By Jason McWhirr, Information Security Consultant
It is commonplace for organisations to ask consumers to provide Personally Identifiable Information (PII) to prove identity, strengthen authentication mechanisms, and speed-up payments. Most organisations will have an identity profile of each of their consumers that incorporates PII data.
This includes common fields such as address, date of birth, email address, mother's maiden name, etc., which are stored to help facilitate future authentication.
Proving a person’s identity (authentication) is a necessity for an organisation’s existing consumers, but also to potentially trust new consumers. The same applies to the consumer, by authenticating correctly (via whichever method), they expect to prove their uniqueness and access resources only they are authorised to use.
Consumer identification can be as basic as a username and password, but a password alone doesn't prove that the correct person entered it: it is a static secret that can be shared, guessed or stolen. Stronger authentication, which binds the login to the individual (for example by requiring a second factor), is preferable when the aim is to pinpoint the person associated with the username or account.
However, in both cases PII data will generally be used to help identify the consumer, whether it is used to recover a forgotten password, build a consumer history, or to access call centre staff via the telephone.
Further PII data will be stored by the organisation in the course of its information gathering, some of it unbeknown to the consumer, and can include fields such as bank account information, passport details, social security/healthcare details, address history, relatives and friends; the list of such PII data is endless.
Also then there is the consumer’s payment account data (also classed as PII data) which will be used and potentially stored when the consumer decides to purchase an item.
For any organisation storing this type of information that then suffers a data breach, the consequences can be extremely debilitating for consumers, time consuming for acquirers, and costly for the organisation that lost the data.
Millions of people have had their data stolen in data breaches in the last few years; however, there are differences in the way stolen data can affect the consumer:
Payment Account Data
Payment account data is static identification data, much like a password (something you know): it can be written down, copied and replayed, and its use doesn't prove who used it. When criminals steal payment account data, or it is lost, the harm depends on the volume of data involved and on how long the compromise goes unnoticed.
In response to these risks, the payment card industry, through the PCI Security Standards Council, set out requirements for protecting payment account data in the PCI DSS standard. Followed correctly, PCI DSS helps an organisation lower both the likelihood and the impact of a data breach.
Once a potential payment account data breach is identified, the payment card can be replaced, and the consumer can update all their payment card related banking or ecommerce information. Despite the annoyance, and inconvenience this causes the consumer (and the acquiring banks), the consumer is generally back to normal within a couple of weeks.
When a consumer's PII data is stolen, or inadvertently lost by an organisation, the harm can be huge. Because this personal data is used to prove a consumer's identity, there is almost no limit to what it can be used for by criminals, which makes it more valuable and desirable than payment data alone.
A criminal can use stolen PII data to convince an organisation that they are the person they claim to be, and so bypass the security measures that have been put in place. Criminals holding such data not only gain continued access to the compromised consumer's existing accounts and content, they can also open new accounts in that identity.
PII data may be used by criminals to extort money if the data contains sensitive information.
Where payment card data is compromised alongside PII, a fraudulent transaction can be placed that passes the organisation's identity checks. This impacts the organisation, which is likely to lose large sums to fraudulent transactions, and the compromised consumer, who ends up with a 'valid', authorised transaction on their account of which they have no knowledge.
Because the correct PII data was entered and the transaction was authorised, the consumer faces a major identity and authentication problem: they now have the tough task of proving that they did not authorise the transactions themselves.
If bank account numbers are stolen the effects can be widespread, as new account numbers are likely to be required, disrupting all existing standing payments and access to money. This is a far bigger issue than losing payment card data alone.
How much is an identity worth to a criminal?
Payment card data and PII data are each a valuable commodity to criminals, and a combination of the two is worth more than either alone.
The combination of a thriving, lucrative black market, hungry to buy and sell PII data via underground eBay-style marketplaces, and criminals around the world wanting to purchase and exploit stolen consumer data means the data can be a time bomb waiting to go off for the consumer and the organisation, neither of whom may even know it has been compromised.
How much is an identity worth to an organisation?
For an organisation there are potential regulatory and card brand fines, lost trade, reputational damage, lost customer trust, and forensic and remediation costs. For PII data breaches there may also be clean-up costs such as lawsuits and credit monitoring/identity theft protection packages offered as part of the remediation. PII data should be protected in the same way you would protect your own identity!
So what is the solution?
There is no single solution and a data breach is always a potential risk; however, the following controls will enable an organisation to understand what PII data is in scope and what risk it carries, and to choose options to protect it, potentially lowering that risk.
- Identify what PII information is used/stored and where.
- Evaluate the risk and what protection is required to protect the PII data.
- Compliance – protect all PII data with rules (policies and procedures).
- Educate staff and consumers about data security.
- Protect all PII data with layered controls:
- 1. Strong authentication mechanisms help to prove that a person is who they say they are by requiring at least two of the three authentication factors: something you know (e.g. a password), something you have (e.g. a certificate, hardware token or one-time-code generator) and something you are (e.g. a fingerprint or retina scan).
- 2. Encryption, and where practical segmentation, of PII data
- 3. Threat protection
- 4. Data Loss Prevention (DLP)
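As an added example, not part of the original article and not the author's code, the following Python shows the first of the layered controls above in working form: a login that only succeeds when both "something you know" (a password checked against a salted PBKDF2 hash, never the password itself) and "something you have" (a time-based one-time code from an authenticator, RFC 6238 TOTP over RFC 4226 HOTP) are correct. The user record, password and enrolment are constructed for illustration; the shared secret is the RFC test-vector secret so the generated codes can be checked against the published vectors. It uses only the standard library.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> tuple:
    """Derive a salted PBKDF2-HMAC-SHA256 hash for storage; the password itself is never stored."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Something you know: recompute the hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in 30-second steps."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, code: str, for_time: int, step: int = 30, window: int = 1) -> bool:
    """Something you have: accept the code for the current step and +/- `window` steps
    to tolerate clock drift. Each candidate is compared in constant time."""
    counter = int(for_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + drift), code)
               for drift in range(-window, window + 1))


def authenticate(record: dict, password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors must pass. Both are always evaluated, so a failed login does not reveal
    which factor was wrong: an attacker holding only stolen PII or a stolen password learns
    nothing about the token from the response."""
    now = int(time.time()) if now is None else now
    password_ok = verify_password(password, record["salt"], record["iterations"], record["password_hash"])
    totp_ok = verify_totp(record["totp_secret"], code, now)
    return password_ok and totp_ok


# Constructed enrolment record for a hypothetical user (illustrative values, not from the article).
# The TOTP secret is the RFC 4226/6238 test secret, so codes can be checked against the RFC vectors.
TOTP_SECRET = b"12345678901234567890"
SALT, ITERS, HASH = hash_password("correct horse battery staple", iterations=100_000)
USER = {"salt": SALT, "iterations": ITERS, "password_hash": HASH, "totp_secret": TOTP_SECRET}

if __name__ == "__main__":
    t = 59                               # RFC 6238 vector: counter 1, 8-digit SHA1 code 94287082
    print(totp(TOTP_SECRET, t, digits=8))                                          # 94287082
    print(authenticate(USER, "correct horse battery staple", "287082", now=t))      # True
    print(authenticate(USER, "wrong password", "287082", now=t))                    # False: bad password
    # "969429" is the HOTP code for counter 3 (RFC 4226), outside the +/-1 window around counter 1
    print(authenticate(USER, "correct horse battery staple", "969429", now=t))      # False: stale token
```

The window of one step each side is a deliberate trade-off: it keeps logins working when the consumer's phone clock is a few seconds out, while a code from even a couple of minutes earlier is rejected. In production the server should additionally record the last accepted counter per user and refuse to accept it twice, so a code captured in transit cannot be replayed inside the window.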