Security & Privacy: What Is PII & How Is It Protected?
The definition of Personally Identifiable Information (PII) varies per country. Generally, in the United States, PII is considered data that uniquely identifies, contacts or locates a single person, including national ID, date of birth, street address, driver’s license, telephone numbers, internet protocol (IP) addresses, vehicle registration, etc.
This definition is similar to the European Union’s (EU) definition of Personal Data (PD), which is the EU’s synonym for PII. The EU’s General Data Protection Regulation states that Personal Data is “any information (directly or indirectly) relating to an identified or identifiable natural person”, whether publicly available or not.
When dealing with personal information, regardless of the country or region, data controllers should be aware of industry standards that dictate how personal information should be processed and secured. Payment processors must be aware of the Payment Card Industry Data Security Standard (PCI DSS). This rigorous standard applies to all organizations worldwide that collect, process, store, or transmit cardholder information from any card branded with the logo of one of the credit card networks.
In order to be PCI DSS compliant and protect consumers’ PII, payment processors are required to maintain the following 12 security measures:
- Build and Maintain a Secure Network and Systems.
- Install and maintain a firewall configuration to protect cardholder data.
- Use original passwords. Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect Cardholder Data.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Maintain a Vulnerability Management Program.
- Protect all systems against malware and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
- Implement Strong Access Control Measures.
- Restrict access to cardholder data by business need to know.
- Every person with computer access must be assigned a unique ID.
- Physical access to cardholder data must be restricted.
- Regularly Monitor and Test Networks.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain an Information Security Policy.
- Maintain a policy that addresses information security for all personnel.
The ePayments industry maintains extremely tight security regulations and practices designed to protect credit card and PII. Encryption, twelve compliance measures, and over 400 security standards set by the PCI SSC make credit card and PII safer than you likely realize. Our next article will delve into encryption, the difference between a hack and a breach, what attackers are seeking, and the truth about how difficult it is for them to find the information that they really want.
Listen to last week’s podcast, “Fees: Options to Minimize Revenue Impact? “, here.
Explore The Knowledge Center library here.