Andy Grove (CEO of Intel) once said, “Privacy is one of the biggest problems in this new electronic age.” And while that sounds appropriate today with directives like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), he also said, “Only the paranoid survive,” which is how many cybersecurity personnel feel these days.
This blog entry was started with a question received from a client: “Can I extend PCI to make it my privacy protection scheme?” Caught off guard, my first reaction was, “Uh, do what?” Without much fanfare - there begins my journey down the path of privacy. The first thing that hit me is this is a really big deal. I don’t make predictions, but from what I can see, the winds are blowing pretty hard in the direction of privacy, so all of us better raise our sails and join in the race or get left behind.
The aim of the PCI Data Security Standard (DSS) is payment card security and was created to increase controls around cardholder data to reduce credit card fraud.
Payment card numbers are one of the elements on the NIST personally identifiable data (PII) list, in that you can identify a person if you have the primary account number (PAN). While those two points support that you simply could expand the list of protected data to include other PII, that overlooks the fact that the DSS is considered a baseline and specific for payment card data. You can use the DSS as a blueprint for your security program as it is a cybersecurity standard, but contrary to popular belief, privacy and cybersecurity are not one in the same.
I consulted the NIST Privacy Framework, and that document makes a pointed fact that there is cybersecurity risk and there is privacy risk.
“While managing cybersecurity risk contributes to managing privacy risk, it is not sufficient, as privacy risks can also arise by means unrelated to cybersecurity incidents….” Cybersecurity risk deals with protection of the Confidentiality, Integrity, and Availability of data. Privacy risk deals with “The likelihood that individuals will experience problems resulting from data processing, and the impact should they occur.” See the difference? Cybersecurity risk is about protecting the data, whereas privacy is about the individual and data about the individual. One of the actions performed on privacy data is protecting it using cybersecurity methods, but the aim is vastly different. Due to that fact, the NIST Privacy Framework introduces new terms and methods, lots of them. I’m going to warn you, as a cybersecurity warrior, it’s going to take some thinking outside the box to fully understand it and to start wrapping your head around it.
For instance, say you go to a store and on checkout they ask if you want your receipt emailed. You think this is a great idea. It will make it easy to file an expense report. So you put in your email address, grab your stuff and go about your way. Then you notice the next day that you’re getting emails trying to sell you other items from that store, so you unsubscribe. A day later you see emails from other vendors for similar items. Was that what you intended when you gave the store your email address? No, you wanted your receipt sent to you. The vendor(s) may be protecting your email address fastidiously with encryption, file change detection, access controls, etc., but you didn’t want to get emails from the vendor or their competitors. And when you unsubscribed, they dutifully took you out of their database, but then promptly sold your email address to a competitor. While my example is simplistic, it happens all the time. You can understand why regulators in Europe created GDPR and California created the CCPA.
To bring this full circle and answer the original question, “Can I extend PCI to make it my privacy protection scheme,” the short answer is ‘No.’ There are many elements of privacy risk that simply are not covered by PCI. Privacy risk addresses information about you, in the example above, the email you used and products you bought at the store, where PCI (read: cybersecurity) risk is strictly concerned with protection of the payment card information you paid for the products with. Using privacy terms, your email and the products you bought were collected at the time you concluded your shopping experience. You did not intend to have your email, nor your product preferences grabbed, but they were collected as a result of the transaction. PCI cybersecurity risk has no provisions in this area, it is only concerned with making sure the data is protected from prying eyes when the payment card data is captured for the single use of making a payment.
Likewise, aggregation is a broader privacy risk function which encompasses these actions.
- Data aggregation with other data, much of which is publicly available, that could broach privacy. The PCI DSS has no requirements around data aggregation.
- Identification which even if they didn’t have your email in our example, the identification of an individual can be determined from different data sources pulled together. The PCI DSS has no requirements concerning identification of the individual.
- Data security, something PCI is very good at, is the insecurity of the data through an unwanted release. The PCI DSS is primarily aimed at preventing data release through breaches, as we will discuss below, but as you will see it’s only a single part of the privacy ecosystem.
- Secondary use, as seen in our example above, is where data gathered for an agreed use by the individual is used without the informed consent of the person. PCI does not have requirements around secondary use of the data.
- Exclusion, which is the use of the person’s data without giving them an opportunity to manage or participate in its use. The PCI DSS does not have requirements concerning how data is used outside of the obvious that the data is used for exchange of payment when purchasing goods and services.
Information dissemination is where data shared by an individual in confidence is released or threatened to be released which may harm the person. While the release of cardholder data can result in potential liabilities through use of the card data, the PCI DSS doesn’t specifically address embarrassment, the loss of reputation or unfavorable credit reporting that may come about by the release of card data.
A follow-on to insecurity is an invasion of privacy, which in the case of payment card data would be a breach. The PCI DSS primary goal is to prevent invasion through logical and technical controls, but the intent of privacy risk analysis is much broader in that it is concerned with ‘decisional interference’ where the invasion by the external party is intent on changing the private decisions of the individual whose data has been captured. The PCI DSS does not go into these areas at all.
My intent with this blog post wasn’t to turn you into a data privacy expert.
That my friend will take some reading; lots of reading. Both PCI and privacy are equally important and by being compliant with PCI, you are covering your bases for parts of your privacy risk, but not in its entirety. You can successfully protect other data elements using the same requirements found in the PCI DSS, but privacy is a much, much broader picture. I suggest you take a step back, put together a holistic approach and build a data privacy program from the ground up. There are good sources to help you get started at NIST and ISO, but like I said, it’s going to take a lot of reading and analysis on your part.
Drew Cathey has been a member of the SecureTrust team for 5 years and has been in IT for 35 years. Coming from a background in telecommunications IT operations, he has held positions in engineering, project management and IT security. Drew holds degrees in biology, engineering and an MBA in Information Technology management along with PMP, CISSP, CISA and QSA certifications. He resides in St. Petersburg, FL with his two children and enjoys running, bicycling and tennis.