When Focusing on PCI,
  Don’t Lose Sight of Privacy

by Heather Mark

    Compliance with the Payment Card Industry Data Security Standard, commonly known as the PCI-DSS or more simply as the PCI Standard, has been at the forefront of many companies’ data security efforts over the past year (or several years). The card brands are enforcing compliance with the PCI-DSS and it seems that in every industry publication or during any industry event, there will invariably be a topic related to compliance with the PCI Data Security Standard. With so much focus being placed on the PCI-DSS, it is easy to forget that there are broader, but equally important, privacy issues that should be considered.
    Without a doubt, some readers are asking: “If I comply with the PCI- DSS, doesn’t that ensure that I am compliant with the other laws and regulations related to privacy?” The short answer is “No”. It is important to recognize the divergence between the focus of the PCI- DSS and the obligations to protect sensitive, personal information. The PCI-DSS is focused on the protection of only one category of data, namely what is defined by the card brands as Cardholder Data. The question is often asked: “What is considered cardholder data and how does that differ from personally identifiable information?”
    Cardholder Data is defined by the PCI-DSS as the full magnetic stripe data or the Primary Account Number (PAN) AND any of the following: cardholder name, or expiration date. The PCI-DSS states that the PAN is the defining factor as to whether or not the data stored is classified as cardholder data and thus subject to the PCI-DSS requirements. According to the PCI-DSS, the cardholder name, service code and expiration date “…must be protected if stored in conjunction with PAN. This protection should be per PCI DSS requirements for general protection of the cardholder environment.” In addition, the PCI-DSS states that the company must ensure that they do not store the authentication data. Authentication data is defined as the full magnetic stripe data, the CVV2/CVC2/CID and the PIN or PIN block. “Do not store sensitive authentication data subsequent to authorization (not even if encrypted).” In addition, the PCI-DSS makes the statement that: “PCI DSS; however, does not apply if PANs are not stored, processed, or transmitted.”
    Based upon the various definitions it is clear that Cardholder Data is defined by the Primary Account Number (PAN). Consider the following two examples.

    Example 1
    Company A captures the PAN, cardholder name, and address (from the AVS) and stores them in separate columns in a common database table. This information is all considered Cardholder Data by definition of the PCI and is required to be protected in accordance with the PCI Requirements. Specifically, this means that the PAN (at a minimum) must be ‘rendered unreadable’ by encryption or other means and the other data elements must be protected using the general controls of the PCI-DSS. This includes firewalls, logical and physical access controls, IDS, and so on.

    Example 2
    Company B captures the PAN, customer name, and address (from AVS) and stores the PAN and cardholder name in separate columns in a common database table. The cardholder name, and address are also transmitted to a second database that is logically segregated from the one housing the PAN. In this example, the PAN and customer name contained in the first database is considered Cardholder data and must be protected as described in example 1. The cardholder name and address transmitted to the second database is NOT considered cardholder data by the PCI Standard and therefore is not required by the PCI Standard to be protected.
    For those readers who are breathing a sigh of relief at their belief that they are exonerated from protecting this data, it is important to consider data, other than the PAN, that may be stored. The PCI has taken a new approach to this data and makes reference to privacy legislation in the same definition of Cardholder data. The standards specifically states:
    “Additionally, other legislation (e.g., related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company’s practices if consumer related personal data is being collected during the course of business.”
    The rule of thumb then becomes: cardholder name, expiration date, and service code that is stored with the PAN is considered Cardholder data and any other sensitive data that is not stored with the PAN is considered personal data that should be protected in accordance with the privacy laws and regulations.
    Now that a basic understanding of that which constitutes Cardholder data and that which does not has been established, it is easier to understand what else must be protected. When discussing privacy many people have various definitions. Privacy is admittedly not well defined by either our Constitution or law. In general, the most commonly held definitions, according to the International Association of Privacy Professionals are 1) the control of personal events, such as the use of birth control; 2) the freedom from intrusion such as the current argument being made over the NSA wiretapping; and 3) the control of information such as the right to keep personal information private. In short, privacy is the appropriate use of information. ‘Appropriate use’ is defined by laws, public sentiment, and circumstances. Most businesses are largely concerned with the legal implications of running afoul of some law or regulation.
    While there exists a number of definitions for personal information, the definition used here will the one provided by the Privacy Preferences Project (P3P) which defines Personally Identifiable Information (PII) as: “…any piece of information which can potentially be used to uniquely identify, contact, or locate a single person.” Using this definition, it is understood that the cardholder name and address in Example 2 is considered PII and thus required to be protected. As there are a number of federal and state laws that apply to the protection of personal information, we will not focus on those in this article and will instead focus on a few key privacy concepts and definitions.
    One of the most important concepts that must be understood by companies that store personally identifiable information is that of Notice. A notice is a description of an organization’s information management practices and how collected personal data is used and protected. Specifically, notices describe 1) what information is collected 2) how the information is used 3) how and to whom the information is disclosed 4) how to exercise any choices that may arise with regard to disclosures (opt out, for example) and 5) whether the individual can access or update the information. Arguably, the most common form of notice is that of the website Privacy Policy. The Privacy Policy should list what is collected, how it is protected, and how it will be used. In general the primary purpose of notices is to educate consumers and ensure corporate accountability.
    At this point many readers may be asking why notices are a critical component of privacy. There are two very important reasons. First, according to the Information Association of Privacy Professionals “A privacy notice is a contract if the consumer provides data to the company based on the company’s promise to use the data in accordance with the terms of service.” As such, a company’s violation of their privacy notice could result in legal claims - for breach of contract.
    The second, and arguably more critical, aspect of the privacy notice is the risk of being sued for Unfair and Deceptive Trade Practices by a government regulatory agency. If a company promises something in their privacy notice and then does not support that promise, the Federal Trade Commission may sue that company for Unfair and Deceptive Trade Practices. A very tangible example of this is the case of was found to be vulnerable (not hacked, simply vulnerable) to a common exploit known as SQL Injection. Because their website promised that customer data was protected, the FTC successfully sued for Unfair and Deceptive Trade Practices.
    The concepts of security and privacy, while not synonymous, are inextricably entwined. A security vulnerability may expose personally identifiable information, resulting in a privacy breach as well as a security compromise. It is essential that companies are aware of all the data that is resident in their systems and the ways in which that data is handled. The process of complying with the PCI standard allows companies an opportunity to evaluate not only the way in which data is stored, but the ways in which that data is collected, shared and used. The onset of federal regulation and the greater level involvement from the FTC have made data privacy practice more relevant than ever. This article is the first in a series that will attempt to answer the questions surrounding the intersection of privacy and security. Future articles will also expand upon the regulations surrounding privacy considerations of which companies should be aware.