Protecting sensitive data has become a priority for many organizations, especially as they see the costs associated with a data breach. The payment card industry took a different strategy: building protection directly into the data itself from the moment the sensitive data is captured. It arrived at this methodology because it needed a more cost-effective way to protect card data and keep it protected at all times, and because many perimeter security methods and resource-intensive security mechanisms were failing. These are valuable lessons when it comes to protecting any form of sensitive data.
Here are the main lessons that the payment industry learned for protecting data:
- Sensitive data (card data) should be encrypted as soon as it is captured
- The protection of the data should be baked into the data itself (through proper key management and proper encryption algorithms)
- The data should remain encrypted until such time as the data is needed by an authorized party
- The data should be able to be stored anywhere and transported anywhere while remaining protected
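The four lessons above can be demonstrated in code. The example below is added here and is not OnData's code nor anything from the PCI P2PE standard: it protects a captured field with AES-GCM at the moment of capture, binds the ciphertext to its record context so it cannot be moved between records, lets the opaque value sit in any store or transport, and decrypts only for a principal on the constructed allow-list. The `Principal` type, the allow-list, the record context string and the sample account number are all assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Principal identifies who asks to see the data and from which device.
// Hypothetical type: the page only speaks of an "authorized party on an authorized device".
type Principal struct {
	User   string
	Device string
}

// authorized is a constructed allow-list standing in for a real policy and
// key-management service; only these principals ever reach the key.
var authorized = map[Principal]bool{
	{User: "settlement-service", Device: "hsm-backed-host-01"}: true,
}

// ProtectAtCapture encrypts a sensitive field the moment it is captured.
// The result is base64(nonce || AES-GCM ciphertext+tag). The record context
// (e.g. "customer/42/card") is bound as associated data, so a protected value
// cannot be silently copied into another record or column and still decrypt.
func ProtectAtCapture(key []byte, plaintext, context string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nil, nonce, []byte(plaintext), []byte(context))
	return base64.StdEncoding.EncodeToString(append(nonce, sealed...)), nil
}

// Reveal decrypts only for an authorized principal; anyone else is refused
// before the key is used. The blob may have been stored or transported
// anywhere in between; the GCM tag rejects tampering before plaintext is returned.
func Reveal(key []byte, blob, context string, who Principal) (string, error) {
	if !authorized[who] {
		return "", errors.New("not authorized to view this field")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("protected value too short")
	}
	plain, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(context))
	if err != nil {
		return "", errors.New("protected value failed integrity check")
	}
	return string(plain), nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key := make([]byte, 32) // in practice the key lives in an HSM/KMS, never beside the data
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	const ctx = "customer/42/card" // constructed sample record path
	blob, err := ProtectAtCapture(key, "4111111111111111", ctx) // constructed sample value
	if err != nil {
		panic(err)
	}
	fmt.Println("stored/transported form:", blob)
	_, err = Reveal(key, blob, ctx, Principal{User: "analyst", Device: "laptop"})
	fmt.Println("unauthorized principal:", err)
	ok := Principal{User: "settlement-service", Device: "hsm-backed-host-01"}
	_, err = Reveal(key, blob, "customer/99/card", ok)
	fmt.Println("moved to another record:", err)
	v, _ := Reveal(key, blob, ctx, ok)
	fmt.Println("authorized:", v)
}
```

Note the division of responsibility: the capture side needs only the key and the record context, while every intermediate system (database, file share, message queue) handles an opaque string it cannot read or alter undetected. Authorization is decided before the key is touched, which is what keeps the decryption point small enough to audit.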
The remainder of this article gives some history on how these lessons were introduced into the payment industry's PCI Point-to-Point Encryption (P2PE) security standard, and how they can be implemented for all sensitive data stored on-premises or in the cloud, inside databases or files.
Before the introduction of EMV chip payment cards, most of the world performed card transactions using data encoded onto a magnetic stripe on the back of the card. EMV introduced a new way to store data on cards using a small computer chip. This improved security, but only by stopping the easy reproduction of cards; it did not protect the data itself.
As malicious actors moved their focus from producing counterfeit cards to harvesting card data, their methods shifted to sniffing network packets, tapping the data lines of connectors, swapping in replacement devices fitted with Bluetooth for data extraction, and other ways of harvesting the data. To address this, the card brands created a security standard that merchants had to abide by: the Payment Card Industry Data Security Standard (PCI-DSS). It focused on perimeter security and on methods for inspecting devices and controlling chain of custody. However, malicious actors continued to find gaps in these measures, and implementing PCI-DSS was difficult during periods of staff turnover or when the right resources were not available.
Finally, the payment industry decided that the right way to make sure the data could not be harvested was to encrypt it as soon as it was presented to the device. This kept the footprint of what needed to be managed very small, because it was all built into the card reader. This was the basis in the card payments industry for the idea of end-to-end encryption, and it later led to the Point-to-Point Encryption standard (now PCI-P2PE), which provided the best way to protect data. It was so thorough and effective that the PCI organization loosened the PCI-DSS requirements for merchants who completed a P2PE certification. The approach protects the data at the very point it is read, and the data is then decrypted only by the endpoint that was meant to see it. This technology is being rolled out across the world in the payment card industry to provide better protection and keep payment costs lower.
This technology was the genesis of OnData's methodology for protecting all kinds of sensitive data in databases and files, beyond card data. The OnData solution proactively protects the sensitive data, leaves it encrypted at all times, and ONLY decrypts it when an authorized person on an authorized device should see it. With a simple cloud application and a local client/driver installation, you can rest assured that your sensitive data is protected at all times, no matter where it is stored or how it is transported. This platform was developed by taking the lessons learned in the payment industry and applying them to the way ALL SENSITIVE DATA should be protected.
OnData's solution takes these lessons and applies them to all your sensitive data:
- Protects data when it is created (or as soon as you would like to protect it)
- Bakes the protection into the data itself
- Does not decrypt the data until it is needed by an authorized party on an authorized device
- Protects the data at all times, no matter where it is stored and no matter where or how it is transported
Just as PCI-P2PE reduces the protections required by PCI-DSS because the card data is always protected, OnData reduces the complexity of data protection and helps cut the cost of siloed security controls when the sensitive data is strongly protected by OnData at all times.