June 30, 2023
Reduce Compliance Scope with Skyflow Elements
Learn how you can reduce your compliance scope by isolating sensitive data from your systems with Skyflow Elements. Skyflow Elements are client-side form elements embedded in an iFrame that can collect and send sensitive data directly to your Skyflow Data Privacy Vault without touching your front end or any of your infrastructure.
Securing sensitive customer data without compromising its utility is critical to the success of any business. But handling sensitive data carries compliance requirements, for example:
- PII is governed by laws like CPRA and GDPR
- Credit card details are governed by PCI DSS
- Healthcare data (PHI) is subject to HIPAA
To protect this data from misuse, you must track how it’s used, and audit the security of any systems that store or have access to this data. You should also minimize the number of systems that handle this data to avoid data sprawl and maintain a manageable scope of compliance.
A reduced compliance scope not only helps to keep sensitive data safe and private, but it also saves your company time and money because the scope of any compliance audits or questionnaires is greatly reduced when most of your systems have no access to sensitive data.
In this post, we’ll explore why it can be difficult to isolate sensitive data from your systems without sacrificing data usability. We’ll also look at how Skyflow Elements can isolate sensitive data and reduce your compliance scope. Then, we’ll show how Skyflow Elements eases compliance requirements for data governed by laws pertaining to PII, PHI, and PCI data, and how it can be used to simplify data residency. Finally, we’ll show how to implement Skyflow Elements in your architecture.
Why is Isolating Sensitive Data Difficult?
For most businesses, isolating sensitive data from their systems poses several challenges throughout the lifecycle of data collection and use. For example:
- Collection and Storage: When you collect sensitive data in a website or mobile application, it’s then stored in your application database. This puts both your front end and your application database within the scope of compliance.
- Logging and Backups: Your application will likely include some degree of logging, and your application database will require periodic backups. These logs and backup systems are also included in your scope of compliance.
- Analytics: To analyze customer behavior and glean insights, you might copy most or all of the sensitive data that you collect from customers, along with other data, into your data lake, data warehouse, or other analytics systems. These systems are now also included in your scope of compliance.
As you can see, it can be challenging to isolate sensitive data from the rest of your systems because you need to use this data to power workflows that are critical to your business. But, just because it’s a challenge doesn’t mean you can overlook the need to isolate sensitive data.
Failure to isolate sensitive data can lead to a bad case of sensitive data sprawl, which occurs when this data is replicated as it’s copied and stored across various applications, databases, data pipelines, and logs. Sensitive data sprawl makes it impossible to effectively govern access and increases the work required to comply with data privacy laws and industry standards.
The best way to avoid sensitive data sprawl and reduce your compliance scope is to use a data privacy vault to isolate, protect, and govern sensitive data. Skyflow Elements are HTML form elements contained in an iFrame that pass sensitive data directly to Skyflow Data Privacy Vault, bypassing your front end and other systems.
Tokens are provided as a response when sensitive data is sent to Skyflow. Then, you can store these tokens in your backend infrastructure so you can reference sensitive data stored in the vault, without ever having that sensitive data actually touch your systems. This prevents sensitive data sprawl by stopping it at the source.
Let’s take a closer look at how this works.
How Skyflow Elements Reduces Compliance Scope
Tokens serve as pointers to the sensitive data stored in Skyflow, and can be used to access that data in the future, subject to fine-grained access controls.
Here’s a high-level look at how using Skyflow Elements isolates sensitive data in a typical enterprise architecture:
Using Elements to fully isolate sensitive data from your other systems as soon as it’s collected reduces your compliance scope and improves the security of this data.
Note: If you don’t want to use Elements to capture sensitive data, you can still capture sensitive data in your front end, and then send that data from your backend to Skyflow using one of our server side client libraries for Node.js, Go, or Python, or using our REST API. But, this approach will put your front end and part of your backend in compliance scope.
Reduce PCI Compliance Scope with Skyflow Elements
If your business handles sensitive customer payment data, maintaining PCI compliance is a mission-critical business need. The Payment Card Industry Data Security Standard (PCI DSS) mandates strict security standards to protect payment data. Non-compliance can lead to significant financial penalties, legal repercussions, and the loss of customer trust.
Using Skyflow Elements, your business can significantly reduce your PCI compliance scope and simplify your implementation. Your front end, backend, and analytics can remain outside of the scope of compliance.
And, once you’ve isolated customer PCI data in Skyflow, your business can orchestrate payments among multiple payment service providers (PSPs), so you can:
- Avoid Payment Processor Lock-In: If you’re “locked-in” to a single payment vendor, you have little to no control over fee changes and outages – and no way to quickly respond if payment services are canceled.
- Expand Geographic Coverage: As you expand your business internationally, the need for more than one payment gateway becomes acute. Some PSPs charge more for transactions in certain countries or have other limitations like only supporting certain currencies or payment methods.
- Enhanced User Experience: By limiting yourself to a single PSP, you’ll often face situations where you can’t serve a given customer using their preferred payment method. With multiple PSPs, you can serve a wide variety of customer needs and payment methods.
- Optimized Payment Stack: Using multiple PSPs helps you to optimize your payment stack so that you can increase conversion rates, minimize declined transactions, and process transactions optimally.
- Payment Gateway Backup: Even the best payment services in the world can have downtime. Your business will share in this downtime if you’re limited to a single payment gateway that’s undergoing an outage. By working with multiple PSPs and using multiple gateways, you can reroute authorization and transactions to an alternative payment processing vendor.
- Control Over Analytics: Many PSPs lack certain features, like privacy-preserving analytics. And, the type of data that you can get from each PSP varies from one vendor to another. With PCI data stored in Skyflow, you can maximize privacy without sacrificing data analytics utility.
But, Skyflow Elements doesn’t just help to reduce the compliance scope for PCI. It also helps to reduce the compliance scope for other types of sensitive data you might collect from customers, including PII and PHI.
Use Skyflow Elements to Reduce Compliance Scope for PII & PHI, and Ease Data Residency
If your company handles PII, or works in healthcare and handles PHI, then you probably need to handle social security numbers (SSNs) or a similar type of sensitive ID number. Such sensitive information is required to complete mission-critical workflows like customer identity checks.
In the United States, PII is protected by state-level laws like CPRA in California, and PHI is protected by laws like HIPAA. Internationally, personal data (i.e., PII) is protected by GDPR in the EU and similar laws in countries around the world. So, to preserve customer trust and comply with a variety of laws, it’s important that you do whatever you can to protect sensitive IDs like SSNs and preserve your customers’ data privacy.
By using Skyflow Elements to capture PII and PHI before it’s exposed to your systems, you reduce your compliance scope and protect this sensitive data from misuse.
Using Skyflow Elements also simplifies data residency. Rather than replicating your infrastructure in each location with data residency requirements, you can instead set up a Skyflow Data Privacy Vault in each location, while keeping your analytics and other infrastructure centralized. You can read more about our scalable approach to data residency in our data residency blog post.
A Closer Look at Skyflow Elements
Using Skyflow Elements gives you complete control over the branding, customization, rendering, and behavior of your data collection form while freeing you from the need to directly handle the data that you collect.
After you’ve added this dependency you’ll initialize a Skyflow client, specifying the Vault URL and the Vault ID. When you initialize the Skyflow client, you also specify and define a helper function that will make a secure request against your back-end for a fresh bearer token that you can use to authenticate requests from your client web application to your Skyflow Data Privacy Vault.
This is all the setup that’s required to start securing your customers’ sensitive data.
Step 2: Create a Container to Collect Data from Clients
The Skyflow container is where you associate various “collect” Elements that you’ll create for each input field in your web form. The collect Element should be associated with a specific column in a specific vault, and it can also define optional styling, and specify input types, labels, and other configurable options. After creating all of the collect Elements you need for your form, be sure to associate them all with the Skyflow container.
Next, you’ll need to mount the collect Elements to your DOM by creating one or more dedicated <div> elements with specific collect element IDs. At this point, you can include optional parameters that tell the Skyflow API to create tokens that point to the sensitive data collected by the input field that you’ve created.
Step 3: Collect Customer Data with Skyflow Elements
When a customer enters their payment information into a Skyflow Element, the data is immediately tokenized, meaning it is replaced with a unique identifier that is meaningless outside of Skyflow’s secure environment. The sensitive payment data is then encrypted and securely stored, with Skyflow acting as the custodian of the data.
You can see how this works in the following illustration, which shows how sensitive payment card data is collected from the user on the left side, and shows the tokenized data returned from Skyflow to the front end on the right side:
By using Skyflow Elements, you can reduce the compliance burden for your business.
Since data is tokenized and encrypted before it even reaches your systems and infrastructure, your business doesn't need to worry about storing, transmitting, or processing sensitive data. This means that businesses can significantly reduce their PCI compliance scope, as they no longer need to comply with the strict requirements for protecting payment data.
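Steps 1 through 3 above, shown as an added example (not code from the original post) that uses the skyflow-js browser SDK calls `Skyflow.init`, `container`, `create`, `mount` and `collect`. The SDK object is passed in as a parameter; the token endpoint path, the response field `accessToken`, the table and column names, and the mount selectors are assumptions.

```javascript
// Added example: wiring for Steps 1-3. In a browser page the SDK comes from
//   import Skyflow from 'skyflow-js';
// Assumed placeholders: cfg.tokenEndpoint, cfg.table, column names, '#...' selectors.

// Step 1 helper: ask your own backend for a short-lived bearer token.
// The backend holds the vault credentials; the browser never does.
function makeGetBearerToken(tokenEndpoint, fetchImpl = globalThis.fetch) {
  return async () => {
    const res = await fetchImpl(tokenEndpoint, { credentials: 'same-origin' });
    if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
    const body = await res.json();
    return body.accessToken; // assumed response shape: { "accessToken": "..." }
  };
}

function buildCardForm(Skyflow, cfg) {
  // Step 1: initialize the client with the vault ID, vault URL and token helper.
  const client = Skyflow.init({
    vaultID: cfg.vaultID,
    vaultURL: cfg.vaultURL,
    getBearerToken: makeGetBearerToken(cfg.tokenEndpoint, cfg.fetchImpl),
  });

  // Step 2: one collect container; one Element per input, bound to a vault column.
  const container = client.container(Skyflow.ContainerType.COLLECT);
  const fields = [
    { column: 'card_number', type: Skyflow.ElementType.CARD_NUMBER, label: 'Card number', mountAt: '#card-number' },
    { column: 'expiry_date', type: Skyflow.ElementType.EXPIRATION_DATE, label: 'Expiry', mountAt: '#expiry-date' },
    { column: 'cardholder_name', type: Skyflow.ElementType.CARDHOLDER_NAME, label: 'Name', mountAt: '#cardholder-name' },
  ];
  for (const { mountAt, ...definition } of fields) {
    // mount() renders the Skyflow-hosted iframe inside your empty <div>.
    container.create({ table: cfg.table, ...definition }).mount(mountAt);
  }

  // Step 3: on submit the iframes send the values to the vault and the page
  // receives records whose fields hold tokens instead of the raw values.
  async function submit() {
    const result = await container.collect({ tokens: true });
    // Forward only this to your backend; it never sees the card data itself.
    return result.records.map((r) => ({ table: r.table, fields: r.fields }));
  }
  return { submit, mounted: fields.map((f) => f.mountAt) };
}
```

Call `buildCardForm(Skyflow, cfg)` once the three empty `<div>` elements exist in the DOM, and wire `submit()` to your form's submit button.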
Implementing Skyflow Elements
Implementing Skyflow Elements is a straightforward process that can be completed in just a few simple steps. Here’s an example of how your business might implement a Skyflow Element to securely collect and store customer credit card information:
- Sign up for Skyflow: Your business must first sign up for a Skyflow account to start using Skyflow Elements.
- Install the Skyflow SDK: Once the account is set up, you can download and install the Skyflow SDK, which contains all the necessary tools and components needed to integrate Skyflow Elements into your workflow.
- Add a Skyflow Element to the Website or Application: With the SDK installed, you can add a Skyflow Element to your website or application by copying and pasting a few lines of code included in our SDK.
- Customize the Skyflow Element: Skyflow Elements are customizable, meaning you can choose which data fields to collect, what these fields look like, and how they behave. You can also add custom validation rules and error messages.
- Start Collecting Data: With the Skyflow Element in place, your business can start securely collecting sensitive customer data without ever seeing or storing it in your systems. This data is automatically tokenized and encrypted by Skyflow and securely stored in the Skyflow Data Privacy Vault.
Skyflow Elements provides a variety of benefits for businesses that handle sensitive customer data. Some of the most significant advantages include:
- Reduced PCI compliance scope: Skyflow Elements take on the burden of securing sensitive customer data, allowing businesses to focus on other aspects of PCI DSS compliance
- Enhanced Security: Since data is tokenized and encrypted before it even reaches the business, the risk of data breaches or theft is significantly reduced
- Improved Customer Trust: By using Skyflow Elements, businesses can assure their customers that their data is private and secure
- Simplified Implementation: Skyflow Elements are pre-built components that can be easily integrated into existing workflows, reducing the need for businesses to build and maintain their own secure data storage systems
- Ease Data Residency: You can simplify data residency and avoid replicating your infrastructure in multiple geographies by collecting sensitive data with Skyflow Elements
By using Skyflow Elements, businesses can focus on other aspects of their operations, knowing that their customer data is being handled responsibly and securely.