Merchants have long known the importance of payment data protection, and daily reports of data breaches continue to remind them. For 2024 alone, IBM’s Cost of a Data Breach report found:
- Average cost of a data breach: $4.88 million, the highest ever recorded
- Average time to identify: 194 days
- Average time to contain: 292 days
- Ransomware: Roughly one-third of all breaches involve extortion techniques like ransomware
Despite this awareness, data breaches remain a constant threat. Statista reported 6.06 billion attacks globally in 2023, with 3,200 data breaches reported in the U.S. – up from just 447 in 2012. As fraud continues to evolve, how can merchants protect themselves and their customers from the threat of a breach?
This question was top-of-mind for merchants attending the MAG Payment Conference last week. Throughout the aisles of the conference as well as in the educational sessions, the term PII was often heard when discussing data protection. PII data – customer information such as a social security number, full name, email address or phone number – is increasingly gathered and stored by merchants to gain insights into consumer behavior, preferences and shopping patterns. Customers readily give out their information to sign up for services, loyalty programs and online shopping platforms. The sheer amount of PII accumulated by organizations is vast – and valuable to hackers.
Hackers steal PII to commit identity theft, sell it on the black market, or hold it captive via ransomware. IBM discovered that when ransomware was involved, the average cost of a data breach was higher, coming in at $5.13 million per breach.
Merchants must navigate a complex IT and legal landscape to maintain data privacy in the face of these attacks, and securing PII is part of that. Bluefin, a pioneer in safeguarding sensitive data and a MAG member and exhibitor, weighed in on the importance of PII protection, citing tokenization as a key strategy.
“One of the leaders from Visa was speaking at a previous conference and talked about how 80% of sensitive data is standing un-tokenized and is in danger of a breach and being exposed. Every single merchant – with the amount of PII data being stored – should be taking into consideration the proliferation of massive data breaches that we see almost daily.” – Sean Gately, VP Security Solutions, Bluefin
To show that breaches can affect any consumer or merchant, Gately noted that he had recently received breach notifications from three large retailers that his personal data was exposed. He emphasized that merchants must consider the best strategy to protect their customers’ data, as damage to their brand, decreased customer loyalty, monetary fines and lawsuits are only going to grow.
Gately explains the two methods retailers use to thwart cyber-attacks.
“There are basically two ways that retailers can address evolving cyber threats. You can defend the data by building expensive systems to prevent hackers from breaching your network. Or you can devalue the data, leveraging encryption and vaultless tokenization technologies that render data useless to hackers when the inevitable data breach occurs.” – Gately
Tokenization – Devaluing the Data
PCI DSS requires that cardholder data be protected, and tokenization is one way to meet that requirement. The two types of tokenization – vaulted and vaultless – both replace sensitive data with non-sensitive substitutes, but they differ in important ways. Gately breaks it down.
“Vaulted and vaultless tokenization are very dissimilar from each other. The standard, traditional tokenization platform is otherwise known as vaulted. That means that all the information is basically held by whoever your token service provider is, and they are in possession of that data. As you get more and more data coming in, you have to create more space for hardware, hard drives, as well as memory space, which increases costs exponentially and slows down the ability to access all of that data. So, if you are a large enterprise merchant and you have millions and millions of data points on your customers, it is going to create latency in regard to you accessing that data in those tokens.
To overcome the disadvantages of vaulted tokenization, vaultless tokenization comes into play.
The advantages of a vaultless token are that all of your data is going to be completely encrypted – you maintain all of the data on your servers – but the ability to access that data is exponentially increased from a speed perspective because it is being held in a vaultless perspective, and it is more secure. So, if you are a merchant and you are subject to a data breach or even ransomware, what are they going to ransom? All data is completely encrypted from a hardware perspective and therefore useless for those people who are trying to steal it from you.” – Gately
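To make the distinction concrete, the following Python sketch is added here as an illustration; it is not Bluefin’s code, not ShieldConex, and not the NIST FF1 algorithm. It puts a vaulted tokenizer next to a vaultless one. The vaulted version hands out random tokens and keeps the token-to-value mapping in a lookup table, so its storage grows with every record and a copy of that table is exactly what a breach of the vault would expose. The vaultless version derives a format-preserving token from the value with a key, stores nothing, and can only be reversed by a holder of that key. The HMAC-SHA256 Feistel construction, the `compare` helper and the test PAN 4111111111111111 are all constructed for this example.

```python
import hashlib
import hmac
import secrets


class VaultedTokenizer:
    """Traditional (vaulted) tokenization: the token is random and carries no
    information about the original value; a lookup table (the vault) maps each
    token back to the sensitive value.  The vault grows with every new value
    and is the asset an attacker goes after."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value: str) -> str:
        if value in self._value_to_token:      # same input, same token
            return self._value_to_token[value]
        token = secrets.token_hex(8)           # random, unrelated to the input
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]     # requires access to the vault

    def vault_size(self) -> int:
        return len(self._token_to_value)       # what a vault breach would expose


class VaultlessTokenizer:
    """Vaultless tokenization sketch: a keyed, reversible, format-preserving
    transformation over decimal digit strings.  Nothing is stored; the key is
    the only thing needed to detokenize.  Simplified HMAC-based Feistel network
    written for this example, NOT NIST FF1 and not any vendor's product."""

    ROUNDS = 10

    def __init__(self, key: bytes):
        self._key = key

    def _round(self, rnd: int, other_half: str) -> int:
        # Pseudo-random function of (key, round number, the untouched half).
        msg = bytes([rnd]) + other_half.encode()
        return int.from_bytes(hmac.new(self._key, msg, hashlib.sha256).digest(), "big")

    @staticmethod
    def _split(digits: str):
        if len(digits) < 2 or not digits.isdigit():
            raise ValueError("expected a string of at least two decimal digits")
        u = len(digits) // 2
        return u, len(digits) - u, int(digits[:u]), int(digits[u:])

    def tokenize(self, digits: str) -> str:
        u, v, a, b = self._split(digits)
        for rnd in range(self.ROUNDS):
            if rnd % 2 == 0:   # even rounds: update left half from the right
                a = (a + self._round(rnd, f"{b:0{v}d}")) % 10 ** u
            else:              # odd rounds: update right half from the left
                b = (b + self._round(rnd, f"{a:0{u}d}")) % 10 ** v
        return f"{a:0{u}d}{b:0{v}d}"

    def detokenize(self, token: str) -> str:
        u, v, a, b = self._split(token)
        for rnd in reversed(range(self.ROUNDS)):   # undo the rounds in reverse
            if rnd % 2 == 0:
                a = (a - self._round(rnd, f"{b:0{v}d}")) % 10 ** u
            else:
                b = (b - self._round(rnd, f"{a:0{u}d}")) % 10 ** v
        return f"{a:0{u}d}{b:0{v}d}"


def compare(pan: str, key: bytes) -> dict:
    """Run both schemes over one constructed PAN and summarise the difference."""
    vaulted, vaultless = VaultedTokenizer(), VaultlessTokenizer(key)
    vt, vl = vaulted.tokenize(pan), vaultless.tokenize(pan)
    return {
        "vaulted_token": vt,
        "vaulted_roundtrip": vaulted.detokenize(vt) == pan,
        "vault_records": vaulted.vault_size(),
        "vaultless_token": vl,
        "vaultless_roundtrip": vaultless.detokenize(vl) == pan,
        # A thief with the tokens but the wrong key gets digits, not the PAN.
        "wrong_key_recovers": VaultlessTokenizer(b"other-key").detokenize(vl) == pan,
    }


if __name__ == "__main__":
    # Constructed sample: the well-known test PAN, not a real card number.
    print(compare("4111111111111111", b"constructed-demo-key"))
```

The trade-off the code makes visible: with the vaulted scheme the protected asset is a growing table that must be stored, replicated and backed up; with the vaultless scheme the protected asset shrinks to a single key, so key management (a hardware security module, rotation, access logging) becomes the control that matters.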
Avoiding Long-Term Multi-Processor Payment Lock-in
Bluefin specializes in payment and data security solutions for the retail sector. Its offerings include a PCI-validated point-to-point encryption (P2PE) solution for the protection of point-of-sale cardholder data and ShieldConex®, a vaultless tokenization platform for the online protection of PII and financial data. Combined, P2PE and ShieldConex provide a holistic solution for retail payment and data security – devaluing all data in the event of a breach.
For those large merchants using multi-payment processors, Bluefin’s ShieldConex Security Proxy Service delivers true payment processor independence while delivering significant PCI scope reduction for retail locations, card-not-present transactions, and corporate networks.
Choosing Bluefin for tokenization offers merchants:
- PII and payment data protection plus the freedom to switch payment partners at will
- Vaultless tokenization, which means you own your own data
- 120+ validated P2PE devices and 27 Key Injection Facilities – that’s 10x more than our competitors
Contact Bluefin to learn more about our vaultless tokenization solutions and devalue your data today.