Today’s payment technology advances offer consumers the seamless and convenient experience they have grown to expect from businesses. The result is massive growth in e-commerce sales. Ekata, a Mastercard company, recently predicted an increase of 10.6% in U.S. e-commerce sales from November 2022 through December 24, with e-commerce sales globally reaching $1.4T by 2026.
With that growth comes opportunity for hackers (IBM’s 2023 Cost of a Data Breach Report). Between 2021 and 2025, online sellers stand to lose up to $206B worldwide to online payment fraud (Ekata).
Of the breaches noted in IBM’s report, Personally Identifiable Information (PII), such as names, Social Security numbers and credit card numbers, was the costliest type of data stolen in 2023, coming in at $183 per record.
Common Threats and Best Practices for Securing PII
Organizations that handle PII bear a profound responsibility. Infrastructure must be in place to protect PII as it is collected, stored and used, ensuring the confidentiality, integrity, and availability of this information. Failure to adequately protect PII not only exposes individuals to the risks of identity theft and fraud, but also poses substantial threats to an organization’s reputation.
There are several common threats that organizations and individuals face when it comes to safeguarding personal information. Data breaches, phishing attacks, third-party risks, malware and ransomware are some of the most common external threats organizations face. Inside the walls of an organization, outdated software and systems, weak authentication and access controls, and lack of data encryption increase the likelihood of sensitive data falling into the wrong hands.
Implementing best practices for PII security and privacy protection is essential for organizations to mitigate the risks of data breaches, identity theft, and other malicious activities. Some best practices include:
- Access Controls: Enforce strict access controls on PII and implement multi-factor authentication
- Employee Training: Foster a culture that empowers employees to recognize and report potential security threats
- Data Minimization: Collect only necessary information, purging unnecessary PII through secure procedures
- Transparency: Communicate clearly to users how their PII is collected, processed, and stored
- Third-Party Risk Management: Vet and monitor the security practices of third-party vendors
- Regular Security Assessments: Conduct regular assessments to identify vulnerabilities in the infrastructure
- Incident Response Plan: Develop a comprehensive incident response plan to promptly address potential breaches
PII and PCI Compliance with Data Encryption
These practices are “defend the fort” strategies that help an organization enhance its security posture. But what protects PII once a hacker has breached an organization’s systems? Not surprisingly, customer PII was the most breached record type in 2023, with 52% of all breaches involving some type of customer PII (IBM).
Security experts consider data encryption vital for organizations to implement, protecting PII both in transit and at rest. When data is encrypted, an unauthorized person or entity that gains access to it still cannot read it. Data encryption also helps organizations meet the compliance requirements of privacy regulations such as Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), ultimately demonstrating their commitment to ethical practices while preserving consumer trust.
Protecting PII is exceptionally important for any organization that processes debit or credit card transactions; for them, securing PII is a legal obligation. These organizations need to follow the standards and guidelines set by the Payment Card Industry Security Standards Council (PCI SSC).
The PCI SSC recommends the gold standard in data encryption: PCI-validated point-to-point encryption (P2PE). PCI P2PE solutions secure data throughout its lifecycle, rendering it useless to an attacker in the event of a data breach while keeping organizations PCI-compliant.
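As an added illustration of the “encrypted at rest” point (example code written for this page, not Bluefin’s or any vendor’s implementation): each PII field is sealed with AES-256-GCM and bound to its record ID, so a stolen database row is unreadable, and a blob that is altered or moved to another record fails to decrypt. The key source is an assumption; in practice it would come from a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newAEAD wraps a 32-byte key (AES-256) in GCM, an authenticated mode: a blob
// that was altered, or whose associated data does not match, fails to decrypt.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField encrypts one PII field (name, SSN, card number). The record ID is the
// associated data, binding the blob to its row; the random nonce is prepended.
func sealField(aead cipher.AEAD, recordID, plaintext string) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID)), nil
}

// openField decrypts a field; it errors if the blob was tampered with or copied from another record.
func openField(aead cipher.AEAD, recordID string, blob []byte) (string, error) {
	n := aead.NonceSize()
	if len(blob) < n {
		return "", fmt.Errorf("ciphertext too short")
	}
	pt, err := aead.Open(nil, blob[:n], blob[n:], []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // assumption: a production key comes from a KMS/HSM
	rand.Read(key)
	aead, _ := newAEAD(key)
	blob, _ := sealField(aead, "cust-1001", "123-45-6789") // constructed sample SSN
	_, err := openField(aead, "cust-2002", blob)           // same blob, another record
	fmt.Printf("stored blob: %x\nwrong record: %v\n", blob, err)
}
```

Tokenization, which the page mentions alongside encryption, replaces the field with a surrogate value instead; the binding-to-record and tamper-detection properties shown here are what make the encrypted row useless to whoever exfiltrates it.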
In a recent article, The Green Sheet discussed the role of PCI-certified point-to-point encryption (P2PE) with Brent Johnson, CISO at Bluefin.
“Clearly, the last few years have seen a significant uptick in ransomware attacks, which is now a multi-billion-dollar-a-year industry and likely not going anywhere for the foreseeable future. Sensitive data should always be encrypted or tokenized at rest to prevent data exposure from these types of attacks, and organizations must implement an effective backup strategy, preferably offline, to mitigate the effectiveness of this type of attack.”
Bluefin, the first PCI-validated provider of a P2PE solution, safeguards sensitive data from attacks every time your business gets paid, with PCI-validated P2PE solutions and ShieldConex® for vaultless tokenization of online PII, PHI, payment and ACH account data.
Learn how to secure PII today with Bluefin.