To protect what you’ve got — lock it away, build a wall, maybe a moat. Maybe hide the valuables. And pray.
It all gets a lot harder in the digital age.
Transferring money, or data, or sensitive personal information (okay, pretty much anything) across the web means that data can be copied as it moves from place to place. That also means data is vulnerable as it moves.
Mahmoud Abdelkader, co-founder and CEO of Very Good Security (VGS), said the current security and compliance approach is fundamentally flawed — it doesn’t keep people safe, and it hamstrings businesses.
He was quick to point out: “Over time it has become flawed. It wasn’t flawed initially.”
The traditional, classic model of protecting something has remained the same, whether protecting physical valuables or digital assets. That includes money, of course, where, say, digitized token vaults have taken their place alongside bank vaults.
“When you and I exchange money, we’re not actually physically exchanging cash any longer,” he told Karen Webster. “One of the things we’re doing is we’re just moving instructions around and the value gets transferred locally to you.”
And there are vulnerabilities at the endpoints — the senders and the receivers of that valuable (digital) payload of funds. But PII (personally identifiable information), medical charts, all manner of info about who we are and what we do can lure cyberthreats.
And, of course, it’s a never-ending battle.
That means companies make endless investments (in time and money) in protecting their sensitive data — assets that could be used to grow the business.
Zero Data
One solution, he said, lies with the Zero Data approach.
In offering up the guiding principle in a nutshell, he said, “What if we’re able to move the value of data without physically needing to move the data itself?”
That approach, he said, is tailor-made for the great digital shift, as companies of all sizes and verticals must mull how they are protecting assets and customers.
After all, as he said, enterprises are grappling with a regulatory landscape that has “real fines and real teeth. You’re going to have to address this problem, head on and the traditional way of doing it that we did before just does not apply in this modern day and age.”
The Zero Data approach replaces sensitive data with synthetic data, which means that the value and the business logic that has produced that data are separated from the custodianship of that data.
Because of that, firms no longer need to acquire or hold that sensitive data as they run their operations, effectively rendering them useless targets for bad actors.
And as Abdelkader said, the approach gives merchants the ability to have more control over their data, yes, and the freedom to route transactions to lower-cost payments service providers.
At a high level, he said, VGS becomes the custodian, as well as the responsible and liable party for storing data for its enterprise clients, in the same way that the bank is the custodian and the liable party for deposits made with that financial institution (FI).
“The best way to think about VGS is that we are effectively the existing banking and processing and payment rails, but just for any types of data,” he said.
Drilling down a bit, the process has several parts. VGS, he said, takes care of all the encryption, data keys and jurisdictional constraints.
As is germane to payments, the Zero Data approach is ideal for credit card transactions. In that scenario, said Abdelkader, sensitive card data can be collected directly from the consumer at the point of interaction — the merchant’s website. Abdelkader noted that the merchant never handles the card data during the transaction and never needs to store that data.
“But then instead of giving them back,” he said, “where in the payments world you give parties a token, we will actually mimic the original value that we replace.” (And, as stated, the original value is encrypted in the VGS system.)
This means that companies don’t need to change their applications and don’t have to hire new developers — and they certainly don’t need to retrofit existing applications. Client firms can take their existing databases and applications and wrap VGS around them — and effectively make it so that the database never has to “see” the sensitive data.
Think of it as the “secret sauce” behind the process — namely, how VGS separates the value of the data from the storage itself.
Reversing The Interactions
“We figured out a way to reverse the interaction,” he said.
For example, an Excel spreadsheet operates as users pull data out and put it into the sheet. But in an inverse scenario, he said, a user would create the formulas and push them to the data. That data does not get withdrawn, and VGS reduces the “surface area” upon which the data can sprawl.
It eliminates the problems inherent in tokenization, where data is pulled in and put back out into the world. Tokenization also drives up costs for merchants, who pay fees to whatever providers they’re working with — and to the payment methods or networks with which those tokenizers have linked and integrated.
A Zero Data approach, he said, gives “maximum flexibility” to card issuers, payment processors, payment gateways and other firms — and even consumers, should platforms and tech giants sign on — that want to maximize the value of their data without having to inherit the risk and liability that is tied to that data.
Some Use Cases
He pointed to clients using VGS to onboard and import payment credentials to set up “best cost” transaction routing (VGS has built a gateway that’s free for clients’ self-hosting, eliminating PayFAC risk or having to grapple with fraud).
Looking Ahead
He noted that getting this approach more widely used in the field requires more education, and showing that “instead of using a telegram, you can use a cellphone. And modern consumers are realizing that privacy is not a luxury, it’s a basic right.”
There are also inroads to be made in healthcare, where, serving as a gateway for sensitive data, the Zero Data approach can make sure patients’ info is protected and help establish whether a patient might be eligible, for example, for a cheaper generic versus a more expensive brand-name drug.
The company will also help client firms create, issue and maintain card loyalty programs (beyond having to work with physical data centers or routers).
“I fundamentally believe that we can change the way data security and compliance holds back business initiative,” he told Webster. “I think we can transform data security with zero data and really make it a business enabler.”