Armor-Plating Personally Identifiable Information

An unprecedented deluge of personally identifiable information (PII) is right now coursing between government agencies, financial institutions (FIs), individuals and business owners, as tens of millions apply for new CARES Act funding under the Payroll Protection Program (PPP), in the form of emergency Small Business Administration (SBA) loans with few strings attached.

For most, it’s a nightmare.

For cybercriminals, however, it’s probably the greatest theft opportunity they’ll ever see.

“The COVID-19 pandemic is changing consumer buying habits and patterns … they’re moving to a more digital environment … and things are [never] going to go back to the way they were,” Fiserv Vice President of Global Merchant Security and Fraud Timothy Horton told PYMNTS.

“Merchants are now going to have even more of consumers’ personal information, which needs to be protected,” he said. Pointing to major data breaches (like Marriott) that hit even as COVID-19 began its grim ascent, Horton said the pandemic has created “… a perfect opportunity [for cyberfraud] as merchants are changing the way they sell to their consumers. Consumers are changing the way they buy. There’s more personal information out there. Part of the merchant strategy needs to be, how do I protect that information as I’m gathering and using it?”

Fiserv addressed that question with its TransArmor® Personal Data Protection solution, which has extended tokenization to all consumer data, in motion and at rest. Horton explained that in the past, PII has been less well guarded than cardholder data. It’s been a major access point for hackers, and is therefore a primary focus of Fiserv’s new TransArmor® solution.

“If you think about what we’ve done with our encryption and tokenization product today, protecting data in transit and at rest, merchants now will be able to protect their consumers’ personal information in transit and at rest, every couple minutes,” Horton said.

PCI compliance for PII is part of the solution’s appeal, in light of the multitude of new attack vectors that Horton and others anticipate after the COVID-19 emergency abates. “Personal information or consumer information does not fall under the PCI guidelines,” Horton noted, “but if you think about international regulations like GDPR or even federal and state regulations related to privacy, you’ll be able to use this solution” to help comply with those laws.

“We look at what’s happening from a breach perspective … and almost all of them in fact have some sort of consumer or personal information” as part of it, he said. Merchants “need to be protecting the consumer’s [personal] information as much as cardholder information, not only for financial losses, but to maintain and gain trust with their consumers.”

The cloud-based TransArmor® solution allows merchants to integrate an application programming interface (API) into their system for encryption and tokenization of all PII databases. When PII needs to be reviewed, it is decrypted, viewed and then encrypted again when it is stored. Horton says it’s a fundamental change in how PII is handled across verticals, and Fiserv has some ideal starting places in mind.

Common situations where PII is exchanged and exposed — the more vulnerable verticals such as grocery stores, gas stations, quick-service restaurants and any retail business with a loyalty program — will “… be our initial phase,” Horton said, “and later in [2020], we’ll roll out to healthcare and government” to protect their vast databases of consumers’ PII and healthcare information.