TL;DR
The Payment Card Industry Data Security Standard (PCI DSS) doesn’t directly define Personally Identifiable Information (PII). However, it focuses on protecting cardholder data. Understanding what constitutes cardholder data – and how it overlaps with PII – is crucial for compliance. This guide explains the boundaries of PII in relation to PCI DSS.
1. What is Cardholder Data?
PCI DSS specifically targets this information:
- Primary Account Number (PAN): The 16-digit card number.
- Cardholder Name: As printed on the card.
- Expiration Date: Month and year.
- Service Code: A three or four-digit code indicating the card type.
- CVV/CVC2/CID: The security code on the back of the card (never store this!).
Any system that stores, processes, or transmits these elements falls under PCI DSS scope.
2. What is Personally Identifiable Information (PII)?
PII is any data that can identify an individual. This is much broader than cardholder data and includes:
- Name
- Address
- Date of Birth
- Email Address
- Phone Number
- Social Security Number (where applicable)
PII is governed by various privacy regulations like GDPR, CCPA, and others.
3. Where PCI DSS and PII Overlap
The overlap occurs when PII is used in conjunction with cardholder data. For example:
- Customer Records: If a database contains both PANs and customer names/addresses, the entire record is likely within PCI DSS scope.
- Transaction History: Linking transaction details (including PAN) to a specific customer’s name creates an overlap.
- Marketing Lists: Combining cardholder data with marketing information falls under PCI DSS regulations.
4. Minimising PII Storage
The best approach is to minimise the storage of PII alongside cardholder data. Here’s how:
- Tokenisation: Replace sensitive PANs with non-sensitive tokens. This means you don’t store actual card numbers.
- Encryption: Encrypt cardholder data both in transit and at rest. Use strong encryption algorithms. For example, encrypting a file at rest with OpenSSL (the command prompts for a passphrase; `-pbkdf2` selects the modern key-derivation function instead of OpenSSL’s deprecated default):

```shell
# Encrypt a file at rest with AES-256-CBC; OpenSSL prompts for a passphrase
openssl enc -aes-256-cbc -salt -pbkdf2 -in sensitive_data.txt -out encrypted_data.enc
```

- Data Masking: Obscure parts of the PAN (e.g., show only the last four digits).
- Segmentation: Isolate systems storing cardholder data from other systems containing PII.
- Reduce Retention: Only store cardholder data for as long as absolutely necessary.
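The following Python is an added example, not code from the original guide: it shows how the masking and tokenisation steps above work together on the kind of combined customer record described in section 3, and how PAN-like strings can be detected and redacted in log text so that logging systems do not silently fall into PCI DSS scope. The `TokenVault` class, the function names and the sample record and log lines are all constructed for illustration; a real deployment would use a dedicated tokenisation service inside the segmented cardholder data environment rather than an in-memory dictionary.

```python
"""Added example (not part of the original guide): PAN masking, a minimal
tokenisation vault, scrubbing of a combined customer record, and
detection/redaction of PANs in free text such as application logs.
All names and sample data are constructed for illustration."""
import re
import secrets

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def _digits(value: str) -> str:
    """Strip separators so '4111 1111 ...' and '4111-1111-...' compare equal."""
    return "".join(c for c in value if c.isdigit())


def luhn_valid(pan: str) -> bool:
    """Luhn check used by payment cards; filters out order numbers etc."""
    digits = [int(c) for c in _digits(pan)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Replace all but the last four digits with '*' (display form)."""
    digits = _digits(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Constructed in-memory stand-in for a tokenisation service.

    Only the vault holds real PANs; every other system stores the token.
    The same PAN always maps to the same token so records stay joinable."""

    def __init__(self) -> None:
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenise(self, pan: str) -> str:
        digits = _digits(pan)
        if not luhn_valid(digits):
            raise ValueError("not a Luhn-valid PAN")
        token = self._token_by_pan.get(digits)
        if token is None:
            token = "tok_" + secrets.token_urlsafe(16)   # random, not derived from PAN
            self._token_by_pan[digits] = token
            self._pan_by_token[token] = digits
        return token

    def detokenise(self, token: str) -> str:
        """Reverse lookup; in practice restricted to the payment path."""
        return self._pan_by_token[token]


def scrub_customer_record(record: dict, vault: TokenVault) -> dict:
    """Return a copy of a customer record that can live outside the CDE:
    the PAN becomes a token plus a masked display value, the CVV is
    dropped entirely (it must never be stored), PII fields are untouched."""
    out = {k: v for k, v in record.items() if k not in ("pan", "cvv")}
    out["pan_token"] = vault.tokenise(record["pan"])
    out["pan_masked"] = mask_pan(record["pan"])
    return out


def find_pans(text: str) -> list:
    """Return candidate PANs in free text that also pass the Luhn check."""
    return [m.group(0) for m in _PAN_RE.finditer(text) if luhn_valid(m.group(0))]


def redact_pans(text: str) -> str:
    """Replace every detected PAN in text with its masked form."""
    return _PAN_RE.sub(lambda m: mask_pan(m.group(0)) if luhn_valid(m.group(0)) else m.group(0), text)


# Constructed sample data (the PAN is the well-known test number 4111...1111).
SAMPLE_RECORD = {
    "name": "Alice Example",
    "email": "alice@example.invalid",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv": "123",
}
SAMPLE_LOG = (
    "INFO payment attempt for order 98765\n"
    "WARN card 4111 1111 1111 1111 declined, contact 555-0100\n"
)

if __name__ == "__main__":
    vault = TokenVault()
    print(scrub_customer_record(SAMPLE_RECORD, vault))
    print(find_pans(SAMPLE_LOG))
    print(redact_pans(SAMPLE_LOG))
```

The scrubbed record keeps the name and e-mail (PII) but no longer contains cardholder data, so the system holding it is no longer in PCI DSS scope on that account; the vault that can detokenise remains in scope and should be segmented as section 4 describes. The log scan shows why logging pipelines need the same treatment: a single PAN written to a log pulls the log store into scope.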
5. PCI DSS Scope Considerations
Even if you don’t directly store PII, consider these scenarios:
- Access to Systems: If someone with access to cardholder data also has access to PII systems, your scope expands.
- Shared Infrastructure: Shared servers or networks handling both cardholder data and PII require careful security controls.
6. Regular Assessments
Conduct regular vulnerability scans and penetration tests to identify potential risks related to cardholder data exposure. Ensure your cyber security team is aware of the overlap between PCI DSS and PII regulations.