Editor’s Note: In the spirit of the famous advice columns of the past, one of our Tricentis Tosca experts has started their own column: Dear Dr. Tosca. Have questions for Dr. Tosca? Send them our way in the comments!
Dear Dr. Tosca,
I keep reading news stories about major security breaches – like TalkTalk, where someone hacked the company database, stole the credit card and bank info of 4 million customers, and is now holding it for ransom. In the stories there is always some reference to the fact that the data was not “encrypted” or “synthetic”. Can you explain what this means, and why companies aren’t using “synthetic” data if it would prevent these security breaches?
Confused by Data
Dear Confused by Data,
The truth is that companies that work with credit card data are supposed to follow a security standard called the Payment Card Industry Data Security Standard (PCI DSS). This standard defines the security measures that are meant to protect cardholder data and prevent theft or data breaches.
PCI DSS even states:
If cardholder data is stolen – and it’s your fault – you could incur fines, penalties, even termination of the right to accept payment cards! (PCI DSS)
A cyber-attack that manages to steal data is a very serious event for any company, and will lead to both financial loss and a huge hit to their reputation.
If you take PCI DSS seriously, you have to restrict access to cardholder information by business “need to know”. That clearly means that testers, who require some form of data to be able to run their tests, should not be allowed to access real cardholder data to execute their tests.
But let’s not only focus on cardholder data – in 2006 a former employee of a big financial institution sold a CD full of data to the German tax authorities, who then used this information as evidence of tax evasion. This was only the first of many such cases. Although it was never fully revealed, it is likely that the data was stolen from a test department working with copies of actual cardholder (production) data!
Events like this lead to changes in laws and have even changed whole business models.
One such change to laws and business models is the adoption of synthetic or encrypted data. Synthetic data supplies a stand-in for the production data for testers to use in their testing. Say you need to run a test using the data of a customer of a certain age who pays with Mastercard – rather than using a real person and a real credit card, you can simply generate synthetic data that has the same shape. By using synthetic test data you not only blunt the effectiveness of a cyber-attack (there is no real cardholder data in the test environment to steal), but you are also in charge of exactly what data is available for your tests.
Synthetic data gives a company a way to keep its customers’ data safe from attackers on the outside and thieves on the inside. All you need to make synthetic data happen is a tool (such as Tricentis Tosca) that can generate the right type of data for you, right when you need it.
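To make the "customer of a certain age who pays with Mastercard" scenario concrete, here is an added example of a small synthetic test-data generator. It is not Tricentis Tosca code and not part of the original column; the brand prefix table, the name lists and the reference date are constructed sample values. The generator produces a record with a birth date that puts the customer in the requested age range and a card number that carries a Mastercard-style prefix and passes the Luhn mod-10 check, so it looks realistic to the application under test while referencing no real account. A seed makes the output reproducible, which is what you want when a test has to be repeatable.

```python
"""Synthetic cardholder test data (added example; not Tricentis Tosca code).

Builds a stand-in customer record that has the shape a test needs (age range,
card brand, Luhn-valid card number) without touching real cardholder data.
Brand prefixes, names and the reference date are constructed sample values.
"""
import random
from dataclasses import dataclass
from datetime import date, timedelta

# Publicly documented issuer prefixes, used only so the synthetic number
# *looks* like the requested brand; no real account is referenced.
BRAND_PREFIXES = {
    "Mastercard": [str(p) for p in range(51, 56)],  # classic 51-55 range
    "Visa": ["4"],
}
CARD_LENGTH = 16
FIRST_NAMES = ["Ada", "Grace", "Linus", "Margaret"]  # constructed sample values
LAST_NAMES = ["Example", "Sample", "Testcase"]        # constructed sample values


@dataclass(frozen=True)
class SyntheticCustomer:
    name: str
    birth_date: date
    age: int
    as_of: date        # the date on which `age` was computed
    card_brand: str
    card_number: str


def _luhn_sum(number: str) -> int:
    """Luhn weighted digit sum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True when the digits of `number` pass the Luhn mod-10 check."""
    digits = "".join(c for c in number if c.isdigit())
    return len(digits) >= 2 and _luhn_sum(digits) % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Digit that, appended to `partial`, makes the whole string pass Luhn."""
    return str((10 - _luhn_sum(partial + "0") % 10) % 10)


def synthetic_card_number(brand: str, rng: random.Random) -> str:
    """Random 16-digit number with a brand prefix and a valid check digit."""
    prefix = rng.choice(BRAND_PREFIXES[brand])
    filler = CARD_LENGTH - 1 - len(prefix)   # leave room for the check digit
    body = prefix + "".join(str(rng.randrange(10)) for _ in range(filler))
    return body + luhn_check_digit(body)


def _shift_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                       # 29 Feb in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def age_on(birth: date, as_of: date) -> int:
    """Whole years completed between `birth` and `as_of`."""
    before_birthday = (as_of.month, as_of.day) < (birth.month, birth.day)
    return as_of.year - birth.year - int(before_birthday)


def synthetic_customer(min_age, max_age, brand="Mastercard", as_of=None, seed=None):
    """Reproducible (via `seed`) customer aged min_age..max_age on `as_of`."""
    rng = random.Random(seed)
    if as_of is None:
        as_of = date.today()
    elif isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    age = rng.randint(min_age, max_age)
    # Latest birth date that already makes the customer `age` today, and the
    # earliest one that does not yet make them `age + 1`.
    latest = _shift_years(as_of, -age)
    earliest = _shift_years(as_of, -(age + 1)) + timedelta(days=1)
    birth = earliest + timedelta(days=rng.randrange((latest - earliest).days + 1))
    return SyntheticCustomer(
        name=f"{rng.choice(FIRST_NAMES)} {rng.choice(LAST_NAMES)}",
        birth_date=birth, age=age, as_of=as_of,
        card_brand=brand, card_number=synthetic_card_number(brand, rng),
    )


if __name__ == "__main__":
    print(synthetic_customer(30, 40, "Mastercard", as_of="2024-06-01", seed=7))
```

Because the record is derived from a seed rather than copied from production, a test can regenerate exactly the same customer on every run, and a leaked test database contains nothing worth stealing; the Luhn check is also a cheap assertion to keep in the test suite, since a generator that emits invalid numbers would fail at the card-validation step rather than at the behaviour the test is actually about.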