How Mastercard, IBM plan to reinvent security under GDPR
Mastercard and IBM have founded a company with a very narrow goal: to help organizations scramble their data to thwart hackers and comply with Europe's General Data Protection Regulation.
They established Truata in Ireland as a trust to provide a new standard in data hosting and anonymization, conceived by Mastercard, that will help businesses build a security layer using methods only they know. The process is in line with pseudonymization, a related practice under GDPR in which businesses handling European consumer data never keep all of the personal or payment credential data for one person in one place. Rather, parts of it are stored in different silos on a network.
"Data anonymization ensures that data can never be attributed to a specific individual," said Truata CEO Felix Marx, who recently served as executive vice president of services in Asia-Pacific for Mastercard.
The European Union has set May 25 as the deadline for GDPR compliance. Any company that deals with European customers has to comply with GDPR or risk hefty fines. The foundation of the regulation rests on the European Union's contention that consumers "own" their data, not the companies in possession of it. The regulation affects any company that handles payments or personal information.
Truata's process for anonymization starts with the data-driven business client "de-identifying" the data using a methodology known only to them. That data is transferred to Truata, where any remaining identifiers are removed and replaced with a token.
The tokenized data then moves into Truata's data vault, where the token is replaced with a second token known only to Truata. The data is then used to perform analysis for each customer, Marx said.
It's a deep security process that includes measures like "noise" and "data perturbation" techniques that are well known to data scientists and essentially replace portions of the actual data content through a statistical process. This preserves the analytical value of the data while preventing it from being converted back to its original form.
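The two-stage tokenization and noise step described above, as an added illustration that is not Truata's or Mastercard's code: the client strips direct identifiers and keeps a keyed token, the vault re-tokens under its own key, and a numeric field is perturbed so aggregates survive while individual values do not. Field names, keys and the sample rows are constructed for the example.

```python
import hmac
import hashlib
import random

# Constructed sample rows as a client might hold them (hypothetical field names).
RAW_ROWS = [
    {"customer_ref": "C-1001", "email": "ann@example.com", "spend": 120.0},
    {"customer_ref": "C-1002", "email": "bob@example.com", "spend": 80.0},
    {"customer_ref": "C-1003", "email": "cat@example.com", "spend": 100.0},
]
IDENTIFIERS = ("customer_ref", "email")

def tokenize(value: str, key: bytes) -> str:
    """Keyed, deterministic token (truncated HMAC-SHA256): the same value under
    the same key yields the same token; without the key it is not linkable."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def client_stage(rows, client_key: bytes):
    """Stage 1, client side: drop direct identifiers and keep one token derived
    under a key that only the client holds."""
    out = []
    for r in rows:
        ident = "|".join(r[f] for f in IDENTIFIERS)
        out.append({"token": tokenize(ident, client_key),
                    **{k: v for k, v in r.items() if k not in IDENTIFIERS}})
    return out

def vault_stage(rows, vault_key: bytes):
    """Stage 2, vault side: replace the client's token with one derived under a
    second key held only by the vault, so no single party can relink alone."""
    return [{**r, "token": tokenize(r["token"], vault_key)} for r in rows]

def perturb(rows, field: str, sigma: float, seed: int):
    """Add Gaussian noise to a numeric field: each value changes, but the
    aggregate stays usable (a stand-in for the 'noise' techniques mentioned)."""
    rng = random.Random(seed)
    return [{**r, field: r[field] + rng.gauss(0.0, sigma)} for r in rows]

def relink(raw_row, client_key: bytes, vault_key: bytes) -> str:
    """Recompute the vault token for a known person: this needs BOTH keys,
    which is the point of splitting the process across two parties."""
    ident = "|".join(raw_row[f] for f in IDENTIFIERS)
    return tokenize(tokenize(ident, client_key), vault_key)

def mean_spend(rows) -> float:
    """Aggregate that analysis still needs after perturbation."""
    return sum(r["spend"] for r in rows) / len(rows)
```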
Because GDPR requires businesses to secure data in certain ways, as well as honor the premise that a European consumer has the only say over whether it can be used for any other marketing or sales purposes, many observers feel the European Union regulation could ultimately prevent major data breaches.
"GDPR will undoubtedly lead to data protection that reduces the incidence of big breaches, even in the U.S.," said Al Pascual, research director and head of fraud and security for Javelin Strategy & Research. "Consider that the many, if not most, medium to large enterprises do business in Europe."
Though not all of these businesses will take the same steps, anonymizing and pseudonymizing sensitive customer data will frustrate criminals, driving a shift in their behavior, Pascual said.
"Other data will still be at risk, including intellectual property and business financial data, meaning we can expect ransomware to continue, if not increase," he added. "Criminals are going to look for ways to get paid and if they can't compromise and sell it to misuse personal identifiable information, they are going to pile it into other schemes."
In the past month, Truata and IBM began providing cloud, analytics and cognitive computing capabilities to data protection measures Truata will develop with clients.
"The GDPR sets a new standard for data privacy," Truata's Marx said. "Our conversations with regulators, potential customers and other entities impacted by GDPR have shown that when it comes to analytics and the need to have compliance with the GDPR, many organizations have not yet started to consider the need for anonymized data."
Indeed, Smart Insights reported that only 6% of companies it surveyed said they were fully prepared, while 21% indicated they were close, but nearly 50% said they were aware of the looming deadline but hadn't started compliance work yet.
Truata is working to close that gap dramatically in the next several weeks.
"Organizations need to be more proactive in the way they manage all of their personal data — employee, customer and proprietary — to ensure they remain compliant with GDPR," Marx said.
Many organizations have underestimated the measures that will be required to comply, Marx added. "Consent management solutions, designated data privacy officers, special controls on data access, and new legal bases for use of data will all change the way they manage and use data," he said.
Regardless of which companies are prepared to comply or not, the GDPR brings on a significant change in how payments companies will handle European consumer data.
"Of course, there will still be a long tail of smaller U.S. businesses that won't take the same steps to protect customer data because they don't do business overseas," Javelin's Pascual said. "It's simply, they don't care about complying, which will make them more attractive targets in this post-GDPR future."
Currently, a U.S. credit card processor who has locked down and protected a consumer's payment card and personal data would essentially be able to store that data forever.
Under GDPR, a European consumer could request that it be stored only for future payment reference for a period of time, or be taken off the database completely. The data could not be used for any other purpose without consent.