PYMNTS-MonitorEdge-May-2024

Data Rails Anonymize Card Info Through Aliases And Data Teleportation

Data teleportation. It may sound like something out of “Doctor Who” or “The Fly” (hellllppp meee!) — a “now-you-see-it, now-you-don’t” sleight of hand where information is here, and then (poof) it’s over there.

As Very Good Security Co-founder and CEO Mahmoud Abdelkader told Karen Webster, data teleporting — specifically through aliasing — can offer a level of protection beyond tokenization or encryption. It all boils down to data rails, he said, which act like any one of the financial rails that are in place in the world.

As he told Webster, payment rails move money from point A to point B, without requiring a sender, recipient or rail to have physical interaction with bills or coins. Extrapolating on that model, he said, moving data between points — without actually moving data or having to store it at endpoints — can reduce the threat surface area of that data, rendering it safe from hackers and from being compromised.

“We can build secure perimeters, which can help build next-generation companies or products,” Abdelkader said. “The key lies in extracting the value of that data while keeping it safe, no matter the rails over which it travels.”

He pointed to banking as a parallel, where Federal Reserve rails, banks and card networks all link together, creating a trusted infrastructure. But we choose our providers — J.P. Morgan, for example, or Bank of America — based on the value-add they provide through lower fees, loyalty rewards or convenient access to ATMs.

Along the way, tokenization has proven to have at least some value, as the underlying data is revealed only at an authorized endpoint or destination. But tokenization has its limitations, Abdelkader noted. Take air miles, for example, where miles earned on United can only be used for United flights, and one wouldn’t be able to “convert” those miles to Southwest. As he explained, the user would have to convert those miles back into dollars and then exchange those dollars into Southwest miles.

Ah, but aliasing can be flexible: “What aliasing does is say, ‘we’ll give you a universal loyalty point that can be converted to either a United or Southwest mile,’” Abdelkader explained. Policies embedded in the alias can dictate whether the mile can be converted into rewards at either of those airlines. The data are bound to their policies and destination, he said — a philosophy of security that “can follow data around” and be used across any number of use cases.

Aliasing collects, stores and transfers this same data in what might have been thought of as its raw state, but without ever possessing it (the aliasing process is known as “Zero Data,” which was profiled in another conversation).

“If it leaks or somebody takes it” or tries to use it at an unsanctioned endpoint, “it’s useless,” Abdelkader said of the alias and the data tied to it.

Aliases can make even the friction points of commerce a bit more seamless, he said. If a consumer disputes a transaction or needs to get a refund, rather than going through the process of giving a credit card number to a call center agent, working through transactions over the phone and reviewing records, Very Good Security sits between the customer and the agent to transit aliases to portals or agents to complete the refund.

No Need To Speak The Same Language   

Regardless of the type of interaction, the endpoints don’t need to speak the same language, Abdelkader said, and the rail does the work of making sure that authorizations and aliases are in place. And aliases can have multiple representations of the underlying data itself, with nuances (such as zip codes, for emailing or marketing) that mean developers don’t have to interrupt their workflows.

“Ultimately, you say, okay, it’s time to ‘reveal’ the data and we’ll do the last step, and we will actually rewrite what you sent to us,” explained Abdelkader. “We will replace that fake substitute data with the real data” across an immutable ledger. There is no decryption unless the endpoint is verified, and no PII resides on servers. Customers can mandate that data instantly “disappears” if certain conditions are met, which helps ensure data privacy.
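The alias-and-reveal flow described above, sketched as an added example that is not Very Good Security's code or API: the `AliasVault` class, the `forward` function, the `tok_` prefix, the host names and the test card number are all constructed for illustration. It shows an alias bound to a destination policy, rewritten to the real value only on the way to a sanctioned endpoint, and useless once revoked.

```python
import secrets


class AliasVault:
    """Toy in-memory vault (hypothetical): alias -> (real value, allowed hosts)."""

    def __init__(self):
        self._store = {}

    def redact(self, value, allowed_hosts):
        """Inbound leg: keep the real value here, hand the caller a random alias."""
        alias = "tok_" + secrets.token_hex(8)  # carries no information about value
        self._store[alias] = (value, frozenset(allowed_hosts))
        return alias

    def reveal(self, alias, dest_host):
        """Return the real value only if dest_host is sanctioned for this alias."""
        entry = self._store.get(alias)
        if entry is None:
            raise KeyError("unknown or revoked alias")
        value, allowed = entry
        if dest_host not in allowed:
            raise PermissionError(f"{dest_host} is not authorized for this alias")
        return value

    def revoke(self, alias):
        """Make the data 'disappear': the alias can never be revealed again."""
        self._store.pop(alias, None)


def forward(vault, payload, dest_host, alias_fields=("card_number",)):
    """Outbound leg: swap aliases for real data in a copy bound for dest_host."""
    out = dict(payload)  # the caller's stored payload keeps only the alias
    for field in alias_fields:
        if field in out:
            out[field] = vault.reveal(out[field], dest_host)
    return out


if __name__ == "__main__":
    vault = AliasVault()
    # Constructed sample: a well-known test card number, never a real PAN.
    alias = vault.redact("4111111111111111", {"api.processor.example"})
    order = {"card_number": alias, "amount": 1200}  # what the merchant stores
    print(forward(vault, order, "api.processor.example"))
    try:
        forward(vault, order, "unsanctioned.example")
    except PermissionError as exc:
        print("blocked:", exc)
```
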

“VGS is data teleportation,” he told Webster. “Everyone is flying data all over the place, and we are saying, ‘separate the value from the physical movement of data.’”
