
Reconciling Business Intelligence And Data Security With Tokens

By David Schoenberger, Chief Innovation Officer, Secure Cloud Systems


Much of the recent security focus in the retail sector has been on how Point of Sale systems collect and send card data. This continues to be one of the biggest areas of concern, as criminal hackers have access to a treasure trove of valuable information. They are reaching deep into the systems, even down to the firmware level, to obtain card data and personal data about the consumer to assist in their criminal efforts to steal and defraud. Furthermore, with new breaches announced almost daily, it is clear how important this ongoing discussion has become.

The irony is that card numbers are obviously important for payment, but many retail organizations also rely heavily on card data for reward and loyalty tracking, purchasing trends and many other data-mining requirements. The bigger the retailer, the more systems and subsystems share these types of data points. The entire realm of Business Intelligence is predicated on access to data, the more the better. Thus, efforts to understand, predict and trend on data depend on the quality and the quantity of the data, beyond just PCI data.

In order to combat card and personal data being stolen, hardware companies are getting into the security game and coming up with solutions to protect and encrypt the data directly at the POS.  But if a POS system encrypts card data at the machine level and then sends this data encrypted to the processor, a vital piece of the data used for business intelligence is lost.  How can a retailer have the best of both worlds in terms of security and access to data?

What if the swipe process communicates this already-encrypted data to a tokenization process that then sends a token to the retail databases? This token can be used as a substitute for the card data or even the encrypted data. The ultimate goal is to take the real data (card numbers, etc.), replace it with a substitute and rely on a decoupled service to communicate the settlement data to the card processor and bank, never letting the merchant retailer have the real data. If token data is stored instead of card data or encrypted data, then the retail database never retains the sensitive data but has a substitute for marketing purposes. In a smart token process, the token might even contain other PII data to enhance the data-mining process. In reality, the retailer doesn’t need to know me personally from a data perspective. They DO need to know about me (in the form of a token) and know the when, where, why and how many of my interaction with their company and services. This can be achieved through substitute data.
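The flow described above can be sketched in a few lines. This is an added example, not code from the article or from any Secure Cloud Systems product; the class and function names are hypothetical, POS-level encryption is left out, and deriving the token with a keyed HMAC is an assumption chosen so that the same card always yields the same token.

```python
import hashlib
import hmac
import secrets
from collections import Counter


class TokenizationService:
    """Decoupled service: the only component that ever holds real card numbers."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # constructed key; assumed to live in an HSM/KMS
        self._vault = {}                     # token -> card number, never shared with the retailer
        self.sent_to_processor = []          # stands in for the link to the card processor

    def tokenize(self, card_number: str) -> str:
        # Keyed HMAC: the same card always maps to the same token, but the token
        # cannot be reversed or recomputed without the service's key.
        mac = hmac.new(self._key, card_number.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + mac[:24]
        self._vault[token] = card_number
        return token

    def settle(self, token: str, amount_cents: int) -> str:
        # Only this service resolves the token back to the card for settlement.
        self.sent_to_processor.append((self._vault[token], amount_cents))
        return "submitted"


def pos_swipe(service, retail_db, card_number, store, amount_cents):
    """POS hands the card data to the service; the retailer stores only the token."""
    token = service.tokenize(card_number)
    status = service.settle(token, amount_cents)
    retail_db.append({"token": token, "store": store, "amount_cents": amount_cents})
    return status


def spend_per_token(retail_db):
    """Business-intelligence query that runs on tokens alone."""
    totals = Counter()
    for row in retail_db:
        totals[row["token"]] += row["amount_cents"]
    return dict(totals)


def demo():
    # Constructed sample data: well-known test card numbers, not real accounts.
    service, retail_db = TokenizationService(), []
    pos_swipe(service, retail_db, "4111111111111111", "store-12", 2599)
    pos_swipe(service, retail_db, "5555555555554444", "store-12", 1000)
    pos_swipe(service, retail_db, "4111111111111111", "store-40", 4001)
    return service, retail_db
```

Because the token is a stable pseudonym, the retail database still links every purchase made with one card, so it needs its own access controls even though it holds no card numbers.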

While change must be made by retailers, it doesn’t have to be painful. Many opportunities are available for retailers to protect the consumer and restore faith. Unfortunately, there is no quick fix; it will have to be a combination of ideas and, the hardest part, a change in behavior from the retailer. Of course network security, firewalls and trusted employees have to be a part, as does encryption. But it is time to start to get creative and let new ideas come to the roundtable. Adding a much more robust tokenization process, one that tokenizes more than just the card data, can play a key part in ensuring data security while meeting the demands of retailer business intelligence.

David Schoenberger is Chief Innovation Officer at Secure Cloud Systems, which has a mission of protecting the world one “byte” at a time. The company’s flagship award-winning product is CertainSafe, an ultra-secure file sharing and data storage platform that utilizes proprietary MicroTokenization®. Learn more about Secure Cloud Systems at http://www.securecloudsystems.com
