Securing Non-Credit Card, Sensitive Consumer Data

Summary

Retailers easily gather sensitive data, such as date of birth, address, phone number, and email address, during typical business activities, and various internal users and external partners can use that data to accelerate business operations and revenue. The value of non-credit card, sensitive consumer data on the black market has increased, yet there are relatively few regulations or standards specific to this topic in the consumer-facing/retail industry in the United States. Some regulations and standards around privacy and the protection of personally identifiable information (PII) have emerged or are emerging in Europe and other parts of the world, and those precedents can inform our work in this space.

As seen following high-profile data breaches in the healthcare sector, PII is valued at up to 20 times more than credit card data, with a single credit card number sold at $1 and the average individual’s PII sold at $20. There is a gap to be filled in terms of understanding the risks and implementing security controls to mitigate those risks concerning non-payment PII. Also, with the general trend of widespread digital collaboration inside and outside an organization, various stakeholders need varying levels of access to the same and different resources.

In collaboration with stakeholders in the retail and commercial payment ecosystem, the NCCoE has identified that implementing data masking and tokenization, coupled with fine-grained access control such as attribute-based access control (ABAC), may significantly improve the security of PII transmitted and stored during commercial payment transactions, as well as PII shared internally within a retail organization and externally with business partners.
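An added sketch (not NCCoE code and not part of the project) of how the three controls named above can combine: an ABAC policy decides, per field, whether a requester receives the clear value, a masked value, or a token. The attribute names, roles, policy rules, key and sample record are constructed assumptions.

```python
import hashlib, hmac

VAULT_KEY = b"constructed-demo-key"  # assumption: a real key lives in a KMS/HSM
_vault = {}                          # token -> original value

def tokenize(field, value):
    """Keyed, deterministic surrogate: equal inputs give equal tokens (joinable)."""
    mac = hmac.new(VAULT_KEY, f"{field}:{value}".encode(), hashlib.sha256)
    token = "tok_" + mac.hexdigest()[:16]
    _vault[token] = value
    return token

def detokenize(token, subject):
    """Reversal is itself an access decision (hypothetical 'pii_custodian' role)."""
    if subject.get("org") == "internal" and subject.get("role") == "pii_custodian":
        return _vault[token]
    raise PermissionError("detokenization denied")

MASKS = {  # field-specific masking that keeps just enough to be useful
    "email": lambda v: v[0] + "***@" + v.split("@", 1)[1],
    "phone": lambda v: "*" * (len(v) - 4) + v[-4:],
    "date_of_birth": lambda v: v[:4] + "-**-**",
    "address": lambda v: "*** " + v.rsplit(" ", 1)[-1],
}

# ABAC rules: (predicate over subject attributes, fields covered, release form).
# First matching rule wins; anything unmatched falls back to a token.
POLICY = [
    (lambda s: s.get("org") == "internal" and s.get("role") == "pii_custodian",
     set(MASKS), "clear"),
    (lambda s: s.get("org") == "internal" and s.get("purpose") == "customer_support",
     {"email", "phone"}, "masked"),
    (lambda s: s.get("org") == "partner" and s.get("purpose") == "shipping",
     {"address"}, "clear"),
]

def release(record, subject):
    """Return the view of `record` this subject is entitled to."""
    view = {}
    for field, value in record.items():
        form = next((f for pred, fields, f in POLICY
                     if field in fields and pred(subject)), "token")
        if form == "clear":
            view[field] = value
        elif form == "masked":
            view[field] = MASKS[field](value)
        else:
            view[field] = tokenize(field, value)
    return view

RECORD = {"email": "pat@example.com", "phone": "5550100123",  # constructed sample
          "date_of_birth": "1984-07-02", "address": "12 Main St Springfield 62704"}
```

Because the fallback is a token rather than the clear value, a subject or field the policy does not mention never receives raw PII.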

This use case will help retailers secure non-credit card, sensitive consumer data by using standards-based, commercially available and open-source products. The project process includes identifying stakeholders who interact with retail systems and non-credit card consumer data; defining the interactions between the stakeholders, system, and data; identifying mitigating security technologies; and ultimately providing an example implementation.

Read the Securing Non-Credit Card, Sensitive Consumer Data Project Description.

Questions? Comments? Reach us at consumer-nccoe@nist.gov.