The information age has brought with it both convenience and risk. Consumers, for example, love the convenience of shopping online, yet they certainly don’t want their personal and sensitive information (like credit card numbers) to be revealed to unauthorized parties. Businesses have the responsibility, and in many cases, the legal obligation, to mitigate this risk and protect sensitive information from prying eyes. This is largely done through encryption.
What is encryption?
In simple terms, encryption is the process of taking human-readable information and translating it into an unreadable form. The information is protected by an encryption algorithm that can only be translated back into a human-readable form by authorized parties.
As a consumer, you’ve likely encountered basic HTTPS encryption while doing business online. You know to look for HTTPS (instead of HTTP) and the padlock symbol in the address bar. With HTTPS encryption, the website and web server have been authenticated and a secure, two-way connection has been established. Transactions made using HTTPS encryption are shielded from man-in-the-middle attacks, tampering, and eavesdropping.
Encryption typically uses “keys” to unlock the data. For example, with symmetric key encryption, the sender and receiver use a common key known only to them to decrypt the data. Thus, if a cybercriminal were to intercept the information, the payload would be gibberish. Since the cybercriminal doesn’t have the means to decrypt the data, it’s safe and sound despite the breach.
Why should you care?
Sensitive client data should be handled with the utmost care. This means that the companies that handle sensitive client data should be well informed about the best security practices, including end-to-end encryption.
Service Objects offers specialized services focused on data validation. The data that is sent to our services for validation usually comes from our clients’ customers. For example, let’s imagine a fictional Service Objects client called Medical Insurance Inc., a medical insurance company. As Medical Insurance Inc. collects information on their customers, prospects, and leads, they want to confirm that the data is valid. In order to validate the data, they must send the sensitive information over to one of the Service Objects’ web services. If Medical Insurance Inc. doesn’t use encryption, the data being transferred is at risk of being snooped on by a malicious third party. A simple man-in-the-middle attack could allow direct access to sensitive information that should not be exposed to anyone outside of Medical Insurance Inc. The risk of exposing sensitive data can be easily negated by any of the following recommended best practices.
What do we currently support/recommend using?
We currently support Pretty Good Privacy (PGP) encryption on incoming and outgoing list processing orders. End-to-end encryption is made possible by PGP’s hybrid-type cryptography, which uses a blend of private and public key encryption to help ensure your data is not exposed to anyone but the authorized parties.
For standard API calls, we highly recommend using the HTTPS protocol. Over HTTPS, the connection to the site will be encrypted and authenticated using a strong protocol (SSL/TLS), a strong key exchange (RSA), and a string cipher (AES256). By using HTTPS to make your web service calls, you can rest assured that any sensitive client data is well guarded.