by PCI Booking – October 28, 2021
Our lives are interwoven with the digital world, and our personal data footprint helps us to navigate websites, pay for services and products, create online accounts, and so on. It would be a rare individual who does not have a data footprint. Every website we use, every cloud app we access, every time we pay for something or apply for an online loan, we leave behind a trail of data breadcrumbs. These footprints form part of our digital lives: who we are, where we visit on the web, what we like, our contacts, and so on. Together they form a pathway along the road of our online life.
But this footprint comes at a cost. Data is valuable to anyone who can make use of it: retailers, banks, our customers, and… cybercriminals.
To create and maintain good customer experiences, a retailer often requires that an individual creates an account at their website alongside making purchases. The account helps to streamline future purchases and helps to build a relationship with the vendor. To create the account the retailer collects personal data, typically name and address, sometimes date of birth; financial data may also be collected and sometimes stored. This collection of personal data may be a basis for good customer relations, but it also creates a perfect honeypot for cybercriminals.
If you go to a site called “HaveIBeenPwned” and enter an email address or phone number, you can see if this email or number has been stolen in a data breach. Chances are, any given email address will be up for sale, alongside other personal data, on a dark web marketplace. Data breaches are the stuff that makes the world of cybercrime work. Cybercriminals target data using a variety of mechanisms, such as phishing, ransomware, and account takeover. This targeting is successful, with 37 billion data records stolen in 2020, an increase of 141% over 2019. Digital fraud is driven by identity data. In 2020, identity fraud caused US consumers over $48 billion in losses.
Cybercrime feeds off data, but a modern business needs data to keep its web services running smoothly and to offer a great customer experience. How can the average retailer square this circle and reduce the data footprint needed to operate well?
Industry attempts to address this situation using a variety of security measures. However, one of the best ways to increase data security is to reduce the data footprint.
Digital data, of the sort that forms a data footprint, is held within disparate apps and devices, in email clients, and on web servers. Data is often stored in relational or non-relational databases. This complex web of data layers and storage types makes securing these data difficult. Lack of visibility into where data lives is one reason the most appropriate security controls are simply never applied to it. This disparate and uncoordinated collection of data also causes headaches when meeting the stringent requirements of privacy and security regulations such as the EU’s GDPR, the UK’s DPA2018, and various U.S. regulations such as the CCPA (California Consumer Privacy Act).
By applying some rules based on the principles of Data Privacy by Design and Default (DPbDD), an organization can ensure secure storage of any data they must collect.
The principles of Data Privacy by Design and Default (DPbDD) are used to minimize the data footprint needed by a retailer to maintain security and privacy, whilst continuing to offer an exceptional customer experience. Certain key tenets can be applied to ensure that any system or service is designed with privacy and security in mind.
The design of systems and services must be a privacy-first approach to ensure that regulations are adhered to, and that data is secured:
When designing a consumer-facing system, keep in mind the ‘minimal data set’ needed to operate. If you don’t need the data, don’t ask for it. Extra bits of data mean extra storage needs and extra security considerations. Minimizing the data you collect comes down to taking only the information you absolutely need to process a transaction. For example, if you don’t need to know the marital status of an individual, don’t ask for an honorific (e.g., Mrs.). If you need to know whether a customer is over 21 for an age-restricted product, ask for proof that they are over or under that age rather than for a date of birth.
When personal or sensitive data is pseudonymized, software replaces the identifying data with a pseudonym. Regulations such as the GDPR mention pseudonymization as an accepted method of protecting personal data. There are a variety of pseudonymization techniques, some more heavyweight than others. ENISA suggests a ‘risk-based’ approach to applying pseudonymization when protecting personal data, stating that companies should “consider the implementation of pseudonymization following a risk-based approach, taking into account the purpose and overall context of the personal data processing, as well as the utility and scalability levels they wish to achieve.”
However, pseudonymization can be a complicated and process-heavy option to protect data: an alternative is data tokenization.
A viable alternative to pseudonymization for enhancing data privacy and adding further layers of protection is data tokenization. Once you have determined the minimal data set needed to operate, you should then look at how to protect that data and where to store it. Tokenization is a data-centric security approach that takes personal and financial data and replaces it with a software token made up of unique symbols that carries no usable information on its own. A data tokenization system is designed to allow secure access to the original data by legitimate persons, whilst ensuring that cybercriminals who obtain the tokens gain nothing.
Even a minimal data set needs access control; a tokenized approach to data security protects consumers’ data footprints. By then building tokenization into a Zero Trust platform, that is based on robust authentication and verification of a user to access secure storage, a service creates a highly secure system.
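The three controls discussed above (collecting only the minimal data set, pseudonymizing identifiers, and tokenizing card data behind a role check) as one worked pipeline. This is an added example, not PCI Booking's code; the key, the vault class, the role name and the sample form are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Constructed demo key: in a real deployment this lives in a KMS/HSM, not in code.
PSEUDONYM_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed sample checkout form: note it carries more than we need to keep.
SAMPLE_FORM = {"title": "Mrs.", "email": "alice@example.com",
               "date_of_birth": "2000-05-04", "card_number": "4111111111111111"}

def minimize(form: dict, today: date) -> dict:
    """Data minimization: keep only what the order needs. The honorific is
    dropped and the date of birth is reduced to an over-21 flag."""
    dob = date.fromisoformat(form["date_of_birth"])
    had_birthday = (today.month, today.day) >= (dob.month, dob.day)
    age = today.year - dob.year - (0 if had_birthday else 1)
    return {"email": form["email"], "card_number": form["card_number"], "over_21": age >= 21}

def pseudonymize(value: str) -> str:
    """Keyed pseudonym (HMAC-SHA256): deterministic, so one customer links across
    records, but it cannot be reversed or recomputed without PSEUDONYM_KEY."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()

class TokenVault:
    """Tokenization: the real value is swapped for a random surrogate with no
    mathematical relation to it. The mapping lives only here, standing in for a
    separately secured store; stealing the token table alone reveals nothing."""
    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = secrets.token_hex(8) + pan[-4:]   # random prefix, last four kept for display
        self._store[token] = pan
        return token

    def detokenize(self, token: str, role: str) -> str:
        # Zero Trust style check: only the (hypothetical) payment-processor role may see the PAN
        if role != "payment-processor":
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._store[token]

def reduce_footprint(form: dict, vault: TokenVault, today: date) -> dict:
    """Minimize, then pseudonymize the identifier and tokenize the card number."""
    record = minimize(form, today)
    record["email"] = pseudonymize(record["email"])
    record["card_token"] = vault.tokenize(record.pop("card_number"))
    return record
```

Only the stored record (pseudonym, token, boolean flag) remains in the retailer's own database; the original PAN is recoverable solely through the vault's role check.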
Cutting back on data is a little like giving up anything: it can be hard to do at first, but with a helping hand it can be achieved. In the case of data, minimizing your data intake is the first step to reducing a data footprint. But some personal data will always be needed for a retailer to operate effectively. The key to keeping these data out of the hands of cybercriminals is a three-part approach: only collect what you need, tokenize any data you do collect, and outsource these data to secure storage.
Remove the complexities. We help you reduce your data footprint, allowing you to scale faster and easily expand to new markets, keeping you one step ahead of your competition.