audit by a P2PE QSA, while E2EE requires no audit. Also, a P2PE decryption environment must validate the authenticity of each device prior to decryption, while E2EE requires no validation.

Furthermore, a P2PE decryption environment must validate that every transaction is encrypted upon arrival and reject unencrypted transactions. E2EE has no requirement, and most environments would process the transaction. Additionally, the P2PE solution provider must know and approve the payment application and firmware of every solution. They must know every detail of what is running on every device while E2EE has no such requirement.
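The controls described in the two answers above (known device and approved firmware, encrypted-on-arrival, device authenticity before decryption), as an added example that is not Bluefin's or the PCI Council's code. The device registry, key and firmware label are constructed, and the keystream cipher is an HMAC-SHA256 stand-in for the terminal's real AES/DUKPT; only the gating logic is the point.

```python
import hashlib
import hmac
import json
import secrets

# Constructed registry: serial -> approved firmware build and per-device key.
# A real decryption environment keeps this in an HSM-backed, audited store.
APPROVED_DEVICES = {
    "TERM-0001": {"firmware": "fw-2.4.1", "key": bytes.fromhex("11" * 32)},
}

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (stand-in for AES/DUKPT) derived from the device key and nonce."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def terminal_encrypt(serial: str, pan: str) -> str:
    """What an approved terminal sends: nonce, ciphertext and a MAC over both."""
    key = APPROVED_DEVICES[serial]["key"]
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(pan.encode(), _keystream(key, nonce, len(pan))))
    mac = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()
    return json.dumps({"nonce": nonce.hex(), "ct": ct.hex(), "mac": mac})

def decryption_environment(serial: str, firmware: str, payload: str):
    """Return (decision, pan_or_None). Only a 'DECRYPTED' decision yields a PAN."""
    # Control 1: the device and its firmware must be known and approved.
    device = APPROVED_DEVICES.get(serial)
    if device is None or device["firmware"] != firmware:
        return ("REJECT_UNKNOWN_DEVICE_OR_FIRMWARE", None)
    # Control 2: the transaction must arrive as an encrypted envelope.
    # A bare PAN (or anything malformed) is rejected, never processed.
    try:
        env = json.loads(payload)
        nonce, ct = bytes.fromhex(env["nonce"]), bytes.fromhex(env["ct"])
        mac = env["mac"]
    except (ValueError, KeyError, TypeError):
        return ("REJECT_UNENCRYPTED", None)
    # Control 3: the envelope must authenticate under this device's key.
    expected = hmac.new(device["key"], nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return ("REJECT_BAD_MAC", None)
    pan = bytes(a ^ b for a, b in zip(ct, _keystream(device["key"], nonce, len(ct)))).decode()
    return ("DECRYPTED", pan)
```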

Another common mistake when implementing P2PE is not understanding the basics of tokenization and what type of tokenization solution is best for your business. You should look for a solution provider that offers flexibility of token type and ease of use.

When tokens are format-preserving, the token returned will be in the same format as the original data provided. This works well against database schemas. With vaultless systems, the tokens are returned to the client for storage. This addresses data sovereignty concerns.

The client can also build an ecosystem of partners to allow for secure token sharing – allowing business partners the ability to detokenize data tokenized by the client. This solves an otherwise complex data-sharing security challenge. The client can also decide if they prefer format-preserving tokenization or format-preserving encryption in the creation of their tokens.

Overall, businesses should find a tokenization solution that can scale with their business and offer the proper balance between ease of use and meeting business needs.
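A toy vault-based, format-preserving tokenizer illustrating the token shape from the employee-training answer (first six and last four digits preserved) and the vault versus detokenization distinction from the answer above, as an added example that is not Bluefin's code. The in-memory dictionaries stand in for an HSM-backed vault.

```python
import secrets

class TokenVault:
    """Constructed stand-in for a token vault: maps PANs to tokens and back."""

    def __init__(self):
        self._pan_to_token = {}   # PAN -> token, so a card-on-file PAN always gets one token
        self._token_to_pan = {}   # token -> PAN, the only place detokenization can happen

    def tokenize(self, pan: str) -> str:
        """Return a format-preserving token for a 13-19 digit PAN."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        head, tail = pan[:6], pan[-4:]          # first six and last four survive
        middle_len = len(pan) - 10              # everything between them is replaced
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(middle_len))
            token = head + middle + tail
            # A token must never equal the PAN it protects and must be unique in the vault
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str):
        """Return the PAN for a known token, or None: outside the vault a token has no value."""
        return self._token_to_pan.get(token)


def is_format_preserving(pan: str, token: str) -> bool:
    """The property the interview describes: same length, all digits,
    first six and last four preserved, and the value actually changed."""
    return (len(token) == len(pan) and token.isdigit()
            and token[:6] == pan[:6] and token[-4:] == pan[-4:]
            and token != pan)
```

Because the token keeps the PAN's length and digit set, it drops into an existing database column or support screen unchanged, while a copy of the merchant's database alone yields nothing a vault lookup cannot refuse.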

What trends are emerging in cyberattacks, and how can companies protect their environments, employees, partners and customers against them?

Clearly, the last few years have seen a significant uptick in ransomware attacks, which is now a multi-billion-dollar-a-year industry and likely not going anywhere for the foreseeable future. Sensitive data should always be encrypted or tokenized at rest to prevent data exposure from these types of attacks, and organizations must implement an effective backup strategy, preferably offline, to mitigate the effectiveness of this type of attack.

Another emerging trend is cloud security, which according to Gartner is the cyber market segment forecast to have the highest growth over the next two years. With businesses moving more and more of their services to the cloud, adversaries will likely be focusing their time and resources on this area. Implementing a zero trust framework for cloud environments, where users are authenticated, authorized, and continuously validated for security is an effective security strategy for cloud access.

Supply chain attacks have also dominated the headlines over the last couple of years. From the SolarWinds hack to other high-profile attacks like Okta, we're beginning to see an increase in sophisticated attacks on software and systems relied on by hundreds or even thousands of companies. As companies rely more and more on third-party software/systems, this is a concerning emerging threat.

Organizations must perform due diligence on all third-party software providers, subscribe to mailing lists and stay up to date with vendor security notifications. They must also have an effective business continuity and incident response/recovery plan in the event something does go wrong.

Training is another key component. It's important to remember that phishing is one of the top causes of data breaches. According to Verizon's breach report, 82 percent of all data breaches involve human interaction. Employees should be reminded frequently of things to look out for and appropriate measures to take when anything out of the ordinary occurs.
