Compliance and Regulation
PCI DSS
DataDivider has been a Level 1 Payment Card Industry (PCI) Data Security Standard (DSS) Service Provider since 2010. Over this time it has enriched its offering to address all aspects of a business’s PCI DSS requirements for all Cardholder Not Present (CNP) transactions. This includes ecommerce, contact center, back office, reception desk and CNP store transactions. In all situations DataDivider is able to reduce the scope and cost of helping a merchant achieve and maintain PCI DSS compliance.
DataDivider helps organizations reduce or eliminate their Cardholder Data Environment (CDE) footprint by minimising their exposure to cardholder data. This is achieved initially when capturing cardholder data within its iFrame services for ecommerce and through either its Data Capture Cloaking or DTMF Tone Muting solutions for telephone based transactions. Having captured cardholder data with the minimum exposure to the merchant, DataDivider can devalue this data through Payment Service Provider (PSP) or independent tokenization services. By replacing cardholder data with tokens before exposure to a merchant’s applications, these applications can be removed from PCI DSS scope. Where merchants do not wish to or do not have the ability to change legacy or packaged applications, they can use DataDivider’s Interceptor to inject tokens into these applications. By having DataDivider’s Secure Cloud act as a proxy for their PSP, merchants can simply de-scope their applications from PCI DSS by directing their payment transactions via DataDivider. Interceptor within a PCI environment has helped many merchants de-scope their outsourced cloud based applications, ensuring that the cloud application is not exposed to cardholder data within the tokenization process.
DataDivider’s Virtual Keypad within its Data Capture Cloaking solution has proven to be one of the most cost effective techniques for merchants to de-scope their desktops, devices, data networks and backend applications. The simplicity of the solution, ease of integration and the ability to maintain the current business work flow has helped organizations to meet tight audit deadlines. Where organizations are additionally looking to de-scope their telephony infrastructure DataDivider’s DTMF Tone Muting solution is available to achieve just this.
Some merchants find themselves in a difficult scenario where their application package vendor does not offer tokenization services in their current release of the package, or within the package at all. To avoid the potential cost of an upgrade, or where tokenization services are not available, DataDivider’s Interceptor solution can de-scope the package whether it is cloud hosted or on premise. Utilising the same Interceptor techniques described above through DataDivider’s iFrame, Data Capture Cloaking or DTMF Tone Muting solutions, DataDivider can capture cardholder data with zero exposure to the application and inject a format preserved token into the application. The injected token can meet all the edit rules of the application, including identification of card type or issuing bank and passing a Luhn check for card validation. To the application the token is handled as cardholder data. At the back end DataDivider acts as a proxy for the PSP and, as described above, performs detokenization of the API payload within the DataDivider Secure Cloud before passing it on to the PSP.
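As an added illustration (not DataDivider's code; the in-memory vault, helper names and the sample PAN are constructed stand-ins), the following shows what a format preserved token of the kind described above has to satisfy: it keeps the BIN so brand and issuer identification still works, it passes the Luhn check so the application's edit rules accept it, and it is random rather than derived from the PAN, so the PAN can only be recovered through the vault that the proxy queries at detokenization time.

```python
import secrets

def luhn_checksum(digits: str) -> int:
    """Luhn sum mod 10; the rightmost digit is position 1 and is not doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10

def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) >= 2 and luhn_checksum(number) == 0

def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit Luhn-valid (appending '0' keeps the weighting)."""
    return str((10 - luhn_checksum(partial + "0")) % 10)

def card_brand(number: str) -> str:
    """Minimal BIN-based brand detection, the kind of edit rule an application applies."""
    if number.startswith("4"):
        return "visa"
    if number[:2] in {"51", "52", "53", "54", "55"}:
        return "mastercard"
    if number[:2] in {"34", "37"}:
        return "amex"
    return "unknown"

class TokenVault:
    """Constructed stand-in for a tokenization service; the mapping never leaves the vault."""
    def __init__(self, bin_length: int = 6):
        self.bin_length = bin_length
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("input is not a Luhn-valid PAN")
        if pan in self._pan_to_token:        # same PAN always yields the same token
            return self._pan_to_token[pan]
        bin_prefix = pan[:self.bin_length]   # preserved by design: brand/issuer lookups keep working
        middle_len = len(pan) - self.bin_length - 1
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(middle_len))
            token = bin_prefix + middle + luhn_check_digit(bin_prefix + middle)
            if token != pan and token not in self._token_to_pan:   # never hand back the real PAN
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the proxy in front of the PSP should call this; applications see tokens only."""
        return self._token_to_pan[token]
```

Because the BIN is preserved, a token still reveals the issuer, which is the trade-off accepted so that legacy edit rules and routing logic need no change.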
EU GDPR
The European General Data Protection Regulation (GDPR) came into force in May of 2018 and impacts global businesses interacting with EU citizens. With fines of up to the greater of €20M or 4% of global revenues, it has the attention of most corporations doing business in Europe. Most organizations have initially focused on their obligations of identifying privacy data, deciding which privacy data they can retain, setting up opt-in tracking capabilities to retain privacy data not deemed essential, and the mandatory reporting requirements for responding to privacy data information requests and erasure requests. While all this is very necessary, it does not address probably the most critical aspect of GDPR and where the true risk of enormous fines lies: how to stop privacy data breaches.
It is exactly this latter requirement that DataDivider addresses. GDPR, unlike PCI DSS, is not a prescriptive standard. Organizations therefore have to determine their own security measures in order to meet the regulation. PCI DSS holds merchants harmless from breach fines should the merchant have been deemed compliant with the prescriptive PCI DSS standard at the time of the cardholder breach. There is no such “get out of jail free card” with GDPR. However, a lot of lessons learned within PCI DSS can be applied to GDPR. No merchant to date has experienced an external party breach when PCI DSS compliant, i.e. the prescriptive security standard works. Therefore we can extrapolate that should the prescriptive PCI DSS security controls be applied across privacy data, the likelihood of a GDPR breach will be extremely low.
The DataDivider suite of security solutions affords a business the opportunity of securing its privacy data to the same standards as PCI DSS. It does so at minimal cost and with the lowest risk of potential breach. DataDivider’s ability to isolate privacy data at the point of capture, and its ability to devalue this data prior to exposure to the business’s applications, ensures the scope of GDPR privacy data is minimized. As all access to privacy data can be managed through DataDivider’s Secure Browser, and detokenization of privacy data can be managed within DataDivider’s Secure Cloud, this furthermore ensures that application architectures remain out of GDPR privacy data scope.
Likewise, all electronic communications of privacy data can be managed by the DataDivider Secure Cloud acting as a proxy between the business and the bona fide recipient of the privacy data. As all tokenization and detokenization takes place within the Secure Cloud and all presented information is managed within the Secure Browser, this ensures the business infrastructure is not exposed to privacy data. Where printed materials including privacy data are required for external dissemination, third party secure printing partners can be utilized rather than bringing internal networks back into scope.
HIPAA
The Health Information Portability and Accountability Act (HIPAA) has a number of security ramifications for US businesses within the health care industry. Whilst HIPAA allows for the communication of relevant patient health information through proper channels for billing or healthcare, it limits the disclosure of sensitive Protected Health Information (PHI). DataDivider has partnered with Liaison Technologies and augments their services by securing the end point devices within healthcare businesses. With the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act and the associated guidance from the Department of Health and Human Services (HHS), federal regulations address data breaches for the first time, specifically breaches involving unencrypted Protected Health Information (PHI). These requirements reinforce the patient privacy requirements in HIPAA and encourage the use of electronic patient records.
With new clarity around the protection of PHI, there is an unprecedented focus on encryption of such data to provide a safe harbor that protects organizations from the costs and hassles associated with data breach notifications. Liaison’s data security solutions help healthcare organizations achieve safe harbor. Through integrated encryption, tokenization and key management capabilities, Liaison protects PHI in databases, applications and systems. DataDivider protects the capture and maintenance of PHI on end devices. Jointly our secure file transfer solution ensures secure exchange of PHI among health care providers, their business partners and patients, as well as encryption and extensive tracking and auditing capabilities.