Thomas Gloerfeld

Cyber threats are rapidly evolving and breaches are on the rise. That makes compliance with the Payment Card Industry Data Security Standard (PCI DSS) ever more critical for organizations handling payment card data. A key aspect of the standard is safeguarding stored account data, and with PCI DSS v4.0 that part of the standard has tightened: under Requirement 3.5.1.2, a future-dated requirement that becomes mandatory on 31 March 2025, disk- or partition-level encryption on its own is no longer sufficient to render primary account numbers (PANs) unreadable on non-removable electronic media.

So, what should complying organizations do? Among the options available to them, tokenization beats transparent data encryption (TDE) for several reasons.

Understanding PCI DSS Requirement 3.5.1.2

PCI DSS Requirement 3.5.1.2 specifically addresses the limitations of disk encryption. It states:

“If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to render PAN unreadable, it is implemented only as follows:

  • On removable electronic media

OR

  • If used for non-removable electronic media, PAN is also rendered unreadable via another mechanism that meets Requirement 3.5.1.”

(Source: PCI DSS v4.0)

Put simply, disk-level or partition-level encryption is no longer sufficient on its own for protecting PANs stored on non-removable media. It must be paired with another mechanism that satisfies Requirement 3.5.1, such as file-, column- or field-level encryption, truncation, keyed hashing or tokenization. The reasoning behind the change is that disk encryption decrypts transparently for any process on the running host: it protects against theft of the physical drive, but not against an attacker who has gained a foothold on the live system, which is how most breaches of stored card data actually happen.

Tokenization vs. TDE

So, what are the main differences between tokenization and TDE?

TDE encrypts database files at the storage level. Data files, transaction logs and backups are written to disk encrypted, so anyone who obtains those files without the database encryption key cannot read them. Its defining property is also its limitation: TDE is transparent to the database engine and to the application, so any authenticated principal with SELECT privileges on a table reads plaintext PANs through the normal query path, and so does any SQL injection flaw in an application that connects as such a principal.

Tokenization replaces a sensitive data element, such as a PAN, with a non-sensitive substitute called a token. On its own the token has no exploitable value and no meaningful relationship to the original data. When the original value is genuinely needed, an authorized application requests it from the tokenization service (detokenization); every other system handles only the token.

There are two tokenization approaches: vaulted and vaultless. Vaulted tokenization stores the mapping between each PAN and its token in a secure database (the vault), which creates a single high-value target that must itself be protected, replicated and kept in PCI scope, and which grows with every card seen. Vaultless tokenization avoids the central mapping store by deriving the token from the PAN with a keyed deterministic algorithm, typically format-preserving encryption such as NIST SP 800-38G FF1. One caveat a practitioner should keep in mind: because vaultless tokens are derived under a secret key, the key-management requirements of PCI DSS (Requirements 3.6 and 3.7) apply to the tokenization service just as they would to any encryption system.
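To make the vaultless approach concrete, here is an added example, not comforte's implementation and not the FF1 algorithm the NIST standard specifies, that tokenizes a 16-digit PAN with a keyed Feistel network over decimal digits, using HMAC-SHA256 as the round function. The last four digits are kept in clear and double as the tweak, so the token stays the same length and format as a PAN while the first twelve digits are replaced. It also illustrates the breach-risk point made further down: without the key a token yields nothing, and detokenizing with a wrong key produces a plausible-looking but wrong number. The key and the test PAN are constructed values; a real deployment would use FF1 with keys held in an HSM and would never hard-code them.

```python
"""Toy vaultless (format-preserving) tokenizer for 16-digit PANs.

Added example: a keyed Feistel network over decimal digits, with
HMAC-SHA256 as the round function. Not FF1 and not production code.
"""
import hmac
import hashlib

PAN_LENGTH = 16                      # this example handles 16-digit PANs only
PRESERVED = 4                        # last four digits are kept in clear
TOKENIZED = PAN_LENGTH - PRESERVED   # 12 digits are replaced
HALF = TOKENIZED // 2                # 6-digit Feistel halves
MODULUS = 10 ** HALF
ROUNDS = 10                          # Feistel rounds; more rounds, more margin


def luhn_valid(number: str) -> bool:
    """Luhn check: every real PAN passes it, so we reject garbage input."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _round(key: bytes, tweak: bytes, rnd: int, half: int) -> int:
    """Keyed round function: HMAC over (tweak, round number, half), reduced mod 10^6."""
    msg = tweak + bytes([rnd]) + half.to_bytes(4, "big")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") % MODULUS


def _feistel(key: bytes, tweak: bytes, value: int, decrypt: bool) -> int:
    """Encrypt or decrypt a 12-digit integer while staying in the decimal domain."""
    left, right = divmod(value, MODULUS)
    schedule = range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)
    for rnd in schedule:
        if decrypt:
            # undo one round: the forward step set left'=right, right'=left+F(right)
            left, right = (right - _round(key, tweak, rnd, left)) % MODULUS, left
        else:
            left, right = right, (left + _round(key, tweak, rnd, right)) % MODULUS
    return left * MODULUS + right


def _check(pan_like: str) -> None:
    if len(pan_like) != PAN_LENGTH or not pan_like.isdigit():
        raise ValueError(f"expected {PAN_LENGTH} decimal digits")


def tokenize(pan: str, key: bytes) -> str:
    """Replace the first 12 digits with a keyed permutation; keep the last 4."""
    _check(pan)
    if not luhn_valid(pan):
        raise ValueError("not a Luhn-valid PAN")
    head, tail = pan[:TOKENIZED], pan[TOKENIZED:]
    # The preserved digits act as the tweak, so the same 12-digit head
    # under a different last-four yields a different token.
    token_head = _feistel(key, tail.encode(), int(head), decrypt=False)
    return f"{token_head:0{TOKENIZED}d}" + tail


def detokenize(token: str, key: bytes) -> str:
    """Inverse of tokenize; only a caller holding the key can do this."""
    _check(token)
    head, tail = token[:TOKENIZED], token[TOKENIZED:]
    pan_head = _feistel(key, tail.encode(), int(head), decrypt=True)
    return f"{pan_head:0{TOKENIZED}d}" + tail


if __name__ == "__main__":
    KEY = b"example-key-do-not-use-in-production"  # constructed; real keys live in an HSM
    PAN = "4111111111111111"                         # well-known test number, not a real card
    tok = tokenize(PAN, KEY)
    print("token           :", tok)
    print("round trip      :", detokenize(tok, KEY) == PAN)
    print("wrong-key result:", detokenize(tok, b"attacker-guess"))
```

Two design points carry over to real deployments. First, the token is deterministic, so the same PAN always yields the same token and joins and lookups keep working, but that also means the tokenization service must be rate-limited and audited, since an attacker who can submit candidate PANs can confirm matches. Second, the effective domain is only the digits you actually replace: preserving the first six and last four, as many schemes do, leaves a six-digit domain that is far easier to brute-force through a detokenization interface than the twelve-digit domain used here, which is one reason the tokenization service's own access control matters as much as the algorithm.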

Why Tokenization Is Preferable

Consider the following:

  • Enhanced data security/reduced breach risk

A token carries no information about the PAN that can be recovered without the tokenization service and its key (or, in a vaulted design, the vault). Even if an attacker exfiltrates every token in the database, they cannot reverse them, and a wrong key yields only a meaningless number. With TDE, by contrast, the attacker often does not need the key at all: compromising a database login, the application's connection string or an injection flaw yields plaintext through the engine's transparent decryption, and an attacker who does obtain the key and the files can decrypt everything, backups included.

  • More efficient security management 

TDE inherits its access model from the database server: it encrypts data at the storage level but relies on the existing database management system (DBMS) roles to decide who can read it. Access to PANs is therefore governed by the same user roles and grants as every other column, and any over-privileged role exposes them.

Tokenization does not depend on DBMS grants. Detokenization is authorized by the tokenization service's own policy, which applications must call explicitly, so access to clear-text PANs can be restricted to the few workflows that need them regardless of what the database permits. That gives a single, consistent place to manage and audit access, and reduces the risk that a misconfigured database role exposes PANs.

  • Minimized compliance scope and costs

With tokenization, the systems that store, process or transmit cardholder data are minimized: tokens contain no sensitive information, and the tokenization engine is isolated from the database and application servers. Systems that only ever see tokens can be taken out of the cardholder data environment, which reduces the number of controls required, lowers compliance costs and simplifies audits. The tokenization service itself and any system that detokenizes remain in scope. TDE cannot reduce scope at all: the database server holds the key, decrypts on demand and therefore has access to PANs, as does every system that queries it.

  • Data-centric security for end-to-end protection 

TDE encrypts data at rest on a specific database; it protects neither data in use (once queried, it is plaintext) nor data in transit. Tokenization substitutes the PAN as early as possible in the data flow, so downstream systems, logs and analytics handle only tokens, and an intercept during processing exposes tokens rather than PANs. Clear text appears only at the capture point and wherever an authorized application detokenizes, which are precisely the places that stay in scope. Because tokens can preserve the PAN's length, format and last four digits, existing applications, reports and workflows keep working without change.

More robust and sustainable

Tokenization provides a more robust and sustainable route to PCI DSS compliance. It satisfies Requirement 3.5.1 in its own right, resists the attack paths that transparent decryption leaves open, shrinks compliance scope and cost, and reduces the likelihood and impact of a breach. That in turn lowers the risk of costly non-compliance penalties and helps to build customer trust.

comforte Data Security Platform

Instead of solely securing the systems that store or process sensitive data, comforte enables organizations to protect the data itself, wherever it is stored or flows.

Our data-centric security platform discovers sensitive data elements and replaces them with non-sensitive placeholders meaningless to attackers while preserving their utility for processing and analytics. Our solutions help organizations mitigate the risks of data breaches, enable secure data utilization across business applications, and reduce the complexity of compliance with stringent regulations such as PCI DSS or GDPR.
