
Protecting PII and PCI Compliance—Where the Two Intersect

Securing sensitive customer information is paramount in ensuring compliance and protecting against data breaches.

As cybercrime damages mount, regulators keep tightening standards for companies that handle client data, particularly personal information.

Cybercriminals pursue personal information especially vigorously because of its value. Thieves can use stolen information to steal from individuals and cripple companies.

Annual cybercrime damages are projected to reach $6 trillion by 2021, double what they were in 2015, according to the 2017 Annual Cybercrime Report from Cybersecurity Ventures. The average cost of a data breach globally increased 6.6 percent to $3.86 million in 2018, according to the 2018 Data Breach Study conducted by Ponemon Institute.

Just as they are prime targets for thieves, personally identifiable information (PII) and payment card industry (PCI) data are the focus of most organizations’ security efforts. Protecting sensitive information such as social security numbers and payment card accounts is especially important for organizations that are responsible for clients’ data, such as large retail, banking, healthcare, and software-as-a-service (SaaS) companies.

Protecting PII and maintaining PCI compliance starts with knowing where the two intersect.

Defining PII

Any information that a thief could use to identify someone is considered to be PII, and thus subject to appropriate security standards. The specific measures for keeping PII safe and penalties for non-compliance vary by the type of data and the industry to which an organization belongs.

Common examples of PII include social security numbers, biometric records, email addresses, and birthdates. Information that is tied to a particular person, such as a social security number or passport, is considered to be sensitive.

PII that may be shared among individuals, such as an address for a home that someone shares with family members, is considered to be non-sensitive. However, this kind of information can be used to confirm ownership of sensitive data, thereby increasing the risks associated with exposure.

Alarmingly, a person’s gender, zip code, and birthdate are enough to identify 63 percent of the US population, Sherpa Software noted in “An Introduction to PCI and PII,” citing a study by researchers for Stanford University.

Defining PCI’s Sensitive Data: Cardholder Data

The PCI Security Standards Council (SSC) developed the Payment Card Industry Data Security Standard (PCI DSS) in 2004 to combat credit card fraud. Maintaining PCI compliance demonstrates that your company is as protected as it can be from security breaches. This allows your company to keep operating.

The PCI DSS applies to all merchants and vendors that handle card data, including those that accept or process payments made through printed forms, over the phone, in person, or online.

The PCI DSS provides standards for the processes and systems that merchants and vendors use to protect information. This information includes:

  • Cardholder data such as the cardholder’s name, the primary account number, and the card’s expiration date and security code.

  • Sensitive authentication data, including magnetic-stripe data, the equivalent data contained on a chip, and PINs.

All such information must be guarded per PCI DSS requirements when in the cardholder data environment (CDE). PCI standards help organizations mitigate vulnerabilities in areas such as card readers, point of sale systems, databases, call recording software, and online portals.

PCI DSS requirements provide a framework to comprehensively audit your IT security posture so that you protect card data from loss and misuse as it is collected, stored, processed, and transmitted. Compliance becomes a byproduct of your data security when you implement your security posture correctly.

How Should Both Be Properly Managed?

Minimizing the handling of PII and PCI is the best way to protect sensitive data. That is, if you don’t need it, don’t collect, store, or transmit the information.

If your organization must handle sensitive data, identifying it, establishing standards for protecting it, and building company-wide awareness of those protections will help you manage it properly.  

InfoSec Institute recommends implementing the following PCI DSS requirements in the PII lifecycle, per an article on where PCI DSS and PII intersect.

  • Collection. Secure PII at collection points such as websites and point-of-sale systems by using technologies such as Transport Layer Security (TLS).

  • Storage. Protect stored data by masking the Primary Account Number (PAN) when it is displayed and rendering it unreadable when it is stored—through cryptography, for example.

  • Transmission. Use strong cryptography and security protocols to safeguard sensitive cardholder data as it is sent over networks.

  • Back-Up. Apply the same security standards that you have adopted in your cardholder data environment (CDE) to other systems that store sensitive information, including your backup systems.

  • Destroy. Only store data with a business purpose. Delete all other sensitive data.

When Do They Intersect?

PCI DSS covers PII when it is related to cardholder data, such as the PAN, cardholder name, service code, and card expiration date, according to InfoSec Institute. It also covers sensitive authentication data such as a card PIN.

When Do They Not?

PCI DSS does not extend to PII that is not cardholder data. For example, protected health information (PHI), including diagnoses and lab test results, is covered by healthcare industry standards.

You must protect your customers’ sensitive information in order to maintain compliance and stay in business. Knowing where protecting PII and PCI intersect can help.
