Personally Identifiable Information

Credit Card PII Security

WHAT IS CSR BREACH REPORTING TOOLKIT®?

WHAT SERVICES DOES CSR BREACH REPORTING TOOLKIT® PROVIDE?

WHEN SHOULD A VPS MERCHANT CALL CSR BREACH REPORTING TOOLKIT®?

WHAT AGENCIES DO I HAVE TO REPORT TO WHEN A BREACH OCCURS?

WHAT IS PERSONALLY IDENTIFIABLE INFORMATION (PII)?

CAN I GET COPIES OF THE BREACH REPORTING TO THESE AGENCIES?

HOW CAN MY BUSINESS BE HARMED IF PII IS LOST OR STOLEN?

WHAT IF I DON’T RECORD OR MAINTAIN ANY PERSONALLY IDENTIFIABLE INFORMATION?

WHAT ARE MY RESPONSIBILITIES TO MY INTERNAL BUSINESS OPERATION (I.E. EMPLOYEES, CONTRACTORS, ETC.)?

WHAT IS BREACH OF PII?

WHAT ARE MY PII DATA BREACH RISKS?

I BELIEVE A HACKER HAS COMPROMISED MY SYSTEM OR NETWORK. WHAT STEPS DO I TAKE REGARDING MY SYSTEM?

WHAT ARE THE REQUIREMENTS TO NOTIFY MY CUSTOMERS WHEN THEIR PII HAS BEEN COMPROMISED?

DO CREDIT-REPORTING AGENCIES (CRAS) NEED TO BE INFORMED OF A BREACH INVOLVING PII?

MASTERCARD AND VISA HAVE PAYMENT CARD INDUSTRY (PCI) RULES. WHAT IS THE DIFFERENCE BETWEEN PCI AND PII?

WHAT IS THE DIFFERENCE BETWEEN A PCI DSS BREACH AND A PII BREACH?

HOW CAN I MINIMIZE THE THREAT OF PII DATA BREACH?

WHAT IS THE PURPOSE OF SENDING CONSUMER NOTIFICATIONS?

WHAT IF THE PII IN MY CARE IS ALWAYS ENCRYPTED?

WHAT IF I RECEIVED PII FROM SOMEONE ELSE AND THAT PII IS COMPROMISED?

WHO IS RESPONSIBLE FOR OVERSEEING COMPLIANCE OF THE VARIOUS SECURITY BREACH LAWS?

WHAT IS CSR BREACH REPORTING TOOLKIT®?

CSR Breach Reporting Toolkit® is an information security breach defense, preparedness, and response service that helps those utilizing Merchant payment solutions address the risks associated with handling personally identifiable information (PII) without committing all of their valuable internal resources to the cause. Forty-nine state laws as well as laws in additional jurisdictions mandate certain responsive procedures in the event that certain forms of PII in your possession are compromised. That’s where we come in.

If and when you determine that a breach of PII has occurred, or suspect a breach or loss of data, CSR Breach Reporting Toolkit® can assist you in notifying the proper authorities (including, in particular, card brands and government agencies) that data has been compromised.

WHAT SERVICES DOES CSR BREACH REPORTING TOOLKIT® PROVIDE?

CSR Breach Reporting Toolkit® services are designed to help you react quickly to a data breach. When PII is lost, stolen, or otherwise compromised, merchants are often confused about what steps to take to rectify the situation. But merchants must be prepared to act quickly in order to comply with applicable laws and industry standards, and in order to preserve their customers’ trust. In the event you discover a breach of PII, CSR Breach Reporting Toolkit® can help you take action to respond.

WHEN SHOULD A VPS MERCHANT CALL CSR BREACH REPORTING TOOLKIT®?

For the reporting of a suspected or actual breach, members should call 1-855-PII-Data (1-866-744-3282).
CSR Breach Reporting Toolkit® will report the breach to federal, state and any other governmental agencies as required.

WHAT AGENCIES DO I HAVE TO REPORT TO WHEN A BREACH OCCURS?

Whether, and which, agencies must be notified of a breach involving PII depends on the applicable law(s). Depending on the particular circumstances, you may be required to report the breach to one agency, to multiple agencies, or to none at all. CSR Breach Reporting Toolkit® maintains a database of federal, state, and law enforcement agencies that may require reports, and can also provide reporting to these agencies on your behalf. Reporting to federal, state, and law enforcement agencies (in addition to card brands) is included as part of our Tier I services.

WHAT IS PERSONALLY IDENTIFIABLE INFORMATION (PII)?

There are many different definitions of PII, and the applicable definition depends on which state law(s) apply to a particular situation. Most definitions, however, include some variation of a person’s name or initials IN COMBINATION WITH other pieces of information that can be used to identify the person, including Social Security numbers, driver’s license numbers, and financial account numbers. Some state laws further include date of birth, mother’s maiden name, biometric records, and certain medical, educational, or employment information.

CAN I GET COPIES OF THE BREACH REPORTING TO THESE AGENCIES?

CSR Breach Reporting Toolkit® will provide you with copies of any reporting it sends on your behalf.

HOW CAN MY BUSINESS BE HARMED IF PII IS LOST OR STOLEN?

Forty-six states in addition to other jurisdictions currently have laws in place that may require you to notify affected individuals (and others) in the event that PII is lost, stolen, or otherwise compromised. The ramifications of such breaches can be substantial. They can also take many forms, including costs and expenses associated with managing a breach, private lawsuits or government investigations arising from a breach, and lost consumer trust.
The financial consequences of failing to properly report a breach can also be substantial, possibly even more substantial than those associated with the breach itself. As just one example, Visa can assess fines of up to $100,000 per breach incident against merchants that fail to promptly and appropriately report the incident to Visa. You can mitigate this risk by positioning yourself to act quickly in the face of a breach. CSR Breach Reporting Toolkit® can help.

WHAT IF I DON’T RECORD OR MAINTAIN ANY PERSONALLY IDENTIFIABLE INFORMATION?

Many merchants do not realize that the cardholder’s name is encoded in the magnetic stripe of some cards and is captured when the card is swiped at your POS terminal. (That is often how the cardholder name comes to be printed on the cardholder copy of the receipt.) As such, you may be collecting and storing information that constitutes PII through your card payment terminal even if you are not expressly asking your customers to provide it. This means that if your POS terminal is breached, you could be required to notify individuals (and others) of the breach.

WHAT ARE MY RESPONSIBILITIES TO MY INTERNAL BUSINESS OPERATION (I.E. EMPLOYEES, CONTRACTORS, ETC.)?

Information security and breach preparedness is not solely for those using card payment solutions. The forty-six plus security breach notification laws already in existence generally apply to any person’s PII. This means that you could be required to notify your employees, subcontractors, service providers, or others if PII about them that is in your care is compromised. (Your employees likely provided PII to you, on their employment application, before you even let them in the door for an interview.) In addition, if you act as a service provider for other companies, you may be required to notify these other companies if PII about their customers, employees, or contractors is compromised while in your care.

WHAT IS BREACH OF PII?

The definition of a breach or a “breach of the security of the system” varies from state to state. In many states, a “breach of the security of the system” arises from any “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by [your] business.” In some states, however, the unauthorized disclosure or acquisition of hard copy records (in addition to computerized data) may also constitute a breach. A breach can occur in many ways, including through lost laptops or PDAs, improper disposal of paper records, or intrusion into your network or PC by hackers.

WHAT ARE MY PII DATA BREACH RISKS?

Incidents of lost or stolen PII occur every day. The financial penalties for these data breaches can be significant. More serious breaches involving PII, especially those involving highly sensitive forms of PII, can result in criminal penalties. Also, your business reputation can be severely damaged. Consumer surveys cited by Visa USA indicate that approximately 79% of customers lose trust in a company that experiences a breach involving their PII, and approximately 74% say they will not continue to shop at a place where they feel their PII may be at risk. Other studies show that a data breach costs companies, on average, about $214 per compromised record.

It’s clear, then, that a breach can hurt your business in more than one way. CSR Breach Reporting Toolkit® can help you avoid these penalties and harm to your reputation by helping you position your business to fend off PII breaches in the first instance and to respond accordingly if and when one occurs.

I BELIEVE A HACKER HAS COMPROMISED MY SYSTEM OR NETWORK. WHAT STEPS DO I TAKE REGARDING MY SYSTEM?

CSR Breach Reporting Toolkit® cannot provide this information. Each breach (and suspected breach) is unique and the appropriate response varies accordingly. If the breach potentially involves payment card information, you may want to visit Visa’s web site (http://j.mp/VisaCISP), which provides a guide for merchants called “What to do if compromised.” Visa’s guide offers some tips and suggestions about responding to a breach of payment card information that may be useful to you.

WHAT ARE THE REQUIREMENTS TO NOTIFY MY CUSTOMERS WHEN THEIR PII HAS BEEN COMPROMISED?

Requirements to notify customers in the event of a breach vary from state to state. CSR Breach Reporting Toolkit® can help you identify the sources of potential legal obligations to notify customers of a breach, even though we cannot interpret these laws for you. For that, you may need an attorney. If and when you determine a breach has occurred, however, CSR Breach Reporting Toolkit®’s Tier II consulting services can help you fulfill any customer notification requirements. See our FAQ concerning CSR Breach Reporting Toolkit® Tier I and Tier II services for additional details about the services that are available to you.

DO CREDIT-REPORTING AGENCIES (CRAS) NEED TO BE INFORMED OF A BREACH INVOLVING PII?

There are provisions in most of the state security breach notification laws regarding reporting breaches to CRAs like Equifax, Experian, and TransUnion. CSR Breach Reporting Toolkit® maintains a database of the applicable provisions in these state laws that details under what circumstances CRAs must be informed of a data breach, and we can help you notify them when necessary. Reporting to CRAs is a standard component of our Tier II services, and may be available for an additional fee if you are a Tier I customer. See our FAQ concerning CSR Breach Reporting Toolkit® Tier I and Tier II services for additional details.

MASTERCARD AND VISA HAVE PAYMENT CARD INDUSTRY (PCI) RULES. WHAT IS THE DIFFERENCE BETWEEN PCI AND PII?

PCI stands for “payment card industry,” and the industry’s data security standards protect payment card data such as the debit or credit card number, expiration date, and card security code. PII, or “personally identifiable information,” is a broader category that encompasses both payment card information and other pieces of information that uniquely identify, or can be used to identify, an individual. Please see our FAQ concerning the types of information that constitute “personally identifiable information” for further details about PII.

WHAT IS THE DIFFERENCE BETWEEN A PCI DSS BREACH AND A PII BREACH?

The differences between a PCI DSS breach and a PII breach chiefly stem from the different types of information compromised in each. The particular data elements involved can significantly affect the long- and short-term consequences of a breach in a variety of ways. For example, a payment card information breach often results in card fraud (e.g., unauthorized transactions) and a fine to merchants from MasterCard, Visa, or American Express. But a PII breach can be more damaging in that a person’s identity could be stolen as a result of the unauthorized acquisition of personal details about affected individuals. Perpetrators can sometimes open new credit cards, apply for loans, and establish new credit accounts with the stolen information.

HOW CAN I MINIMIZE THE THREAT OF PII DATA BREACH?

Almost everyone can do more to protect PII. Our Tier II services, in particular, are designed to help you do just that. Our Tier II services offer a comprehensive suite of breach defense, preparedness, and response products for merchants who want us to be very involved in the process from start to finish. In addition to the full suite of Tier I services (such as our monthly newsletter), Tier II customers can take advantage of our consulting services concerning (1) appropriate merchant payment solutions safeguards for PII, (2) forensic evaluation of particular breach incidents, and/or (3) responding to affected individuals and other necessary parties (beyond card brands and government agencies) when PII is compromised.

In addition, if you store, process or transmit payment card information, you must become PCI compliant to help ensure that you are adequately protecting the information received through your card payment terminal and any networks that may be involved in the processing of payment card information. Our PCI ToolKit product can help with that. The PCI ToolKit walks you through your annual PCI Self-Assessment Questionnaire as required by the PCI Security Standards Council. For more information about the PCI ToolKit, please visit the Web site at www.pcitoolkit.com.

WHAT IS THE PURPOSE OF SENDING CONSUMER NOTIFICATIONS?

While the risk may be difficult, or impossible, to quantify, the unauthorized acquisition of sensitive PII by a third party potentially increases the risk that an individual will be victimized by fraud or some form of identity theft. Telling individuals that their PII has been, or may be, exposed to an unauthorized third party allows them to take proactive steps to protect themselves from identity theft and other forms of fraud. Such precautions can include canceling compromised credit or debit cards, placing a fraud alert on consumer credit reports, or simply reviewing financial account statements more carefully. Regardless of whether notice recipients elect to take any additional precautions, they will be in a better position to make an informed decision about them if they receive notice of a breach. Consumer notifications can also be an opportunity for you to let the affected individuals know that you care about their privacy and are willing to help them understand what happened and how their PII was exposed.

WHAT IF THE PII IN MY CARE IS ALWAYS ENCRYPTED?

Virtually all jurisdictions have mirrored California’s exemption from breach reporting and notification when PII is encrypted or otherwise rendered secure. So, you may not have to notify affected individuals (or others) if PII in your care is encrypted. While “encryption” is not defined in some of the state security breach notification laws, it generally requires that PII be transformed into a form in which there is a low probability of assigning meaning to it without use of a confidential process or key. Some states, however, require that PII be encrypted or secured using particular technologies or processes in order for this notification exemption to apply. CSR Breach Reporting Toolkit® maintains a list of state laws that do not apply to encrypted PII.
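To make two of the rules in this FAQ concrete, the “name IN COMBINATION WITH” definition of PII and the exemption for PII that was stored encrypted, here is an added Python triage helper. It is example code written for this page, not part of the original FAQ and not CSR Breach Reporting Toolkit® software. The field names, the simplified value patterns, and the way encrypted fields are treated are assumptions made for illustration; they do not reproduce any particular state’s statute, and the output is a starting point for the legal analysis, not a substitute for it.

```python
"""Breach-impact triage over stored records (example code, assumptions noted).

Rule modelled (from the FAQ): a record is PII when a name or initials appears
in combination with at least one of SSN, driver's licence number, or financial
account number.  A record is treated as not notifiable when every matched
combination element was stored encrypted and the key was not exposed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Simplified value patterns (assumption): real driver's licence and account
# number formats vary by state and issuer, so tune these to your own data.
COMBINATION_ELEMENTS = {
    "ssn": re.compile(r"^\d{3}-?\d{2}-?\d{4}$"),
    "drivers_license": re.compile(r"^[A-Z]\d{7}$"),
    "account_number": re.compile(r"^\d{8,19}$"),
}


@dataclass
class Triage:
    name_present: bool
    exposed: list[str]   # combination elements readable by an intruder
    is_pii: bool         # meets the name + combination-element rule
    notifiable: bool     # is_pii and not covered by the encryption exemption
    reason: str


def triage_record(record: dict, encrypted_fields: frozenset[str] = frozenset(),
                  key_compromised: bool = False) -> Triage:
    """Classify one record.  Values are given in cleartext for the check;
    encrypted_fields says which of them were encrypted at rest (assumption:
    this metadata comes from your data inventory, not from the record)."""
    name_present = bool(record.get("name") or record.get("initials"))
    matched = [k for k, rx in COMBINATION_ELEMENTS.items()
               if k in record and rx.match(str(record[k]))]
    # An encrypted element only counts as exposed if the key was also exposed.
    exposed = [k for k in matched if k not in encrypted_fields or key_compromised]
    if not name_present:
        return Triage(False, exposed, False, False,
                      "no name or initials: combination rule not met")
    if not matched:
        return Triage(True, [], False, False,
                      "name only: no combination element present")
    if not exposed:
        return Triage(True, [], True, False,
                      "combination elements encrypted, key not exposed: exemption may apply")
    return Triage(True, exposed, True, True,
                  "name in combination with " + ", ".join(exposed))


def summarize(records: list[dict], encrypted_fields: frozenset[str] = frozenset(),
              key_compromised: bool = False) -> dict:
    """Counts for an incident report: records seen, PII records, notifiable records."""
    results = [triage_record(r, encrypted_fields, key_compromised) for r in records]
    return {
        "records": len(results),
        "pii": sum(1 for r in results if r.is_pii),
        "notifiable": sum(1 for r in results if r.notifiable),
    }


# Constructed sample data for illustration; not real people or accounts.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "ssn": "123-45-6789"},                    # name + SSN
    {"name": "John Roe"},                                          # name only
    {"ssn": "987-65-4321"},                                        # SSN only
    {"initials": "A.S.", "account_number": "4111111111111111"},    # encrypted below
]
SAMPLE_ENCRYPTED = frozenset({"account_number"})

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(triage_record(rec, SAMPLE_ENCRYPTED).reason)
    print(summarize(SAMPLE_RECORDS, SAMPLE_ENCRYPTED))
    # Re-run with the key assumed exposed: the encrypted record becomes notifiable.
    print(summarize(SAMPLE_RECORDS, SAMPLE_ENCRYPTED, key_compromised=True))
```

The point of the second `summarize` call is the caveat in the encryption exemption: the exemption only helps if the key stayed out of the intruder’s reach, so an incident review has to establish key exposure before any record is dropped from the notification list.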

WHAT IF I RECEIVED PII FROM SOMEONE ELSE AND THAT PII IS COMPROMISED?

If PII belonging to another organization is compromised while in your care, you may be required to notify that organization of the compromise. Most state laws place the ultimate responsibility for notifying consumers of a breach on the “owner” or “licensee” of PII, but others who receive or maintain this information are typically required to promptly (or immediately) notify the owner or licensee after discovering a breach of PII so that the owner or licensee can take action accordingly. In addition to the obligation to notify the owner or licensee of a breach, you may also be required to cooperate with the data owner or licensee by, among other things, providing to the owner or licensee relevant details about the breach incident and about any remedial measures being taken. Even where notice to the owner or licensee is not legally required, it may be appropriate depending on your relationship with the owner or licensee.

WHO IS RESPONSIBLE FOR OVERSEEING COMPLIANCE OF THE VARIOUS SECURITY BREACH LAWS?

As a general rule, the various state attorneys general and other state regulatory bodies are responsible for enforcing and overseeing compliance with state security breach notification laws. But in some states consumers who are harmed by a violation of the state’s notification law may bring a private lawsuit to enforce the law and recover damages for a violation.
At the federal level, this responsibility is principally vested in the Federal Trade Commission, the Consumer Financial Protection Board, and the Department of Health and Human Services (for healthcare-related entities). The consequences of failing to comply with applicable breach notification obligations can be significant, and will likely only result in additional frustration in the wake of a breach. Several companies have already found this out the hard way. CSR Breach Reporting Toolkit® can help you avoid becoming another example of what not to do.