Securing PII with Tokenization

PII Tokenization

What is Personally Identifiable Information and Why Is It So Valuable?

Personally Identifiable Information (PII) is defined in NIST Special Publication 800-122 as any information gathered, stored, and processed by an organization about individuals (customers, guests, clients, subscribers), including:

  • Information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, passport number, driver’s license number, taxpayer ID, financial account, or credit card number, maternal or paternal names, or legal alias
  • Information that is linked or linkable to an individual, such as medical, educational, financial, and employment information
  • Personal characteristics, including photographic image (especially of face or other identifying characteristic), fingerprints, handwriting, or other biometric data such as retina scan, voice signature, and facial geometry

However, since the term PII is widely used in different contexts in many different industries, jurisdictions, and legal settings, each organization needs to assess the types of data they need to accept, store, process, and secure. Security experts often advise, “If you don’t need it, don’t store it”. This is definitely the case with PII.

Unfortunately, PII is now center stage as the most valuable data set to steal. Using stolen PII, a cyber-criminal can build a complete virtual identity. PII data sets—such as social security, date of birth, employment history—are used to create fraudulent personas with which a fraudster can buy goods and services, open lines of credit, change bank account access, and a plethora of other illegal activities. The damage stolen PII can do to victims of data theft has caught the attention of the Federal Trade Commission, which has ruled that people can sue for long-term damages when their PII is stolen from an organization’s business systems. The consequences of PII theft are a lot more expensive and time-consuming than just shutting off a credit card account and offering free credit reporting for a year. Class-action lawsuits are becoming more commonplace for organizations that are found guilty of violating their security and privacy statements when PII goes missing.


What are the PII Compliance Obligations?

Ultimately, PII is a legal term, not a technical term. When dealing with PII, legal counsel should be sought to determine the federal, national, and regional laws or industry regulations associated with the datasets being accepted, stored, and transmitted. Regardless of the specific laws or regulations, which change with geography and government, access to PII data should be tightly controlled, the data should be protected when stored and transmitted, and all touchpoints should be auditable. Defining and adhering to a documented security control baseline helps ensure proper protection of PII data.

Beyond securing the data, an organization must also consider the incident and breach reporting requirements specific to PII exposure. Depending on the data set type and legal course of disclosure, additional reporting requirements may be necessary based on where the data is being stored and how it is being transmitted.

Failing to Protect PII Presents Risk to Your Organization

In the “old days” exposing sensitive payment card data resulted in monetary fines and penalties, followed by an exercise of extending free credit card monitoring services to the cardholders and then continuing with business as usual. With stolen PII, the repercussions are far more difficult to remedy. PII data sets can be used to create fake personas based on the lives of real people, often resulting in ruined credit ratings, falsified tax returns, even home mortgages used for quick flipping schemes. Is it any wonder that an organization that is careless with PII suffers the wrath of the ultimate victims? Customer trust, corporate branding, and future business can quickly dissipate after a PII exposure.

The Ponemon Institute, an independent research organization, values the cost of each exposed individual PII record at around $178. With the average breach exposing 30,000 records, the financial risk quickly adds up. Moreover, the costs of a breach as described by the Ponemon Institute do not cover “catastrophic” breaches of over 100,000 records. Add in all the indirect costs, lawyers and lawsuits, PR damage control, and attention taken away from business, and it becomes obvious that a PII debacle exacts a heavy toll on any organization.

Federal Trade Commission Has Oversight Over PII Breaches

The FTC (Federal Trade Commission) is now the federal watchdog for data security oversight. The FTC has been able to show that if an organization has “unreasonable data security” in place to protect its customers’ sensitive information, it can be subject to fines, class action lawsuits, and a public admission of the breach, because of the long-term damages resulting from breached PII. Moreover, some organizations found not to be in compliance can face up to a 20-year agreement that they will take the necessary steps to obtain compliance certifications. Most importantly, organizations need to implement a comprehensive data security solution that properly protects customer PII data. Tokenization and Cloud Data Vaulting for PII is an ideal solution for keeping data safe and the FTC at bay.

Benefits of Tokenizing PII with TokenEx

  • Predictable data storage overhead—the more PII you store, the lower the cost per record
  • Fully customizable PII tokenization schedule
  • Fully customizable tokenization schemes to match the data type being secured
  • Securely use PII data with business intelligence to achieve insights into customer behaviors and trends, and measure internal environment metrics
  • Secure Rewards programs to prevent exposure of valuable customer data

How TokenEx Secures PII

TokenEx enables organizations to secure PII by offering a controlled, auditable method of securely storing and interacting with all types of sensitive information, including PII. In many cases, organizations need not use PII directly for business purposes, but instead can interact with a token that represents the PII. The actual sensitive data is stored in a TokenEx Data Security Platform, enabling organizations to minimize the risk associated with handling PII.

Examples of PII Tokenization

With TokenEx’s unique tokenization processes, any data type can be tokenized and vaulted. This flexibility gives organizations the ability to secure sensitive data, such as Social Security Numbers, that would otherwise be stored in a database, as well as electronic forms in a document management system that contain sensitive personal information.

Flexible Token Schemes

Because PII is all but required to do business today, it’s critical to secure this data appropriately. Fortunately, using tokenization will allow businesses to use their tokenized data without disrupting existing business processes. TokenEx provides a variety of flexible token schemes to facilitate multi-data set acceptance without forcing changes to existing business processes and applications. Simply put, a token scheme encapsulates the validation of the input data as well as the format of the token returned to the business system. For example, if you have business processes that use social security numbers, you could use a format-preserving token scheme that retains the structure of the social security format (xxx-xx-xxxx). This enables your existing business logic and application validation to remain unchanged while securing the data in a tokenized environment. TokenEx provides virtually unlimited flexibility in how sensitive data is received, tokenized, stored and processed, while eliminating data theft risk and, in the case of payment processing, reducing the cost of PCI compliance.
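The vault model described under “How TokenEx Secures PII” and the token scheme described above can be shown end to end in a few dozen lines. The following is an added example written for this page, not TokenEx’s code or API: a hypothetical `TokenScheme` couples the input validation with a format template, and a toy `TokenVault` issues random, format-preserving tokens for SSNs, maps them back to the original value, and records every touchpoint in an audit log. The sample SSN is constructed, not real.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TokenScheme:
    """Hypothetical scheme: couples input validation with the token's shape.
    '#' in the template becomes a random digit; other characters are copied
    literally, so the token keeps the input's format."""
    name: str
    input_pattern: re.Pattern
    template: str


# Format-preserving scheme for US SSNs written as xxx-xx-xxxx.
SSN_SCHEME = TokenScheme(
    name="ssn-format-preserving",
    input_pattern=re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    template="###-##-####",
)


@dataclass(frozen=True)
class AuditEntry:
    action: str   # "tokenize" or "detokenize"
    caller: str   # identity of the calling system or user
    token: str    # the token touched (never the PII itself)
    outcome: str  # "ok" or "rejected"


class TokenVault:
    """Toy vault constructed for this example. Tokens are drawn from a CSPRNG,
    so a token carries no information about the PII it stands for; the only
    way back is a lookup against the vault's mapping."""

    def __init__(self, scheme: TokenScheme) -> None:
        self.scheme = scheme
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}
        self.audit_log: List[AuditEntry] = []

    def _random_token(self) -> str:
        return "".join(
            secrets.choice("0123456789") if c == "#" else c
            for c in self.scheme.template
        )

    def tokenize(self, value: str, caller: str) -> str:
        # Validation is part of the scheme: malformed input never enters the vault.
        if not self.scheme.input_pattern.match(value):
            self.audit_log.append(AuditEntry("tokenize", caller, "", "rejected"))
            raise ValueError(f"input does not match scheme {self.scheme.name!r}")
        # One token per distinct value, so joins and lookups on the tokenized
        # column keep working in the business system.
        token = self._value_to_token.get(value)
        if token is None:
            token = self._random_token()
            # Re-draw on the rare collision with an issued token, and never hand
            # back a token that happens to equal the plaintext.
            while token in self._token_to_value or token == value:
                token = self._random_token()
            self._token_to_value[token] = value
            self._value_to_token[value] = token
        self.audit_log.append(AuditEntry("tokenize", caller, token, "ok"))
        return token

    def detokenize(self, token: str, caller: str) -> Optional[str]:
        """Every touchpoint is recorded, including failed lookups, which are
        the ones worth alerting on."""
        value = self._token_to_value.get(token)
        outcome = "ok" if value is not None else "rejected"
        self.audit_log.append(AuditEntry("detokenize", caller, token, outcome))
        return value


if __name__ == "__main__":
    vault = TokenVault(SSN_SCHEME)
    token = vault.tokenize("123-45-6789", caller="crm")   # constructed sample SSN
    assert SSN_SCHEME.input_pattern.match(token)          # passes the legacy validator unchanged
    print(token, vault.detokenize(token, caller="crm"))
```

The point a practitioner should take from the design: the token is generated, not derived, so no key or algorithm recovers the SSN from it; the token satisfies the same `^\d{3}-\d{2}-\d{4}$` check the existing application already performs; and the audit log names the caller and the outcome, which is what makes a detokenize call from an unexpected system visible. In a real vault the two mappings would be encrypted at rest and the lookup index keyed on a keyed hash rather than the plaintext; the toy keeps both in memory for clarity.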

The Allant Group, headquartered in Naperville, Illinois, combines customer and business intelligence applications to help enterprise and mid-market clients gain more valuable insights and drive marketing performance of omni-channel business. That means that Big Data is at the very heart of its operations. Allant collects and aggregates large volumes of personally identifiable information (PII). Researching data security providers, the Allant IT team looked for a company that was a match with the way they envisioned growing the company. “It was important that we find the proper fit,” says Daniel Iantorno, Allant’s Chief Information Officer. “We wanted a security partner that we could grow with, not one that we had to pay a large sum upfront and then grow into the service.” A SaaS subscription model turned out to be the fit Allant needed. As well, a primary goal of the project was to make no changes to existing business processes. “TokenEx’s Cloud Security Platform mirrors our flexible approach to accommodating clients’ requirements, working with us to provide the best solution at the right price,” says Daniel Iantorno.

Since PII has become a favorite target of hackers, protecting customers’ personal data with tokenization prevents fraud and identity theft. TokenEx can tokenize any type of data, so PII can be safely vaulted away from on-premise business systems and replaced with tokens that are mathematically unrelated to the original data and, thus, useless to data thieves. The existing token schemas from the on-premise system had to be re-created by TokenEx, the field sizes had to match exactly, and the algorithms that create tokens from the PII data had to produce the same types of outputs as the legacy on-premise system. To facilitate this smooth transition, an Allant Project Manager created use cases for each of the vendors that defined the capability needed from TokenEx to seamlessly work with them. “TokenEx did all this work up front as a proof of concept to win our business. After that we had a high degree of faith that the TokenEx team was able to take our current tokenization implementation and transition it to their cloud platform,” remembers Iantorno.

Open Architecture By Design

This adaptability is possible with the TokenEx Open Security Architecture because it is designed to accommodate all types of data formats; interoperate with any payment gateway and financial institutions worldwide; and integrate workflows from third-party services such as fraud detection, account refresh providers, and marketing analytic programs like Allant. It’s this openness by design that gave Allant assurance that TokenEx could ultimately transform their on-premise tokenization to a Cloud Tokenization Architecture without forcing changes to existing business processes.

“As we evolve our platform to incorporate additional cloud services and expand our customers in new vertical markets such as banking and financial institutions, we believe TokenEx will keep all our new services secure and flexible. In essence, we expect the security of our platform to go from great to greater, and TokenEx will be with us as we continue on this journey to the Cloud,” says Iantorno.

Email sales@tokenex.com to learn more about how TokenEx secures PII in your very complex environment.

Secure Your PII Today!

Contact us to learn how TokenEx can help tokenize your sensitive business data.