Preparing For A Break In

No system is entirely safe from malicious intrusion. Regardless of the care taken to secure systems, you must plan on how to deal with an intruder.

Tokenization is a vital factor in preparing for that break-in. Thieves cannot steal what you do not have. Tokenization moves your vitally important sensitive personal and financial data out of your environment and into Auric’s PCI and HIPAA compliant hosting environment.

AuricVault® tokens are randomly-generated strings of numbers and letters that have no relationship to the stored data. If someone were to steal all your tokens, they still would not have any of your sensitive data.

This is an important fact to consider if you decide to generate your own token IDs vs. using the auto-generated IDs from the service. The method by which you generate the token ID needs to be unrelated to the stored data. For example, the token should not be a cryptographic hash of the stored data. Nor should it be some sort of scrambling or letter/number substitution scheme. If you calculate a token based on the data provided, it could be possible for someone else to calculate the data from the token. Sequence or time based token IDs are also not secure.

It is your responsibility to safeguard any sensitive stored data and to defend against malicious intrusion.

Auric Also Prepares

The concept that “Nothing is 100% secure.” also applies to the AuricVault® service. When implementing your tokenization strategy, you need to keep in mind what would happen if the AuricVault® storage is breached.

Consider this scenario when determining what data to store in a single token. If you store a credit card number in a token, and the service was compromised to the point where someone could decrypt that data, the credit card account number by itself is useless. However, if you store the credit card account number and the expiration date (or billing address information) in the same token, then you have a situation where the compromised data is useful to the intruder. Similarly, a taxpayer ID number by itself is not particularly useful, but a taxpayer ID number stored in the same token with a name and address is informative and helpful to the attackers.

Any combination of PCI DSS (PCI Data Security Standard) or Protected Health Information (defined by the Health Insurance Portability and Accountability Act – HIPAA) accessed by non-authorized entities presents substantial legal and financial ramifications. Such infringements cannot be taken lightly as the liability is considerable.

Auric takes prudent measures to ensure our environment is secure as well as being both PCI and HIPAA compliant. Auric Systems International, as well as our hosting providers Flexential and Armor are all Level 1 PCI Validated Service Providers and undergo third-party reviews on a regular basis.

Auric maintains their encryption key management system in a separate facility from the tokenized data storage.

Following prudent practices and thinking carefully about the stored data ensures your sensitive data remains safe at all times.