Merchants and issuers across the payments space are working to reduce both the amount of PCI-sensitive data they store and the number of systems that touch that data, but this can be difficult across disparate and legacy systems. Could blockchain’s distributed ledger architecture be the solution?
PCI compliance is the payment security standard that applies to every entity that processes, stores, or transmits credit card information. Designed to ensure the security of transactions and protect cardholders against fraud and misuse of their personal information, the standards were defined and are maintained by the PCI Security Standards Council, whose founding members include American Express, Discover Financial Services, JCB International, MasterCard, and Visa.
A significant development occurred earlier this year when PCI compliance was achieved by the first and only blockchain-based data security platform. Built on a patent-issued private blockchain model, ALTR is unique in the way it enforces data governance policy, protects stored data from forced access, and provides detailed intelligence about an organization’s data-access needs and habits.
As data breaches continue to threaten brands, reputations and bottom lines, PCI compliance is an indicator that enterprise data security leveraging distributed ledger architecture is no longer just a concept, but is now in the hands of business.
While the norm has been to encrypt transactions and cardholder data against fraud, this new approach takes that data, tokenizes it to render it illegible, and then splits it into fragments that are randomly spread across separate server nodes. It goes against conventional cybersecurity thinking, but with breaches now commonplace this is exactly what is needed to protect cardholder data.
Blockchain reinvented for a higher purpose
The hype around cryptocurrency has cooled considerably of late, while there is a growing interest in adapting the underlying blockchain technology that powers the exchange of coins for higher purpose in the enterprise. Healthcare, banking and financial services, insurance and even food safety are now areas where the technology is taking on a new life. Leveraging its inbuilt consensus mechanisms to treat sensitive data like money: monitor its usage, govern access to it, and protect it by obscuring it.
The big problem this type of technology solves is to take something digital and preserve it by using an uneditable data structure. Consider that a Bitcoin cannot be copied and spent more than once without changing hands. If you refine blockchain to create private in-house blockchains that operate on a low-latency SaaS model, it quickly becomes clear that the applications extend outward nearly without limit.
Blockchain offers benefits beyond being incredibly secure. Many hacks involve, not just the theft of data, but the changing of the data. Also, blockchain structures offer high availability and resiliency by design, because of their replicated nature. What other types of data could be preserved digitally now in an authentic form ensured by blockchain? Identity data? Ownership data? Intellectual Property? News Content and Images? Voting Records?
Protecting these types of data means more than simply stopping unauthorized access. Insider threats are often a far greater concern, whether a result of deliberate misbehavior or accidental mishandling of information, a distributed nature means data is scattered and useless. Moreover, it also lends itself to documenting evidence of all activity in an unalterable log.
Consider also that the central problem around data usage and storage the question of ‘trust’. It’s not just about keeping the data from being stolen, it’s also about maintaining its integrity. A data security platform that uses a private, permissioned blockchain’s tamper-resistant structure to store all audit records of data access, as well as the data itself, appears well placed to counter those threats.
The unique combination of these characteristics also creates a data infrastructure which increases the resiliency of an organization’s systems and processes. Existing solutions like encryption and tokenization are fragile in that there are keys to steal, and they exact a high cost on the performance and usability of data when they are implemented widely in an enterprise, which is why companies remain reluctant to employ such measures.
A pragmatic use case
While the core technology is crucial, how you bring it out of the lab and into the hands of commerce in a pragmatic way is a crucial hurdle. The challenge writ large is to not simply apply it to a real, tangible problem — that is data security for payments, cards and services — but also to invest in ways for an enterprise to adopt it without having to throw out the systems they already use. Here we can take a cue from the financial sphere, where all the risk checks against the flow of money are embedded in the critical path between the people who want the asset and the asset itself.
Data security itself, under the enterprise blockchain model that recently received PCI certification, is embedded in the actual code base, in the critical path of information through a thin layer of technology wrapped around database drivers, which all applications use to connect to their databases. The platform can act as a data broker – monitoring all data access, governing what types of access are permissible, and even redirecting requests for data to distributed storage when the necessary files have been deposited there. Remarkably, the platform does not replace any existing infrastructure, and in fact its impact is potentially so low that end users are unlikely to even realize it’s there. This new way of implementing data security is “programmable.”
In fact, blockchain and distributed ledger technology offers three central tenets, that are essential components for PCI DSS compliance. The first is that in order to protect data, you need a really good vault. This is described as “at rest” protection for data as it sits in a database, in cybersecurity parlance. The second is you need a valve – that is, a way to slow down or stop the flow of data to applications in real time. Finally, you need a view. This means shared visibility, from the c-suite all the way through to IT, on which individuals are consuming data and why. This view has to be trusted, in that it has to be audited and tamper-proof.
A vault, a valve, and a view – the combination is new paradigm on protecting data, and reduces risk to data significantly, in many cases down to near zero. And here is where blockchain, reengineered for private, permissioned enterprise applications in data security, brings its greatest value for those who want the assurance that comes with PCI compliance. Distributed ledger approaches are now forcing businesses, particularly those in banking and financial services, so that risk to data can be either be slowed down or stopped.