Big data is everywhere. All industries need it, and with the rise of digital technology and the number of people producing and sharing data, the market has seen big data analytics skyrocket. By analyzing all types of information, organizations can make informed decisions regarding products and services while improving overall effectiveness and efficiency.
This wholesale transformation has also made its way to the finance sector, with payment service providers (PSPs) adapting to this change for the benefit of their customers. However, with societal concerns over how data is being acquired, used and protected, promoting security and meeting data compliance regulations has become vital to modern businesses.
Don’t break the law
Regardless of where a PSP may operate, there are a host of data protection laws and regulations that must be followed. For PSPs in particular, two stand out above all: the European General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS). Created by the European Commission, GDPR is focused on handing privacy controls back to the consumer by addressing how organizations use, store, collect and protect personally identifiable information (PII).
The PCI DSS, formed by some of the world’s leading credit card issuers such as VISA, MasterCard, Discover and American Express, is a set of policies and procedures designed to secure credit, debit and cash card transactions and to prohibit any misuse of sensitive information.
The two differ in certain areas, but the core reason both exist is to safeguard sensitive data and to ensure organisations notify victims of a breach in a timely fashion. Failure to meet the requirements of these regulations will result in hefty penalties. If it hasn’t been drilled into companies enough over the past two years, as a reminder: for GDPR non-compliance, fines of up to 20 million euros or 4% of the business’s annual turnover/revenue will be enforced, whereas merchants will be issued with a fine of $500,000 for a security incident under the PCI DSS. Such penalties could result in serious setbacks or even bankruptcy for some companies, while also black-marking them among current and prospective customers.
A lax approach will not suffice. It is therefore critical that PSPs which collect or handle sensitive information implement data governance that applies security controls throughout the data lifecycle. This starts with strong leadership from an executive board that understands the key issues. Still, many see security as an afterthought, resulting in a limited view of how and where personal information is protected within their systems. Given the connected nature of nearly every modern business, it’s worth remembering that data is at constant risk across every information ecosystem.
Moreover, if a company is found mishandling or misusing personally identifiable information, or has not placed stringent security protections on that data, it will have failed to meet the standards set by both GDPR and PCI DSS. To reduce the workload of meeting such demands, PSPs can adopt a security strategy built around cross-regulatory compliance, where one set of controls satisfies both regimes.
Security that helps compliance
We often hear that compliance does not equal security, and this is true. However, the two can prove mutually beneficial if treated as a continuous process. In order to protect and secure data, one must first understand it. More often than not, data is on the move, and so security must move with it. If information sits statically in a database, then encryption can provide a degree of protection. However, if the encryption keys are not adequately protected themselves, it won’t be long before attackers get hold of them, decrypt and exfiltrate the information, causing a security nightmare.
Protection that follows the Data
Realistically, given the way PSPs operate, many have databases across various geographical locations linked to both on-premises and cloud infrastructure. A data-centric security approach is therefore ideal: it requires the business to prioritize both data security and regulatory compliance while at the same time reducing the overall risk of cyber threats across the entire security perimeter.
Initially, many sought solace in encryption technology without realizing that, on its own, it is an outdated data protection method unfit for the way modern businesses work. The reason is that the encryption algorithm itself is public; once a hacker has their hands on the encryption key, all they need to do is pair the right algorithm with that key and the protection is gone. Furthermore, encryption mainly protects sensitive information at rest, leaving it unguarded when the data is in use or in motion – a highly probable scenario in most organizations today.
This is where tokenization comes into play, as it can address the failings of encryption. With tokenization, the original data is replaced by a randomly generated placeholder value, the token. There is no algorithm for hackers to reverse engineer to recover the original information, because the token is not derived from it. It is widely accepted that hackers entering a system is now “a matter of when and not if.”
On this basis, if a hacker was successful and gained access to the tokenized data, it would still be protected, as the information would have no exploitable value. Tokenization therefore supports both GDPR compliance, as hackers will be unable to obtain actual details of EU citizens, and PCI compliance, as consumers’ financial details are left unreadable and secured.
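To make the contrast with encryption concrete, here is an added example (not code from the original article or from any vendor it might have in mind) of a minimal tokenization vault in Python. The vault is a hypothetical in-memory stand-in for the access-controlled service a PSP would run; the card number used in the usage note is a well-known test number, not real card data. It shows the three properties the text relies on: tokens are drawn from a cryptographic random source rather than computed from the card number, so there is nothing to reverse; the token keeps the last four digits so receipts and analytics still work; and the token is deliberately made to fail the Luhn check so it can never be mistaken for, or used as, a real card number. The one secret is the vault's mapping table, which is why the vault itself (and who may call detokenize) must be protected at least as carefully as an encryption key.

```python
import secrets
import string


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum used for card numbers (a plausibility check, not a security control)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical in-memory tokenization vault (constructed for this example).

    In production the vault is a separate, audited service with strict access control:
    the token <-> PAN mapping is the only secret, and no algorithm links the two.
    """

    # Assumed role names; which roles may see real card numbers is a policy decision.
    AUTHORIZED_ROLES = frozenset({"settlement", "chargeback"})

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Replace a card number with a random, format-preserving token."""
        digits = "".join(ch for ch in pan if ch.isdigit())
        if not 12 <= len(digits) <= 19 or not luhn_valid(digits):
            raise ValueError("not a plausible card number")
        # Same PAN -> same token, so analytics can join on the token without seeing the PAN.
        if digits in self._pan_to_token:
            return self._pan_to_token[digits]
        last_four = digits[-4:]
        while True:
            # secrets (a CSPRNG) rather than random: tokens must be unpredictable.
            body = "".join(secrets.choice(string.digits) for _ in range(len(digits) - 4))
            token = body + last_four
            # Reject Luhn-valid candidates so a leaked token can never pass as a real PAN,
            # and reject collisions with tokens already issued.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = digits
        self._pan_to_token[digits] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Recover the original PAN; only authorized roles may call this."""
        if caller_role not in self.AUTHORIZED_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        if token not in self._token_to_pan:
            raise KeyError("unknown token")
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111 1111 1111 1111"        # well-known test number, not a real card
    token = vault.tokenize(test_pan)
    print("token:", token, "luhn_valid:", luhn_valid(token))
    print("settlement sees:", vault.detokenize(token, caller_role="settlement"))
    try:
        vault.detokenize(token, caller_role="analytics")
    except PermissionError as exc:
        print("analytics blocked:", exc)
```

A stolen copy of the tokenized table yields nothing but digit strings that fail the card checksum; recovering the PANs requires the vault's mapping, which is exactly the asset the access check on detokenize is guarding.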
With GDPR and PCI DSS setting the data protection guidelines for many around the world, it is high time that boardroom executives seek out a data-centric approach to security whose sole focus is protecting the data in all its forms. With tokenization, PSPs can be confident not only that GDPR and PCI DSS compliance is being met, but also that the business’s security obligations are being carried out, while employees get on with their work unimpeded.