Privacy and Compliance
Meet PCI, GDPR, CCPA, HIPAA, and other regulatory requirements with ease
Global privacy and data protection regulations continue to evolve, requiring stricter controls, especially as ever-larger volumes of data are collected and stored in cloud and hybrid data stores. Organizations must support the business need for digital transformation and data sharing across their partner ecosystems while also ensuring compliance with regulations such as PCI DSS, GDPR, CCPA, and HIPAA.
Privacy Principles and Requirements
Most global data privacy and compliance requirements are centered around the following Organisation for Economic Co-operation and Development (OECD) Privacy Principles.
Data Collection Limitation
Personal data should be collected lawfully and with the knowledge and consent of the data subject, with appropriate limits around the collection of such data.
Data Quality
All collected personal data should be relevant, accurate, complete, and kept up to date.
Purpose Specification
The purposes for which personal data are collected should be specified no later than at the time of data collection, and subsequent use should be limited to the fulfillment of those purposes, or of such others as are not incompatible with them and are specified on each occasion of a change of purpose.
Use Limitation
Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified in accordance with the Purpose Specification principle, except:
- With the consent of the data subject; or
- By the authority of law
Security Safeguards
Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.
Openness
There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available for establishing the existence and nature of personal data and the main purposes of their use, as well as the identity and usual residence of the data controller.
Individual Participation
An individual should have the right to:
- Obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to them;
- Have communicated to them data relating to them:
  - within a reasonable time;
  - at a charge, if any, that is not excessive;
  - in a reasonable manner; and
  - in a form that is readily intelligible;
- Be given reasons why a request is denied, and be able to challenge such a denial; and
- Challenge data relating to them and, if the challenge is successful, have the data erased, rectified, completed, or amended.
Accountability
A data controller should be accountable for complying with measures which give effect to the principles stated above.
Privacy and Compliance with Baffle
Baffle Data Protection Services (DPS) protects data on-premises and in the cloud via a "no code" and "low code" data security mesh. The solution provides universal data protection by de-identifying sensitive data and restricting access to it. In a Zero Trust world, where one must assume a breach has already occurred, this data security layer lets companies control who can see what data.
With Baffle, organizations can easily implement controls and policies for compliance with many standards, including PCI DSS, HIPAA, GDPR, and CCPA. Protecting data in use and at rest also provides safe harbor in case of a breach.
The table below highlights how Baffle’s capabilities map to the OECD Principles.
| OECD Principle | Reusable Data-Centric Controls | Baffle Data-Centric Protection Control |
|---|---|---|
| Collection Limitation | Consent management portals or databases | Access control for sensitive data implemented with RBAC and Active Directory integration |
| Purpose Specification | Data discovery, metadata management, data security governance (DSG) | Integration with data discovery tools and DSG frameworks |
| Use Limitation | Data masking for dev/test data, data warehouses, ML/AI-based analytics | Field-level masking, format-preserving encryption (FPE), and AES 256-bit encryption options implemented with a no-code model |
| Use Limitation | Information life cycle management (e.g., SAP ILM) | Rotation of keys to keep the security posture current while the data is in the collector's possession |
| Security Safeguards | Best-practice data-centric security architecture | Protection of sensitive data at rest and in use with application-layer encryption; the ability to process encrypted data without decryption gives a "fail-safe" posture |
| Security Safeguards | Monitoring and response, automated breach notification tool, incident response plan | Integration with SIEM frameworks to flag access to sensitive data |
| Security Safeguards | Tokenization or format-preserving encryption of personal data | Support for FPE, which removes the dependence on where the data physically resides without any impact on the amount of storage used |
| Individual Participation | Automation of subject rights requests (SRRs) | Implemented with access control of sensitive data |
| Individual Participation | Logical and physical erasure | Implemented using encryption keys that are stored separately from the data and can be revoked |
| Accountability | Data security governance, privacy cockpits | Enables Data Protection Impact Assessments (DPIAs) by sharing logs of access to sensitive data |
| Accountability | Data security governance, privacy cockpits | Enables auditing and continuous compliance by sharing logs of access to sensitive data |
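The erasure row of the table describes a pattern often called crypto-shredding: each data subject's records are encrypted under their own key, the keys live in a store separate from the data, and an erasure request is fulfilled by revoking the key, which makes every copy of the ciphertext (replicas, backups, exports) unreadable at once. The following Python is an added illustration of that pattern and is not Baffle's code. The cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, used only so the example runs on the standard library; it stands in for the AES-256 the page mentions. The `KeyStore` and `DataStore` classes, the subject and field names, and the sample record are all constructed for the example.

```python
"""Crypto-shredding: erasure by revoking a per-subject key held apart from the data.

Added example, not Baffle's code. The stand-in cipher below is an HMAC-SHA256
keystream in counter mode plus an encrypt-then-MAC tag; a real deployment would
use AES-256-GCM or a similar AEAD.
"""
import hashlib
import hmac
import os
import secrets


class KeyStore:
    """One data-encryption key per data subject, kept separately from the records."""

    def __init__(self):
        self._keys = {}

    def key_for(self, subject_id):
        # Create the subject's key on first use. A subject whose key was revoked and
        # who later re-enrolls gets a fresh key; old ciphertexts stay unreadable.
        if subject_id not in self._keys:
            self._keys[subject_id] = secrets.token_bytes(32)
        return self._keys[subject_id]

    def has_key(self, subject_id):
        return subject_id in self._keys

    def revoke(self, subject_id):
        # Logical erasure: once the key is gone, every ciphertext for this subject
        # is unrecoverable no matter how many copies or backups of the data exist.
        self._keys.pop(subject_id, None)


def _keystream(key, nonce, length):
    # HMAC(key, nonce || counter) blocks, concatenated and truncated to `length`.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(key, plaintext):
    """Return nonce || ciphertext || tag for one field value (bytes)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt_field(key, blob):
    """Verify the tag first, then decrypt; raises ValueError on any tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class DataStore:
    """Holds only ciphertext; it never sees a key except at the moment of use."""

    def __init__(self, keys):
        self.keys = keys
        self.rows = {}  # subject_id -> {field: blob}

    def put(self, subject_id, field, value):
        key = self.keys.key_for(subject_id)
        self.rows.setdefault(subject_id, {})[field] = encrypt_field(key, value.encode())

    def get(self, subject_id, field):
        if not self.keys.has_key(subject_id):
            return None  # key revoked: the row still exists but is permanently unreadable
        return decrypt_field(self.keys.key_for(subject_id), self.rows[subject_id][field]).decode()


def erasure_demo():
    """Constructed walk-through: store a field, read it, revoke the key, read again."""
    keys = KeyStore()
    store = DataStore(keys)
    store.put("subject-42", "email", "alice@example.com")  # constructed sample record
    before = store.get("subject-42", "email")
    keys.revoke("subject-42")  # the subject's erasure request
    after = store.get("subject-42", "email")
    ciphertext_still_stored = "email" in store.rows["subject-42"]
    return before, after, ciphertext_still_stored


if __name__ == "__main__":
    print(erasure_demo())  # ('alice@example.com', None, True)
```

The point the demo makes is that erasure and data deletion are decoupled: the ciphertext row is still physically present after `revoke`, yet no reader can recover the value, and the key store (not the data store) is the place an auditor checks to confirm the erasure took effect. The same separation is what allows key rotation (the "Use Limitation" row) to be performed on the key store without rewriting every record at once.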
These compliance standards and governance bodies help protect industries and individuals from data loss and from exposure of personally identifiable information (PII). One industry that relies heavily on compliance is e-commerce and payment processing, and a closer look at its data security standard shows the level of protection required. In the credit card industry in particular, threats are constantly changing, and attackers continue to refine their methods and tooling.
Payment Card Industry Data Security Standard (PCI DSS)
The governing body that regulates and enhances the scope of PCI DSS is the PCI Security Standards Council. PCI SSC was established by the major credit card companies in 2006. The role of PCI SSC is to establish PCI DSS requirements and how to protect data in the cardholder data environment (CDE).
Payment processors must be vigilant in shielding customer data and credit card information. Being PCI DSS compliant means that cardholder data, including primary account numbers (PANs) and associated PII, is tokenized and that the tokenized data is kept secure. But this is just the beginning: ongoing training and compliance audits must take place to keep compliance current. Enforcement of compliance is the responsibility of the individual payment brands and acquiring banks.
In contrast, the council's role is to set the PCI DSS requirements and outline best practices for staying compliant. One such approach is the PCI 3-step process, which consists of the following:
- Assess. Identifying cardholder data, taking an inventory of IT assets and business processes for payment card processing, and analyzing them for vulnerabilities.
- Remediate. Fixing vulnerabilities and eliminating the storage of cardholder data unless absolutely necessary.
- Report. Compiling and submitting required reports to the appropriate acquiring bank and card brands.
Baffle helps organizations meet PCI DSS compliance requirements for data migrated to or used in the cloud, as well as on-premises. Key capabilities include:
- On-the-fly data de-identification without application code changes
- Tokenization of data inside data lakes, data warehouses, databases, objects, and files
- Format-preserving encryption (FPE) that meets Luhn check requirements
- Preservation of the protected data's referential integrity
- Role-based access control over who can see what data
- Highly performant architecture with near-zero performance impact
- BYOK to ensure data confidentiality from cloud providers and administrators
- Safe harbor from accidental data leaks
- Privacy-enhanced computation to run any mathematical operation on protected data without ever decrypting it
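The Luhn and referential-integrity bullets above are easy to state and easy to get wrong: a token that replaces a PAN must still pass the Luhn check that downstream systems apply, and the same PAN must map to the same token in every table or joins break. The following Python is an added example, not Baffle's code, of de-identifying a card number so that the BIN (first six digits) and last four digits survive, the middle digits are replaced by a keyed pseudo-random digit string, and the result is Luhn-valid. The HMAC digit stream is an illustrative stand-in for a standardised FPE mode such as NIST FF1, not an implementation of one; `tokenize_pan`, its `keep_prefix`/`keep_suffix` parameters, and the sample key are assumptions, and the sample PAN is a well-known test number, not real cardholder data. It works for any PAN length from 13 to 19 digits, not only the 16-digit case.

```python
"""Luhn-preserving de-identification of a PAN.

Added example, not Baffle's code. The middle digits are derived from an HMAC of
the PAN under a key (a stand-in for a real FPE mode such as NIST FF1), and one
middle digit is then steered so the whole token still passes the Luhn check.
"""
import hashlib
import hmac


def luhn_check_digit(partial):
    """Return the check digit that makes `partial` + digit Luhn-valid."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # the digit just left of the check digit is in a doubled position
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number):
    """True if `number` is all digits and its last digit is the correct Luhn check digit."""
    return number.isdigit() and len(number) >= 2 and luhn_check_digit(number[:-1]) == int(number[-1])


def tokenize_pan(pan, key, keep_prefix=6, keep_suffix=4):
    """Return a Luhn-valid token that keeps the BIN and last four digits of `pan`.

    The replacement digits come from HMAC-SHA256(key, pan), so the mapping is
    deterministic per key (the same PAN gives the same token in every table, which
    preserves referential integrity) and cannot be reproduced without the key.
    """
    if not luhn_valid(pan):
        raise ValueError("input is not a Luhn-valid PAN")
    n_middle = len(pan) - keep_prefix - keep_suffix
    if n_middle < 1:
        raise ValueError("PAN too short to have a middle segment to protect")
    digest = hmac.new(key, pan.encode(), hashlib.sha256).digest()
    # One digit per digest byte; the modulo introduces a slight bias that is
    # acceptable for illustration but is exactly what a real FPE mode avoids.
    middle = "".join(str(b % 10) for b in digest[:n_middle])
    prefix, suffix = pan[:keep_prefix], pan[-keep_suffix:]
    # Steer the last middle digit so the token passes Luhn. Exactly one of the ten
    # candidates works, because both the doubled and the undoubled Luhn digit maps
    # are permutations of the residues mod 10.
    for d in "0123456789":
        candidate = prefix + middle[:-1] + d + suffix
        if luhn_valid(candidate):
            return candidate
    raise AssertionError("unreachable: one candidate digit always satisfies Luhn")


if __name__ == "__main__":
    sample_key = b"constructed-demo-key"        # assumption: a per-environment secret
    sample_pan = "4111111111111111"             # well-known test number, not real data
    token = tokenize_pan(sample_pan, sample_key)
    print(token, luhn_valid(token), token[:6] == sample_pan[:6], token[-4:] == sample_pan[-4:])
```

Two properties are worth checking in any tokenization pipeline, not just this toy one: every token must validate under the same checks the original did (otherwise dev/test systems fed with tokenized data start failing on "invalid" card numbers), and tokenization must be deterministic within one key scope so that the same cardholder joins correctly across tables, while a different key scope yields unrelated tokens.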
Baffle delivers an enterprise-level transparent data security mesh that secures data at the field or file level via a "no code" model. The solution supports tokenization, format-preserving encryption (FPE), database and file AES-256 encryption, and role-based access control. As a transparent solution, it supports cloud-native services with almost no performance or functionality impact.