November 29, 2021
Skyflow Connections: Mission-critical Integrations that Don’t Break Privacy
For many workflows, you need to send PCI, PHI, or PII data to a third-party service for processing. And you need to do all of this while remaining compliant with stringent regulatory requirements like PCI DSS.
Workflows like these can be challenging to support because when you directly handle sensitive data, you need to ensure continuous data security to keep all your services in compliance with regulations. That’s why we built Skyflow Connections — a new way to integrate your Skyflow Data Privacy Vault with third-party services that require access to sensitive data. With Skyflow Connections, you can quickly and securely integrate third-party services like Visa, Stripe, Adyen, MuleSoft, and many more with your vault — while offloading compliance requirements to Skyflow.
Third-Party Integrations without Skyflow
For example, let’s say that you work for a neobank that offers debit card services. To do this, your bank has to integrate with a card issuance service provider like Visa DPS. And this integration requires your bank’s customer PCI data.
The first challenge you face is to stitch together multiple sources of PCI and PII data — just to send a single request to the Visa card services API. You can solve this by building and maintaining your own data vault where you logically isolate all of the sensitive data. However, you will soon run into another challenge: PCI compliance. To process, store, or transmit credit card data, you need to be PCI DSS compliant. So, regulations require your data vault to be PCI compliant as well. Here is a blog post on what’s involved with this approach.
Additionally, you’d have to navigate the complexities of integrating your backend with Visa. Integrating with Visa APIs requires that both SOAP and REST API interactions use secure mTLS channels with Message Level Encryption (MLE).
You could potentially solve all of these challenges on your own, but it would require time, money, and hiring the right experts in data privacy, security, integrations, APIs, and compliance. This would definitely increase the time required to ship card services to your customers.
Integrate and Ship Faster with Skyflow Connections
With Skyflow’s Data Privacy Vault, you can leverage Skyflow’s expertise on data security and privacy to isolate and protect sensitive data. And now with Connections, you can use the sensitive data stored in your Skyflow vault to integrate with third-party services. At the core of Connections are Skyflow’s built-in tokenization and relaying capabilities. With each insert into the Skyflow Vault, you get a token back that references sensitive data. So, you don’t store any sensitive data on your end; instead, you store tokens that reference sensitive data.
To illustrate, consider a card issuance workflow with Visa DPS. When it’s time to process a new customer card request, you only need to send tokens to Connections. The Connections service then relays the sensitive data that corresponds to those tokens to Visa DPS to complete the card issuance workflow. Other workflows follow a similar pattern.
Here is an illustration of how this works:
1: Card Issuer calls Skyflow Connections to issue a debit card: Your backend service sends tokens that reference PII stored in your Skyflow data privacy vault to start this workflow.
2: Skyflow Connections calls Visa’s DPS API: Skyflow sends detokenized sensitive data using mTLS + MLE secure channels.
3: Visa DPS sends a new card PAN to Skyflow: Visa sends the new card PAN to Skyflow, where it is tokenized.
4: Card Issuer receives PAN token: Skyflow sends the card PAN token back to your backend service.
In this workflow, your backend service is never exposed to PCI data. In fact, your company doesn’t fall under the scope of PCI compliance because Skyflow handles all of the storage, transmission, and processing of sensitive data on your behalf.
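The four steps above can be modeled in a few lines to show where raw data is allowed to exist. This is an added sketch, not Skyflow code or its API: `Vault`, `Relay`, `issuer_stub`, the `tok_` prefix and all sample values are hypothetical and constructed, and the mTLS + MLE channel to the issuer is not modeled.

```python
import secrets

class Vault:
    """Hypothetical in-memory vault; a stand-in, not Skyflow's API."""
    def __init__(self):
        self._store = {}  # token -> raw value, held only inside the vault

    def tokenize(self, value):
        token = "tok_" + secrets.token_hex(8)  # random, so not derivable from value
        self._store[token] = value
        return token

    def detokenize(self, token):
        return self._store[token]  # KeyError for a token the vault never issued

def issuer_stub(raw_request):
    """Constructed stand-in for the card issuer: needs raw PII, returns a PAN."""
    missing = {"name", "ssn", "dob"} - raw_request.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    return {"pan": "4111111111111111", "status": "ISSUED"}  # constructed test PAN

class Relay:
    """Hypothetical relay: the only place where tokens become raw values."""
    def __init__(self, vault, upstream, sensitive_fields):
        self.vault, self.upstream = vault, upstream
        self.sensitive = set(sensitive_fields)

    def call(self, tokenized_request):
        # Step 2: detokenize at the outbound boundary only.
        raw = {k: self.vault.detokenize(t) for k, t in tokenized_request.items()}
        response = self.upstream(raw)  # Step 3: issuer returns the new PAN
        # Step 4: sensitive response fields are tokenized before they go back.
        return {k: self.vault.tokenize(v) if k in self.sensitive else v
                for k, v in response.items()}

def leaked_values(backend_view, raw_values):
    """Return every raw value that appears in data the backend holds."""
    seen = " ".join(str(v) for d in backend_view for v in d.values())
    return [r for r in raw_values if r in seen]

def run_workflow():
    vault = Vault()
    pii = {"name": "Jane Example", "ssn": "000-00-0000", "dob": "1990-01-01"}  # constructed
    tokens = {k: vault.tokenize(v) for k, v in pii.items()}  # backend keeps only these
    result = Relay(vault, issuer_stub, {"pan"}).call(tokens)  # Steps 1 and 4
    raw = list(pii.values()) + ["4111111111111111"]
    return tokens, result, leaked_values([tokens, result], raw)

if __name__ == "__main__":
    print(run_workflow())
```

The `sensitive_fields` set is the control that matters in this model: a response field left out of it would reach the backend in raw form.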
You can apply this pattern of tokenizing and relaying sensitive data across many different use cases. This approach helps you avoid handling sensitive data in your services so you can focus more on innovation and less on compliance.
Support for Inbound and Outbound Connections
The card issuance example workflow shown above is an outbound connection — a mode where your Skyflow vault makes an outbound call to a third-party service (in this case, Visa DPS). Connections also supports inbound connections — a mode where the requests originate externally and are inbound to Skyflow.
A good example of inbound connections is Skyflow’s MuleSoft native integration, where PII flowing through MuleSoft’s API gateway gets filtered out and sent to Skyflow for tokenization. This approach lets you avoid storing sensitive data in its raw form in your backend microservices. Instead, you only store tokens which are relayed back from the Skyflow vault.
GUI, API, and Templates to Get You Started
With Skyflow Connections you can build your own custom connection from a GUI or use our REST APIs. Skyflow also provides you with a set of tested, pre-configured connection templates that you can use to quickly connect your vault with services like Stripe, Visa, MuleSoft, and many more. In the coming months, we’re planning to expand the list of connection templates, so we would love for you to reach out to us with any ideas for endpoints that you would like us to support.
Skyflow Connections makes it easy to relay data to third-party service providers, so third-party integrations that involve sensitive data are no longer a compliance and engineering nightmare. Because Connections relay sensitive data instead of you handling it directly, you get to extend your infrastructure without compromising on data privacy, security, and compliance.
Connections lets you offload these challenges to Skyflow and its industry-leading zero trust architecture, so you can rest easy knowing that you are delivering effective data privacy and security to your customers.
Sign up for a free trial to test it out yourself!