The rise of the data economy has meant that the most personal consumer information, including passport numbers, driver's license numbers, and dates of birth, is routinely entered alongside online payments.
Cybercriminals are experts in monitoring consumer data – and data leaks and cybercrimes continue to increase. In 2017, data compromises hit an all-time high, exposing 2.3 billion data files on the internet that contained business IT system access credentials, customer passport data, bank records and medical information. Fast forward to 2022, when the Identity Theft Resource Center (ITRC) reveals that data leaks and cybercrimes associated with actions on the dark web have increased 23% over 2017’s record year.
While a credit card number can fetch $120 on the Dark Web, full medical records can garner $1,000. And once in a fraudster’s hands, the uses of personal data are endless, from identity theft to insurance scams to fraudulent loans and mortgages.
While tokenization has been around for over 20 years and was primarily designed to secure credit and debit cards, it has become an even more important technology as companies look to meet data privacy regulations and “mask” sensitive personal, financial and healthcare data.
In this two-part blog series, we first explored how tokenization applies to cardholder data (CHD) and Payment Card Industry (PCI) compliance. The second part of our blog details how tokenization applies to non-payment data, including Personally Identifiable Information (PII) and Protected Health Information (PHI), and helps to meet data privacy regulations.
Data privacy regulations – GDPR and CCPA
Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two of the most well-known data privacy regulations. Enacted in 2018, GDPR’s goal is to protect the data and privacy of EU citizens. Under GDPR, businesses whose processes handle personal data must implement proper safeguards to protect that data (for example, using pseudonymization or full encryption where appropriate) and must use the highest possible privacy settings by default, so that datasets are not publicly available without explicit, informed consent and cannot be used to identify a subject without additional information (which must be stored separately). If businesses are not compliant and consumer data is exposed, they face steep fines.
GDPR was the first of the major privacy and protection laws to truly impact how companies globally collect, store, and protect consumer data, while also addressing the transfer of consumer data to businesses located outside of the EU.
Also introduced in 2018, the goal of the CCPA is to enhance consumer privacy rights and consumer data protection for California residents, and it is considered to be one of the most expansive sets of state privacy laws in the U.S. Among its many stipulations, CCPA states that consumers have the right to opt out of personal data sharing, the right to “remain anonymous,” the right to have their personal data protected from theft, and the right to know how their personal data is being used.
The U.S. does not yet have nationwide data privacy regulations in place, though they are on the horizon with the American Data Privacy and Protection Act, currently draft legislation.
“We now have five states – California, Connecticut, Colorado, Utah, and Virginia – that have enacted a comprehensive privacy law. There is mounting concern from key stakeholders of the impact that this ‘patchwork’ of laws will have on consumers and businesses. At the same time, without a federal privacy law the United States is being left out of the conversation at a global level as Europe and China seek to lead the world in defining the privacy protection framework.” Lucy Porter, Brittney E. Justice, The National Law Review.
What information is defined as “sensitive” or “personal”?
Both GDPR and CCPA define personal information as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household including, but not limited to:
- A real name or alias, signature, or physical characteristics or description
- Postal address or telephone number
- Unique personal identifier, account name, online identifier, Internet Protocol address, or email address
- Education and employment, including employment history
- Social security number, driver’s license number, state identification card number, passport number, or other similar identifiers
- Medical information or health insurance information
- Bank account number, credit/debit card number or any other financial information
It is important to note that GDPR maintains a much broader definition of “personal information,” which can even include attributes such as mental, cultural, or social identity. But the core differences between GDPR and CCPA involve the scope of the laws and the jurisdictional reach of both.
How does tokenization relate to PHI and PII protection?
As discussed in our previous blog, tokenization is the process of removing sensitive information from your internal system — where it’s vulnerable to hackers — and replacing it with a one-of-a-kind token that is unreadable. The token is usually a random sequence of numbers and symbols; tokenization masks valuable card data, PII, PHI and banking information, rendering the sensitive data useless even if hackers manage to breach your system.
While data privacy regulations do not mandate the type of technology adopted to secure data, they both discuss pseudonymization and encryption as relevant data security measures.
- Pseudonymization encodes personal data with artificial identifiers such as a random alias or code. While pseudonymization is a “false” anonymization because the data can be linked back to a person, the personal identifiers are stored outside of the company’s system or network. These personal identifiers would be required to re-identify the data subject, thus making it a secure practice. Tokenization is an advanced form of pseudonymization.
- Encryption renders data unintelligible to those who are not authorized to access it. Data encryption translates data into another form, or code, so that only those with access to the decryption key can read it.
One reason for tokens’ increasing use for sensitive, personal information is that they are versatile – they can be engineered to preserve the length and format of the data that was tokenized. Tokens can also be generated to preserve specific parts of the original data values; by adapting to the formats of conventional databases and applications, tokens can eliminate the need to change the database schema or business processes. Organizations can treat tokens as if they were the actual data strings.
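As an added illustration of the points above (this is constructed example code, not Bluefin's or ShieldConex's implementation), the vault-based tokenizer below preserves the length and character pattern of a value, keeps a chosen suffix such as the last four digits of an SSN, stores the token-to-value mapping apart from the application, and only releases clear text to an authorized role; the role names and the in-memory vault are assumptions made for the example.

```python
import re
import secrets
import string

# Constructed example: a vault-based, format-preserving tokenizer. The application
# database keeps only tokens; the vault (token -> original) is the separately stored
# "additional information" that pseudonymization depends on. Not Bluefin's code.
DIGITS, LOWER, UPPER = string.digits, string.ascii_lowercase, string.ascii_uppercase

def _random_same_class(ch):
    """Swap one character for a random one of the same class; keep punctuation."""
    for alphabet in (DIGITS, LOWER, UPPER):
        if ch in alphabet:
            return secrets.choice(alphabet)
    return ch  # hyphens, spaces, '@' stay put so the layout is preserved

class TokenVault:
    def __init__(self, authorized_roles=("fraud_review",)):
        self._vault = {}   # token -> original value, kept outside the app's database
        self._index = {}   # original -> token, so the same input maps to one token
        self._authorized = set(authorized_roles)

    def tokenize(self, value, keep_last=0):
        """Return a token of the same length and format, keeping the last keep_last chars."""
        if keep_last >= len(value):
            raise ValueError("keep_last must leave at least one character to replace")
        if value in self._index:
            return self._index[value]
        split = len(value) - keep_last
        for _ in range(64):  # retry on the rare collision or identity result
            token = "".join(_random_same_class(c) for c in value[:split]) + value[split:]
            if token != value and token not in self._vault:
                self._vault[token] = value
                self._index[value] = token
                return token
        raise RuntimeError("token space exhausted for this format")

    def detokenize(self, token, role):
        """Only an authorized role recovers clear text; everyone else works with the token."""
        if role not in self._authorized:
            raise PermissionError(f"role {role!r} may not de-tokenize")
        return self._vault[token]

def same_format(original, token):
    """True when token keeps original's length and digit/letter/punctuation pattern."""
    pattern = "".join(r"\d" if c in DIGITS else "[A-Za-z]" if c in LOWER + UPPER
                      else re.escape(c) for c in original)
    return re.fullmatch(pattern, token) is not None
```

Because the token keeps the original layout, an existing `XXX-XX-XXXX` column or a "last four digits" display works unchanged, while the vault is the only place the clear value can be recovered.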
What are the benefits of tokenization for data privacy?
By employing tokenization as part of their data security program, businesses can achieve a number of benefits:
- Secures Data. Tokenization solutions have expanded beyond their original use in securing credit card information. They are now used in any industry that handles sensitive data, protecting social security numbers, birthdates, passport numbers, and account numbers – with clear-text values accessed only when absolutely necessary.
- No Storage Requirements. Tokenization systems remove sensitive data from a business system, replacing it with an undecipherable token. The original data is then stored, processed and transmitted in a secure cloud environment—separated from the business systems.
- Cloud-based tokenization. Vaultless tokenization solutions have made the implementation of tokens more accessible than ever before. A streamlined process maintains the highest levels of security while offering a seamless solution managed in the cloud.
- Meet Compliance and Regulations. Using tokenization, companies significantly reduce the amount of sensitive data they store internally, translating into a smaller data footprint, fewer compliance requirements and faster audits.
How do I select a payment tokenization solution?
Many providers offer tokenization for payment security, but one of the biggest considerations is the type of system – vaulted or vaultless. Vaultless tokenization systems are capable of handling large amounts of data and do it at a faster pace – in other words, the system is much more scalable with reduced latency. These systems are also generally considered to be more secure than their vaulted counterparts.
Bluefin’s ShieldConex® offers a vaultless, cloud-based approach to tokenization, returning the tokenized data to the client for storage. With no limit to the amount of data that can be tokenized, ShieldConex secures all CHD while also providing tokenization for PII, PHI, and ACH account data entered online.
ShieldConex does not store any of the original data – it is always tokenized and returned to the client, mitigating any data sovereignty issues. Additionally, there is no vault to cause performance issues, and de-tokenization requests are returned instantaneously to the client.