Date Published: May 9, 2016
Comments Due:
Email Questions to:
Author(s)
William Newhouse (NIST), Sarah Weeks (MITRE)
Announcement
The National Cybersecurity Center of Excellence (NCCoE) has posted a draft Project Description on the topic of Securing Non-Credit Card, Sensitive Consumer Data.
Retailers easily gather sensitive data during typical business activities, such as date of birth, address, phone number, and email address, which can be used by various internal users and external partners to accelerate business operations and revenue. There has been an increase in the value of non-credit card, sensitive consumer data on the black market; however, there are relatively few regulations or standards specific to this topic in the consumer-facing/retail industry in the United States. As seen following high-profile data breaches in the healthcare sector, personally identifiable information (PII) is valued at up to 20 times more than credit card data, with a single credit card number sold at $1 and the average individual's PII sold at $20.
This project and its example solution will help secure non-credit card, sensitive consumer data through data masking and tokenization, coupled with fine-grained access control to improve the security of data transmitted and stored during commercial payment transactions, as well as data shared internally within a retail organization and externally with business partners.
As a result of payment card industry standards and a strong understanding of the value of valid credit card information in the black market, the retail industry has already invested in security mechanisms to protect credit card data, also referred to as cardholder data. However, this cardholder data is not the only valuable consumer information that is transmitted and stored by retailers. Other data that can be personally identifiable and is transmitted and stored in this ecosystem includes but is not limited to: consumer purchasing habits (including geographical locations, preferences, search history), date of birth, home or business address, phone number, email address, user id, password, IP addresses, and Social Security Number. As seen following high-profile data breaches in the healthcare sector, personally identifiable information (PII) is valued at up to 20 times more than credit card data, with a single credit card number sold at $1 and the average individual’s PII sold at $20. In collaboration with stakeholders in the retail and commercial payment ecosystem, the NCCoE has identified that implementing data masking and tokenization, coupled with fine grained access control such as Attribute Based Access Control2, may significantly improve the security of PII transmitted and stored during commercial payment transactions, as well as PII shared internally within a retail organization and externally with business partners. Building on this collaboration with the business community and vendors of cybersecurity solutions, the NCCoE will explore methods of effectively masking and tokenizing PII during commercial payment transactions and develop an example solution composed of open-source and commercially available components to address these real-world business challenges. This project will produce a NIST Cybersecurity Practice Guide—a publically available description of the solution and practical steps needed to implement practices that more effectively secure the handling of non-credit card, sensitive consumer data.
As a result of payment card industry standards and a strong understanding of the value of valid credit card information in the black market, the retail industry has already invested in security mechanisms to protect credit card data, also referred to as cardholder data. However, this cardholder data...
See full abstract
As a result of payment card industry standards and a strong understanding of the value of valid credit card information in the black market, the retail industry has already invested in security mechanisms to protect credit card data, also referred to as cardholder data. However, this cardholder data is not the only valuable consumer information that is transmitted and stored by retailers. Other data that can be personally identifiable and is transmitted and stored in this ecosystem includes but is not limited to: consumer purchasing habits (including geographical locations, preferences, search history), date of birth, home or business address, phone number, email address, user id, password, IP addresses, and Social Security Number. As seen following high-profile data breaches in the healthcare sector, personally identifiable information (PII) is valued at up to 20 times more than credit card data, with a single credit card number sold at $1 and the average individual’s PII sold at $20. In collaboration with stakeholders in the retail and commercial payment ecosystem, the NCCoE has identified that implementing data masking and tokenization, coupled with fine grained access control such as Attribute Based Access Control2, may significantly improve the security of PII transmitted and stored during commercial payment transactions, as well as PII shared internally within a retail organization and externally with business partners. Building on this collaboration with the business community and vendors of cybersecurity solutions, the NCCoE will explore methods of effectively masking and tokenizing PII during commercial payment transactions and develop an example solution composed of open-source and commercially available components to address these real-world business challenges. This project will produce a NIST Cybersecurity Practice Guide—a publically available description of the solution and practical steps needed to implement practices that more effectively secure the handling of non-credit card, sensitive consumer data.
Hide full abstract
Keywords
tokenization; access control; ABAC; attribute based access control; PII; consumer data; retail; data masking; e-commerce
Control Families
Access Control; System and Communications Protection