Understanding Enterprise RFP Requirements: Security – Sensitive Data and Consumer Privacy

In a previous installment in our RFPs & Rising Technology Demands series, we examined an expansive set of requirements that’s likely to be included in almost any RFP seeking digital commerce: Security.

The installment categorized security requirements into six areas: sensitive data and consumer privacy, payment processing and PCI DSS, access control and authentication, data security and service levels, policies and controls, and insurances.

The first of these, sensitive data and consumer privacy, is the focus of this installment and is expansive in its own right. The nature of sensitive data is that almost any data can become sensitive when it is combined with other data, which creates a near de facto requirement that all data be treated as sensitive and safeguarded by appropriate protections. This is the nature of Personally Identifiable Information (PII). Cardholder data, meanwhile, is a specific type of PII that introduces an added set of security requirements, most notably the Payment Card Industry Data Security Standard (PCI DSS). At the same time, emerging consumer privacy laws are elevating expectations for privacy and transparency and, even when these laws don't apply by the letter of the law, they are often cited as the privacy standard.

This installment of our RFPs & Rising Technology Demands series examines sensitive data and consumer privacy, including PII, cardholder data and consumer privacy laws that are often cited in RFPs seeking digital commerce.

RFP Security Requirements: Personally Identifiable Information (PII)

Personally Identifiable Information (PII) is information that can be used to identify an individual, whether on its own or combined with other information (e.g. Social Security number, name, date of birth, home address, personal email address).

A single piece of information can reveal an individual identity, but it’s more likely that a combination of information reveals an identity. Therefore, the concern of personal data protection becomes protecting a wide variety of information with a comprehensive approach that includes policies, training, controls, monitoring, notifications, and more. Security requirements in an RFP may touch on any of these.

In terms of security policies, RFPs commonly ask for basics like a Privacy Policy that spells out how consumer data is collected, processed, stored, and protected; a Data Breach Notification Policy that establishes what the organization does when PII is accessed by anyone other than an authorized person; and Terms of Use or a Master Services Agreement that spells out what is expected of customers when they use a vendor service, such as an ecommerce website.

Beyond policies, an RFP's security requirements may include infrastructure criteria, such as physical safeguards at server facilities; monitoring and testing methods and frequencies intended to catch vulnerabilities before they are exploited; staffing criteria like employee training to prevent mishandling of data; and access control standards such as password and permission requirements.

Almost any information can become Personally Identifiable Information, so a wide range of information must be protected. An RFP's security requirements are likely to seek comprehensive data protection.

How the Security of Cardholder Data is Addressed in RFPs

While Personally Identifiable Information is a sweeping consideration within RFP security requirements, one specific type of PII raises the stakes further.

Cardholder data, the information about customers who use a payment card to make online purchases, includes PII like names and addresses but adds potentially even more sensitive information such as the card number, expiration date, and security code, which can be abused directly for fraud in the wrong hands.

Any RFP that calls for digital commerce will have to take account of cardholder data security, specifically payment card processing and the standards that come with it, raising a whole new set of security considerations, most notably the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS comprises 12 principal requirements broken down into roughly 250 detailed requirements, and an RFP for digital commerce is virtually certain to ask for assurances that those requirements are met, whether by the vendor itself or by the third party that handles payment processing for the vendor. Outsourcing processing does not remove the vendor's obligations entirely: any system of the vendor's that stores, processes, or transmits cardholder data remains in scope. (PCI DSS is a broad topic in its own right and is covered more extensively elsewhere in our RFPs & Rising Technology Demands series.)

The RFP issuer may or may not specify who handles payment processing, although most vendors are likely to entrust it to a third-party specialist, such as USAePay. Even with third-party processing, there is still the matter of the cardholder data that potentially passes through the vendor and how that will be protected. The RFP may request payment card tokenization, where the vendor holds a random surrogate value (the token) that stands in for the card data for later processing, while the actual card data resides only with the third party. A properly generated token is not derived from the card number and cannot be reversed without the third party's vault, which is why systems that hold only tokens avoid most of the PCI DSS scope that holding the card number itself would bring. The security code, by contrast, may never be stored after authorization, tokenized or not.
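To make the division of responsibility concrete, here is an added example (not code from this article, and not USAePay's or any other processor's API) of the tokenization flow described above. The `TokenVault` class is an assumed stand-in for the processor-side vault, `MerchantRecords` is the vendor's order store, and the sample card number is the standard Visa test number, which passes the Luhn check but is not a real account. The point the code makes is that the vendor's persisted records contain only the token and a masked card, that the token is random rather than derived from the card number, and that the security code is used once for authorization and never written anywhere.

```python
"""Toy tokenization flow: the merchant side keeps only a random token and display
fields; the processor-side vault (assumed, not a real provider) holds the PAN."""
import re
import secrets

# Constructed sample input: the industry-standard Visa test number. It passes
# the Luhn check but is not a real account.
SAMPLE_PAN = "4111111111111111"

# Runs of 13-19 digits not adjacent to other digits: candidate PANs in stored data.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, the same test a data scanner uses to flag a probable PAN."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form permitted on receipts: at most the last four digits in clear."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Stand-in for the processor-side vault: the only place the PAN is stored."""

    def __init__(self) -> None:
        self._pan_by_token: dict = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        # The token is random, so it carries no information about the PAN and
        # cannot be reversed without this vault (unlike a hash or a cipher).
        token = "tok_" + secrets.token_urlsafe(24)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Privileged operation that exists only on the processor side."""
        return self._pan_by_token[token]

    def charge(self, token: str, cvv: str, amount_cents: int) -> bool:
        """Authorize against the vaulted PAN. The CVV is checked once and never
        stored, because PCI DSS forbids retaining it after authorization."""
        pan = self.detokenize(token)       # KeyError for an unknown token
        return luhn_valid(pan) and cvv.isdigit() and amount_cents > 0


class MerchantRecords:
    """Vendor-side order store: holds the token and display fields, never the PAN."""

    def __init__(self) -> None:
        self.orders: list = []

    def record_order(self, token: str, pan: str, amount_cents: int) -> None:
        # The PAN passes through here but only its masked form is persisted.
        self.orders.append({"token": token, "card": mask_pan(pan), "amount": amount_cents})


def stored_pans(records: MerchantRecords) -> list:
    """Scan what the merchant persisted for anything that looks like a full PAN."""
    hits = []
    for order in records.orders:
        for value in order.values():
            hits.extend(m for m in PAN_RE.findall(str(value)) if luhn_valid(m))
    return hits


def checkout(pan: str, cvv: str, amount_cents: int):
    """One purchase: tokenize, record the order, then charge.
    Returns (vault, records, token, approved)."""
    vault = TokenVault()
    records = MerchantRecords()
    token = vault.tokenize(pan)
    records.record_order(token, pan, amount_cents)
    approved = vault.charge(token, cvv, amount_cents)
    return vault, records, token, approved


if __name__ == "__main__":
    vault, records, token, approved = checkout(SAMPLE_PAN, "123", 4999)
    print(token, records.orders, approved, stored_pans(records))
```

Running `stored_pans` over the merchant's records is the kind of check an assessor performs when deciding what is in PCI DSS scope: if it ever returns a hit, the vendor is storing card numbers and the tokenization claim in the RFP response is not true.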

Consumer Privacy Laws are Often the PII Security Standard for RFPs

Recent years have seen a rise in consumer privacy laws not only to protect PII and payment card data but to provide consumers a host of other assurances about how their data is collected, processed, stored, potentially sold, and protected.

Perhaps the best known consumer privacy law is the General Data Protection Regulation (GDPR). The GDPR sets out seven principles for handling personal data: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality (security); and accountability. Adopted by the European Union in 2016 and enforced since May 2018, it gave rise to a number of other consumer privacy laws worldwide, including the California Consumer Privacy Act (CCPA), which took effect in 2020 and is sometimes called GDPR-lite.

Also among emerging consumer privacy laws are Right to Erasure, or so-called "Right to Be Forgotten", provisions, which were included in the GDPR and have since been adopted either as law elsewhere or as a privacy standard in commerce. Such provisions allow consumers to demand that a vendor or service provider delete the data and history it holds about them.

Whether or not a company does business in Europe, California, or another jurisdiction that is legally bound by these consumer privacy laws, the laws have led consumers to expect greater privacy and transparency about what data is collected about them. From the business perspective, companies want to meet that expectation and not lose market share to competitors that do.

Therefore, even when companies aren’t technically bound by the consumer privacy laws, an RFP’s security requirements may cite one of the regulations as the privacy standard anyway.

Data Security Standards Found in RFPs Require a Comprehensive Approach

While security requirements are a sweeping consideration within RFPs, sensitive data is a sweeping consideration within security.

Since Personally Identifiable Information is not just a single type of information but any piece of information that can be combined with another piece of information to individually identify a person, a large set of data must be considered sensitive data. The approach to protecting that data is likewise comprehensive.

Cardholder data is also PII but introduces new layers of safeguards, namely the Payment Card Industry Data Security Standard, considerations of who processes payments, and potential requirements for tokenization, which replaces cardholder data with a random surrogate value so that the vendor need not hold the card number at all.

Meanwhile, an increasing number of consumer privacy laws like GDPR, CCPA, and Right to Be Forgotten provisions are heightening consumer and business expectations for protection and transparency, even when they do not apply to a particular company by the letter of the law, and are often cited as the privacy standard in RFPs.

An RFP seeking digital commerce is likely to require a comprehensive set of policies, standards, and more to account for sensitive personal data. Understanding the security requirements that the RFP is likely to seek for sensitive data is a first step toward implementing the data protections and winning the business.

Previous: Understanding Enterprise RFP Requirements: Security

Next: Understanding Enterprise RFP Requirements: Security – Payment Processing