The Green Sheet Online Edition

June 27, 2016  •  Issue 16:06:02


Think PII, not just PCI

By Fran Sachs and Ross Federgreen

Readers in this magazine are more than familiar with the types of information addressed by the Payment Card Industry Data Security Standard (PCI DSS) and related standards, often referred to collectively as PCI. Attention, however, also must be paid to the broader category of personally identifiable information (PII).

What is PII?

PII is any information that can be used to identify an individual. The loss of this information leads to identity theft. Elsewhere in the world it is also called personal data or personal information. Types of personal information include a person's name; physical and email addresses; phone number; birth date; national identification (such as Social Security), driver's license and bank account numbers; and credit or debit card information.

Other PII includes health information, medical records, vehicle identification numbers, license plate numbers, login credentials and passwords, and school records. Biometrics ‒ fingerprints, retina scans, handprints and voice recognition files ‒ are also considered PII. Some countries also treat information revealing political opinions, union membership status or sexual preferences as PII. The list continues to grow with new and revised legislation and court rulings.

In the world of PII, the PCI DSS is a small and increasingly less important component. Globally, over 99 percent of PII is something other than card data. News reports of recent data breaches indicate that personal contact information and national ID numbers are the most commonly breached data of late.

Differing approaches to PII

Countries follow four major models in their approach to PII. The European Union and Canada use comprehensive laws that govern PII collection, use and dissemination in the public and private sectors, with an official oversight and enforcement agency that remedies past injustices, promotes electronic commerce and ensures consistency with pan-European laws.

Australia uses a co-regulatory model, a variant of the comprehensive model in which industry develops enforcement standards that are overseen by a privacy agency. The United States uses a combination of a sectoral approach and a self-regulated model. The sectoral approach relies on laws and regulations that address particular industry sectors such as financial transactions, credit records, law enforcement and medical records. There is no single harmonized federal law that addresses all issues. Some of these laws are regulated by the federal government, some by state governments and some by industry.

Industry-driven regulation leads to the self-regulated model, which is used, for example, in both the United States and Japan. In this model, a group or class of companies, acting as an industry body, develops a code of practice that its member companies adopt. One example of this is the PCI DSS and its related security standards. Drawbacks include determining adequacy and carrying out enforcement.

Why should payment professionals care about PII?

Failure to understand and follow the rules and regulations covering all PII, not just limited to PCI, can lead to reputational damage, along with civil and criminal penalties. Lawsuits on behalf of victims of data breaches could lead to multimillion-dollar verdicts and settlements.

Another critical area to consider is the transfer of PII, inclusive of payment information, on a multinational basis. The United States is not considered by the world community to have "adequate" PII regulations. This has led to a significant and growing concern regarding the ability of PII to be transferred into the United States, as well as accepted from the United States.

This has a direct impact on all merchants who operate in an environment where they accept, store or transmit various categories of PII that originated from outside of the United States.

If a company runs afoul of the European Union's new General Data Protection Regulation provisions on international data transfer, violations may result in "administrative fines up to 20,000,000 EUR, or up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher," according to the GDPR.

These types of increasing penalties, as they relate to the appropriate management of PII, are present in every region of the globe – from Singapore to Korea to Canada to the British Commonwealth to Israel to Argentina and beyond.

What to do about PII

The only reasonable way to deal with the ever-expanding and changing requirements and regulations is to take an organized approach to the various types and classes of PII that your organization has or might have. Remember, if your organization has customers, vendors or employees of any type, you have PII.

Every organization should ask the following questions to determine its PII legal requirements:

Each entity must determine the best methods for staying abreast of relevant PII rules and regulations. PII use is growing globally and has become a central issue in our modern age. There is no jurisdiction that does not impose significant regulations on the acquisition, handling, management and destruction of the various classes of PII. Those who do not recognize this increasing threat to business operations will be severely compromised. Given the limited resources, expertise and budgets of many companies, it might be wise to consider engaging an expert third party to handle these complex requirements.

Visa Inc. has advised those involved with PII to consider a breach of PII likely and prepare accordingly. "Identify and establish relationships and/or agreements with key vendors," Visa stated. To download the company's PDF on this subject, visit www.visa-asia.com/ap/sg/merchants/include/Responding_to_a_Data_Breach.pdf.

Fran Sachs, CIPM, CIPP/US, is Vice President of Operations and Ross Federgreen, CIPM, CIPP/US, CIPP/G, CIPP/E and Fellow, European Privacy Association, is the founder of CSR Professional Services Inc., the leading provider of global data compliance solutions and expert services that address Payment Card Industry (PCI) standards and personally identifiable information (PII) requirements. Fran can be reached at fsachs@csrps.com and Ross can be reached at rfedergreen@csrps.com. For more information or assistance in learning about the regulations applicable to you or your merchant customers' business, contact CSR at 866-294-6971 or online at www.csrps.com.
