The Green Sheet recently sat down with Brent Johnson, Bluefin’s CISO, to discuss the importance of PCI-certified point-to-point encryption (P2PE) and tokenization and the role these technologies play in data protection.
The discussion focuses on “devaluing the data” – the process of rendering payment and sensitive data useless in the event of a data breach – which can be used during data transmission and storage via encryption and tokenization.
Johnson recommends a security strategy that includes using “P2PE as-a-service” for data tokenization, minimizing data usage and flows, and employing both encryption and tokenization for comprehensive protection. Additionally, employee training is crucial, especially when using tokenized data, to ensure employees understand the difference between original and tokenized data.
Johnson’s take also emphasizes that businesses should find a tokenization solution that can scale with their business and offer the proper balance between ease of use and meeting business needs. However, there are some common mistakes organizations make when implementing advanced tokenization and P2PE technologies.
One mistake is confusing PCI’s validated P2PE solution with less secure end-to-end encryption (E2EE). P2PE has specific requirements and controls that must be met, including third-party security audits and device validation, whereas E2EE has no such requirements.
Another common mistake when implementing P2PE is not understanding the basics of tokenization and what type of tokenization solution is best for your business. Organizations should look for a solution provider that offers flexibility of token type and ease of use.
The article also discusses emerging trends in cyberattacks and how companies can protect their environments, employees, partners, and customers against them.
“Clearly, the last few years have seen a significant uptick in ransomware attacks, which is now a multi-billion-dollar-a-year industry and likely not going anywhere for the foreseeable future. Sensitive data should always be encrypted or tokenized at rest to prevent data exposure from these types of attacks, and organizations must implement an effective backup strategy, preferably offline, to mitigate the effectiveness of this type of attack,” says Johnson.
Cloud security is another growing concern, and a zero-trust framework can help mitigate risks in cloud environments. Supply chain attacks targeting third-party software and systems pose a significant threat, and organizations should perform due diligence on software providers and have robust incident response plans.
Training employees to recognize and respond to phishing attacks is also crucial in preventing data breaches.
“It’s important to remember that phishing is one of the top causes of data breaches. According to Verizon’s breach report, 82 percent of all data breaches involve human interaction. Employees should be reminded frequently of things to look out for and appropriate measures to take when anything out of the ordinary occurs.” (Johnson)
Bluefin offers a PCI-certified point-to-point encryption (P2PE) solution to protect cardholder data during transmission from the moment a card is used at a payment terminal until it is decrypted at Bluefin.
Read The Green Sheet’s recap of Johnson’s interview here.