At PCI London 2018, TokenEx Solutions Architect John Noltensmeyer presented modern strategies and methodologies for using cloud-based tokenisation and pseudonymization to ease GDPR burdens. For more information visit www.tokenex.com or contact sales@tokenex.com.
Security Beyond Compliance: Using Tokenisation for Data Protection by Design and by Default
1. PCI London
05 July 2018
John Noltensmeyer
Head of Privacy & Compliance Solutions
TokenEx
2. INTRODUCTION
Security Beyond Compliance
Using Tokenisation for Data Protection by Design and by Default
3. SETTING THE STAGE
Compliance Climate
Compliance Challenges
Data-Centric Strategies
Data Protection Technologies
Cloud-Based Versus On-Premise Solutions
Tokenisation Implementation
Tokenisation for Pseudonymisation
6. DATA-CENTRIC STRATEGY
[Diagram: layers labelled Data, Application, System, Network, Internet]
• Traditional perimeter strategies for data security do not work. The focus is on the wrong assets.
• Focus on reducing risk to data first.
• When data is not present, desensitised, or otherwise de-identified, a data-centric strategy can be considered successful.
7. DATA PROTECTION TECHNOLOGIES
[Chart: Minimisation, Tokenisation/Pseudonymisation, Data Hashing/Masking and Encryption plotted by Data Utility (min to max) against Data Protection (min to max)]
8. BENEFITS OF TOKENISATION
• PCI scope reduction
• GDPR compliance
• Risk reduction – sensitive data removed
• Facilitates use of de-identified data in business systems
• Support for multiple data sets
• Protection for data in transit and at rest
• No key management
• Mathematically unrelated to original data
• Multi-use tokens
• Single-use tokens
• Format preserving tokens
• Custom token formats
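The token properties listed on this slide (no key, no mathematical relation to the original, multi-use, single-use, format preserving) can be seen in a small vault sketch. This is an added example, not TokenEx's implementation or API: the `TokenVault` class, its method names, the keep-last-four format and the reading of "single-use" as "redeemable once" are all assumptions made for illustration.

```python
import secrets

class TokenVault:
    """In-memory stand-in for a token vault (hypothetical; a real vault is a hardened service)."""

    def __init__(self):
        self._by_token = {}      # token -> original value; the only copy of the PAN
        self._multi = {}         # original value -> its multi-use token
        self._single = set()     # tokens that may be redeemed once

    def _new_token(self, pan, keep_last=4):
        # Format preserving: same length, digits only, last four retained.
        # The other digits come from a CSPRNG, so there is no key to manage
        # and nothing to reverse mathematically; only the vault maps back.
        while True:
            head = "".join(secrets.choice("0123456789") for _ in range(len(pan) - keep_last))
            token = head + pan[-keep_last:]
            if token != pan and token not in self._by_token:
                return token

    def tokenise(self, pan, multi_use=True):
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("expected a 13-19 digit PAN")
        if multi_use and pan in self._multi:
            return self._multi[pan]          # same value always yields the same token
        token = self._new_token(pan)
        self._by_token[token] = pan
        if multi_use:
            self._multi[pan] = token
        else:
            self._single.add(token)
        return token

    def detokenise(self, token):
        pan = self._by_token[token]          # KeyError for unknown or spent tokens
        if token in self._single:            # single-use: redeem once, then forget
            self._single.discard(token)
            del self._by_token[token]
        return pan

def demo():
    vault = TokenVault()
    pan = "4111111111111111"                 # constructed test number, not a real card
    return vault, pan, vault.tokenise(pan), vault.tokenise(pan, multi_use=False)
```

Business systems store and pass around only the token; the mapping back to the original value exists solely inside the vault.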
9. CLOUD-BASED VERSUS ON-PREMISE SOLUTIONS
On Premise Tokenisation
• Limited PCI DSS scope reduction - must maintain a CDE
• Higher risk – sensitive data still resident in environment
• Personnel and hardware costs
Cloud-Based Tokenisation
• Significant reduction in PCI DSS scope
• Reduced risk – sensitive data removed from the environment
• Platform-focused security
• Lower associated costs – cyber insurance, PCI audit, maintenance
10. TOKENISATION IMPLEMENTATION
Implementation Roadmap
• Identify organisational compliance obligations
• Identify all sensitive data sets
• Catalog associated systems and data acceptance channels
• Perform a risk analysis
• Consider all sensitive data transfers to 3rd parties (secondary use)
• Map the data across the organisation
11. TOKENISATION FOR PSEUDONYMISATION
Pseudonymisation Under the GDPR
• Article 4 – Definitions - processing personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately
• Article 25 – Data protection by design and by default - "the controller shall...implement appropriate technical and organisational measures, such as pseudonymisation"
• Article 32 – Security of processing – “implement appropriate technical and organisational measures” including pseudonymisation
12. TOKENISATION FOR PSEUDONYMISATION
Benefits of Pseudonymisation
• Recital 29 – “incentives to apply pseudonymisation”
• Article 6 – Lawfulness of processing - in order to ascertain whether processing for another purpose [besides consent] is compatible with the purpose for which the personal data are initially collected, take into account, inter alia...the existence of appropriate safeguards, which may include encryption or pseudonymisation.
• Article 33 - Notification of a personal data breach to the supervisory authority – “In the case of a personal data breach…notify the personal data breach to the supervisory…unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
13. CHARACTERISTICS OF AN IDEAL SOLUTION
• Supports all data sets
• Completely removes sensitive data from your environment
• Maximizes compliance scope reduction
• Supports your acceptance channels
• Supports “business as usual” processes
• Supports sharing data with 3rd parties
14. CUSTOMER SUCCESS: THE ORVIS COMPANY
Customer Profile
• Multi-Channel Retailer
• UK – 18 Retail
• US – 69 Retail, 10 Outlet
• 500 Dealers Worldwide
Landscape
• Payment Card Data (PCI)
• Privacy Data (GDPR/PII)
• Europay, Mastercard, and Visa (EMV)
• CNP Fraud Prevention
Environment
• Omni-Channel Retailer
• Multiple Data Sets
• Multiple Vendor/Partners
• Employees in both UK/US
• Multiple Facilities
Lessons Learned
• Understood Compliance/Control Landscape
• Engaged Professionals/Experts Early & Often
• Developed Long-Term Compliance/Fraud Strategy
• Prioritised Technology Deployment
• Phased Tokenisation Implementation