Continuous PCI and GDPR Compliance With Data-Centric Security describes how to develop a data security environment that is GDPR and/or PCI DSS compliant by utilizing tokenisation to pseudonymize sensitive data. Contact: Sales@tokenex.com
Continuous PCI and GDPR Compliance With Data-Centric Security
1. PCI London
24 January 2019
John Noltensmeyer
ISA, CISSP, CIPP/E/US
Privacy & Compliance Solutions
TokenEx
jnoltensmeyer@tokenex.com
2. INTRODUCTION
Continuous PCI and GDPR Compliance
With Data-Centric Security
3. SETTING THE STAGE
Compliance Climate
Compliance Challenges
Data-Centric Strategies
Data Protection Technologies
Tokenisation Versus Encryption
Pseudonymisation Defined
Continuous Compliance
5. COMPLIANCE CHALLENGES
Rationalizing Data Protection Requirements
6. DATA-CENTRIC STRATEGY
• Focusing on traditional perimeter strategies for data security only works if every perimeter control performs correctly 100% of the time; a single failure exposes all of the data behind it.
• Focus on the data first.
• A data-centric strategy consists of multiple components:
  • Minimisation – you don’t have to protect what you don’t collect or store
  • Deidentification (pseudonymisation) or devaluation
  • Encryption
[Diagram: layers of control around the data, labelled DATA, APPLICATION, ENDPOINT, NETWORK, PERIMETER]
7. DATA PROTECTION TECHNOLOGIES
[Chart: data protection technologies plotted on a data-utility axis (max utility to min utility) against a data-protection axis (min protection to max protection). Techniques shown: Minimisation, Devaluation/Pseudonymisation, Data Hashing/Masking, Encryption]
8. TOKENISATION
Tokenisation, replacing a sensitive data element such as a credit card PAN with a non-sensitive surrogate (a token) that cannot be reversed without access to the token vault, is a common approach to devaluing cardholder data.
Tokenisation Reduces PCI Scope
• Tokens are not cardholder data, so systems that store and process only tokens can be taken out of PCI DSS scope; the token vault and any detokenisation path remain in scope
• Network segmentation can be difficult and expensive; removing the PAN from a system takes it out of scope without re-architecting the network
• Increases the likelihood of maintaining PCI compliance between annual assessments, because there is no PAN left in the business systems to drift out of compliance
Tokens Are Flexible
• Length/format preserving, so existing fields, validations and reports keep working
• No cryptographic key management in the systems that hold only tokens, unlike encryption
• Enables business as usual processes
Tokenisation Does Not
• Take you completely out of PCI DSS scope (the points where card data is accepted, and the vault, stay in scope)
• Make you less responsible for your data
• Help with data availability
• Stop network breaches
9. ENCRYPTION VS. TOKENISATION
What is the difference?
• Encryption - A data security measure that transforms the original data with a mathematical algorithm and a key; the ciphertext is derived from the plaintext by a fixed rule, so anyone holding the key can reverse it
• Tokenisation - A data security measure that replaces the original data with a randomly generated value; the token has no mathematical relationship to the original, and the only way back is a lookup in the token vault
Encryption alone is not a full solution
• With encryption, the sensitive data (in encrypted form) remains in business systems, together with the keys needed to decrypt it. With tokenisation, sensitive data is removed completely from business systems and securely vaulted.
Tokens are versatile
• Format-preserving tokens can be utilised where masked CC information or masked PII is required, for example a token that keeps the last four digits of the PAN for display and lookup
10. PSEUDONYMISATION
Pseudonymisation Under the GDPR
Within the text of the GDPR, there are multiple references to pseudonymisation as an appropriate mechanism for protecting personal data.
Pseudonymisation, replacing identifying or sensitive data with pseudonyms, is exactly what tokenisation does when it replaces identifying or sensitive data with tokens: the token is the pseudonym, and the token vault is the “additional information” that Article 4(5) requires to be kept separately. Tokenisation is one way to pseudonymise; keyed encryption with separately held keys is another.
Article 4 – Definitions
• (1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); …such as a name, an identification number, location data, an online identifier…
• (5) ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately…
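The following Python example is added here to make the relationship concrete: the token is the pseudonym, the vault is the separately kept additional information of Article 4(5), and the merchant systems on the far side of the vault hold only tokens (the scope and encryption-versus-tokenisation points of the preceding slides). It is an illustration written for this page, not code from the presentation or from TokenEx. The in-memory dict stands in for a segregated vault service, the PAN is a constructed test number, and the token format (numeric, same length, last four digits kept, chosen to fail the Luhn check so it can never be a valid card number) is an assumption, not a statement about any vendor’s token format.

```python
"""Toy format-preserving token vault: an added illustration, not TokenEx code.

Assumptions (not from the presentation): tokens are numeric, keep the PAN's
length and last four digits, and are chosen so they fail the Luhn check, so
a token can never collide with or be mistaken for a real card number.  The
dict-based vault stands in for a segregated vault service; it plays the role
of the "additional information kept separately" of GDPR Article 4(5) and is
the only component here that ever holds a PAN.
"""
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check digit validation used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps PANs to random surrogate tokens and back.  This is the in-scope component."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return the token for `pan`, minting a fresh random one on first sight."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]   # same PAN -> same token, so matching still works
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]          # format preserving, last four kept for display
            # Reject candidates already issued and candidates that pass Luhn,
            # so no token is a valid PAN (assumed token-format rule).
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only callers with vault access (e.g. the payment gateway path) can do this."""
        return self._token_to_pan[token]

    def contains(self, token: str) -> bool:
        return token in self._token_to_pan

    def erase(self, pan: str) -> None:
        """Drop the mapping; tokens already stored elsewhere become unlinkable."""
        token = self._pan_to_token.pop(pan)
        del self._token_to_pan[token]


def checkout_flow(vault: TokenVault, pan: str) -> dict:
    """What a merchant order system keeps after tokenising at the acceptance point."""
    token = vault.tokenize(pan)
    return {"order_id": 1001, "card": token, "display": "**** " + token[-4:]}


def run_demo() -> dict:
    """Walk one PAN through tokenise, match, detokenise and erase; return the outcomes."""
    vault = TokenVault()
    pan = "4111111111111111"                 # constructed, Luhn-valid test number
    record = checkout_flow(vault, pan)
    results = {
        "token": record["card"],
        "display": record["display"],
        "consistent": vault.tokenize(pan) == record["card"],
        "recovered": vault.detokenize(record["card"]) == pan,
    }
    vault.erase(pan)                         # vault entry gone: token can no longer be attributed
    results["unlinkable_after_erase"] = not vault.contains(record["card"])
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two properties of the design are worth noticing. Because the token carries no information about the PAN beyond the retained last four digits, a system that stores only the order record learns nothing from it that the masked display does not already show, which is the basis for taking that system out of scope. And because the vault is the only link, deleting the vault entry is the operation that turns every copy of the token elsewhere into data that can no longer be attributed to the cardholder.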
11. PSEUDONYMISATION
Using Tokenisation for Pseudonymisation
12. PSEUDONYMISATION
GDPR Article / How Tokenisation Can Help
Article 6 – Lawfulness of processing
6(4)(e) – “the existence of appropriate safeguards, which may include encryption or pseudonymisation."
If you are a data controller who has a valid basis, other than consent from the data subject, for processing his or her personal data “for a purpose other than that for which the personal data have been collected”, Article 6(4) requires you to assess whether the new purpose is compatible with the original one, and Article 6(4)(e) makes “the existence of appropriate safeguards, which may include encryption or pseudonymisation" one of the factors in that assessment. Tokenising the data before the further processing is a concrete safeguard you can point to.
Article 17 – Right to erasure (‘right to be forgotten’)
“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay…”
Article 17 allows a data subject to request that a controller delete his or her personal data. Under Article 12(2), pseudonymisation of data may provide some relief regarding Article 17 compliance.
Article 12(2) states that, “The controller shall facilitate the exercise of data subject rights under Articles 15 to 22… unless the controller demonstrates that it is not in a position to identify the data subject.”
Note the limit of this relief: a controller that holds the token vault is still in a position to identify the data subject, so it applies only to data sets in which the holder has tokens but no access to the vault. Where the controller does hold the vault, erasing the vault entry is what renders the tokens that remain in other systems unattributable.
Article 25 – Data protection by design and by default
“…the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles....”
The GDPR requires “data protection by design and by default.” Article 25(1) specifically obligates controllers to “…implement appropriate technical and organisational measures, such as pseudonymisation.”
Pseudonymised personal data presents a lower risk, which may reduce the number of additional security measures required to meet this obligation.
13. PSEUDONYMISATION
GDPR Article / How Tokenisation Can Help
Article 32 – Security of processing
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures…
Article 32(1) obligates controllers as well as processors to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”; Article 32(1)(a) names “the pseudonymisation and encryption of personal data” as the first of the measures to consider, as appropriate to that risk.
Article 33 – Notification of a personal data breach to the supervisory authority
Article 34 – Communication of a personal data breach to the data subject
The GDPR specifies requirements for notification in the event of a breach of personal data. Under Article 33(1), a controller is required to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” Similarly, Article 34(1) stipulates that data subjects must be notified “when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons…”, and Article 34(3)(a) lifts that requirement where measures that render the personal data unintelligible to unauthorised persons, such as encryption, were applied to the affected data.
When evaluating the risk posed by a data breach, the degree to which the data was pseudonymised will play a role: a breach of a data set in which the identifying fields have been replaced by tokens, with the vault untouched, does not by itself expose data that can be attributed to a data subject (any identifying fields left untokenised in the same records still have to be assessed). Pseudonymised data therefore presents a lower risk, which may reduce the notification and remediation measures required to meet this obligation.
14. CONTINUOUS COMPLIANCE
Compliance doesn’t end with an assessment or audit. Select solutions that:
• Support all data sets within your environment
• Completely remove sensitive data from your systems where possible
• Maximise compliance scope reduction
• Enable “business as usual” processes
• Support all your data acceptance channels
• Support sharing data with third parties
16. CUSTOMER SUCCESS: THE ORVIS COMPANY
Customer Profile
• Multi-Channel Retailer
• UK – 18 Retail
• US – 69 Retail, 10 Outlet
• 500 Dealers Worldwide
Landscape
• Payment Card Data (PCI)
• Privacy Data (GDPR/PII)
• Europay, Mastercard, and Visa (EMV)
• CNP Fraud Prevention
Environment
• Omni-Channel Retailer
• Multiple Data Sets
• Multiple Vendor/Partners
• Employees in both UK/US
• Multiple Facilities
Lessons Learned
• Understood Compliance/Control Landscape
• Engaged Professionals/Experts Early & Often
• Developed Long-Term Compliance/Fraud Strategy
• Prioritised Technology Deployment
• Phased Tokenisation Implementation