Retailers may garner more than just financial information during customer transactions. They are often able to gather sensitive information – like address and phone number – that can be shared with business partners to boost revenue potential. Data breaches and poor security controls are putting that same personally identifiable information (PII) into the hands of cyberthieves.
According to the National Cybersecurity Center of Excellence (NCCoE), there’s evidence that PII is now worth much more on the black market than credit card numbers and that the implementation of EMV in the U.S. will likely shift fraud away from the use of counterfeit credit cards – to the use of real credit cards obtained by using fake or stolen identities and the use of stolen credit card data for card-not-present transactions.
Regulations and standards around protecting PII have emerged overseas, but not so much in the U.S. So, the NCCoE is taking public comment on a project around securing non-credit card and sensitive consumer data.
“This project aims to demonstrate that a retailer can implement protections for its data as it is shared internally, with consultants and with third-parties, and that the best practices shown demonstrate the value of implementing national or international standards within commercial and open source products,” saysBill Newhouse, senior security engineer at the NCCoE, who co-authored the project report. “Data masking, tokenization, and cryptographic techniques are currently being used today. So our aim is to demonstrate that there is an ecosystem of existing technologies and best practices that will make it easier for retailers to add these techniques to their data protection practices.”
Public comments are being accepted until June 3, and a draft practice guide will be produced. By the end of the year, the NCCoE wants to establish an architecture and begin to build the lab environment for this project, as well as the “Multifactor Authentication for e-Commerce” project. “The early part of 2017 would be spent in the lab getting our project to work, documenting our progress in a very detailed manner, and publishing those details in a Practice Guide,” Newhouse says.