Handle Sensitive Data Securely with Skyflow | by Tyler Hawkins | Apr, 2022

PCI, PII, PHI, and extra!

secure vault
Photograph by olieman.eth on Unsplash

Any firm working with delicate knowledge must make safety a prime precedence. Delicate knowledge might embrace cost card trade (PCI) knowledge like bank card data, personally identifiable info (PII) like social safety numbers, protected well being info (PHI) like medical historical past, and extra.

PCI, PII, and PHI? In relation to knowledge safety, that’s only the start. Information must be safe in transit, in use, and at relaxation. It’s worthwhile to be sure that correct entry controls for authentication and authorization are in place. You additionally want to take care of knowledge confidentiality, knowledge integrity, and knowledge availability. This may be additional sophisticated when it’s essential to replicate knowledge throughout programs.

If all of that sounds daunting, you need to think about using a knowledge privateness vault service to assist together with your safety wants. Not each firm can afford to rent a staff of safety and knowledge privateness consultants, and that’s OK. What’s not OK is slicing corners. “Purchase, don’t construct” is the mantra you need to undertake when coping with essential elements of your software which can be secondary to your organization’s essential focus.

On this article, I’d prefer to stroll you thru a easy demo of a safe bank card storage app I constructed utilizing Skyflow’s Data Privacy Vault. We’ll take a look at a few of the advantages of outsourcing your knowledge privateness wants with the intention to focus in your firm’s core merchandise whereas nonetheless remaining safe and compliant.

Let’s get began!

Demo app: checkout page
Demo app: checkout web page

Think about you’re an e-commerce firm, and a person is making a purchase order when buying in your on-line retailer. They arrive to your checkout web page and have to enter their bank card info. You wish to ensure that you deal with their bank card info securely, and also you additionally wish to retailer their bank card info in order that it’s saved for them the subsequent time they use your website.

There are a number of vital issues to bear in mind right here:

Keep in mind that knowledge must be safe in transit, in use, and at relaxation. Which means sending bank card data over the community utilizing SSL/TLS (HTTPS quite than HTTP) and encrypting the info in your database quite than storing it in plain textual content.

You additionally want to make sure correct entry controls are in place, which means that after the info is saved, solely the precise persons are capable of entry it.

In relation to integrity and availability, it’s essential to be sure that the info is saved appropriately and isn’t inadvertently modified, and the info have to be obtainable when somebody must retrieve it.

These are just some of the necessities it’s essential to meet with a purpose to turn out to be PCI compliant.

In constructing my checkout web page, I used the Skyflow JavaScript SDK to offer the shape area components within the UI. These components are carried out inside iframes which separate them from the remainder of my frontend app, and that reduces my danger. When the person enters their bank card data and submits the shape, the frontend Skyflow API makes a request to ship the info to my Skyflow Data Privacy Vault.

The server responds with a novel ID and tokenized knowledge representing the saved bank card data. Which means, along with not touching my app’s frontend, the bank card knowledge additionally doesn’t contact my app’s backend in any respect both, additional lowering my danger. The tokenized knowledge can then be saved in my very own database. This implies I’m circuitously storing the bank card data in any respect, only a tokenized reference to it.

Let’s dig into the code to see how I constructed this. All the code is available on GitHub for those who’d prefer to observe alongside there.

My app is constructed with a Node.js and Specific backend and a vanilla JavaScript frontend. So no frontend frameworks — just a few easy HTML, CSS, and JS.

Creating the bank card kind is comparatively easy, consisting of just some steps. The high-level features and their order seem like this:

Let’s stroll by these steps, one after the other.

First, I initialize my Skyflow shopper utilizing my vault ID, vault URL, and a helper operate to get a bearer token used for authentication:

The vault ID and vault URL might be obtained inside your Skyflow account. I adopted the Core API Quickstart guide to create my first vault. For the sake of brevity and avoiding repetition, I’d invite you to take a look at the steps within the information for this half.

Second, I create a container that may maintain my kind fields:

The container doesn’t do something by itself till we create components inside it, so we’ll do this now.

Third, I create the shape fields to gather the person’s bank card data. This contains the cardholder’s title, the bank card quantity, and the bank card’s expiration date:

Fourth, I mount the shape area components onto the DOM. That is what inserts the iframes into the placeholder containers in order that the shape fields truly seem within the UI:

Fifth, and eventually, I add an occasion listener to my Submit button. Now, when the shape is submitted, an API request is made to securely retailer the person’s bank card data in my Skyflow vault:

That’s about it! These steps spotlight the core snippets of code wanted to work with the Skyflow JavaScript SDK. In case you want the total working answer, refer again to the repository on GitHub, paying particular consideration to the index.html and script.js information within the public listing.

Now that now we have a primary understanding of how the checkout web page is constructed, let’s see it in motion! The person enters their bank card data:

Enter your credit card info
Enter your bank card data

Then the person clicks the Submit button, which triggers an API request to save lots of the bank card knowledge and returns a Skyflow ID:

Submit credit card info to store tokenized data
Submit bank card data to retailer tokenized knowledge

We’re exhibiting the Skyflow ID right here to make it simple to see within the demo, however you need to observe that this isn’t essentially one thing you’d need or want to indicate your customers within the UI.

If we take a look at the response knowledge, we are able to see that every of our items of delicate knowledge is tokenized, or changed with a token worth:

Skyflow API response
Skyflow API response

If we glance in our Skyflow vault, the info appears like this. Observe that it’s redacted and masked by default to guard delicate knowledge from apps which have vault entry:

Skyflow vault with redacted and masked data view
Skyflow vault with redacted and masked knowledge view

Admin customers like ourselves also can select to view the info in plain textual content if wanted:

Skyflow vault with plain text view
Skyflow vault with plain textual content view

As a remaining step, we are able to then retailer the Skyflow ID for this report in our personal database. Sooner or later, we are able to use that ID to request the tokenized knowledge and detokenize it.

We’ve coated lots in the present day! Along with a Information Privateness and Safety 101 lesson, we’ve additionally checked out Skyflow as one potential answer that may assist us with our knowledge privateness wants. Skyflow comes with everything you need, together with entry controls, encryption, and tokenization. Its options are SOC2, HIPAA, and PCI compliant, and so they even help data residency, which is a standard requirement included in most knowledge privateness legal guidelines. And, by storing PCI knowledge in a vault quite than straight with a cost processor like Stripe or Braintree, you’ll be able to avoid vendor lock-in and even work with a number of cost processors that can assist you higher adapt to numerous markets.

Keep in mind that you don’t should be a knowledge privateness knowledgeable with a purpose to implement finest practices. Startups, small groups, and even midsize to enterprise-level corporations can all profit from outsourcing wants which can be exterior to their product’s core options. Offloading this type of work to area consultants permits you to give attention to the core elements of your enterprise.

More Posts