RSA Adaptive Authentication (Hosted) – What Constitutes Personal Information

Document created by RSA Product Team Employee on Feb 13, 2018. Last modified by RSA Link Team on Jun 13, 2018.

Summary:

As an end-of-life service, Adaptive Authentication (Hosted) is not GDPR ready. Customers who send personal information are therefore asked to change their implementation and anonymize any personal information sent to Adaptive Authentication (Hosted) so that they meet their GDPR obligations. The tables below give examples of elements that are considered personal information and list the API fields with their definition as personal information.

Note: It is the customer's responsibility to inform RSA when implementing any change that stops specific PII data from being sent in clear text, and to request that RSA delete the historical data.

 

Examples of PII Elements

This table provides examples of elements that are considered personal information in Adaptive Authentication (Hosted) with a brief description about how the data is used in the application.

 

User ID
User IDs should be sent anonymized. This data is used as part of the risk assessment process.

User login ID
User login IDs should be sent anonymized.

Payee information
Payee information should be sent anonymized. The payee account and routing code are used as part of the risk assessment process. All other information is used for display purposes in Case Management.

User name
User names should be sent anonymized. Currently, this data is used for display purposes in the Case Management and Customer Service applications.

User address information
User addresses should be sent anonymized. Currently, this data is saved in the database but is not used for display purposes or risk assessment.
Phone numbers

Phone numbers currently saved in Adaptive Authentication (Hosted) are used for these tasks:

  • OOB phone and/or SMS authentication.
  • Display in the Case Management and Customer Service applications.

Complete phone numbers should not be saved in Adaptive Authentication. Phone numbers should be sent as part of the authentication flow (Challenge Request) when using OOB phone and OOB SMS. Phone numbers should not be sent as part of updateUser requests.

RSA Adaptive Authentication (Hosted) saves only the last four digits of phone numbers that are received in the authentication flow. As a result, the Case Management application, Authentication Method Details section, only displays the last four digits of the end-user phone number.

Mobile phone numbers

Mobile phone numbers are sent by the mobile application implementation as part of the device identifiers (the Device Element):

  • Customers using the RSA Adaptive Authentication Mobile SDK must upgrade to SDK 3.10 or later. From SDK 3.10, RSA provides the ability to anonymize this information. Because mobile phone numbers are not hashed by default, customers must use the available configuration parameter to hash the collected mobile phone numbers. For more information on hashing the mobile phone numbers collected by the SDK, see the RSA Adaptive Authentication Mobile SDK Modules 3.10 – Mobile Data Collection Module documentation.
  • Customers not using the RSA Adaptive Authentication Mobile SDK Modules are responsible for sending this information anonymized themselves.

Note: This applies to customers in either of these situations:

  1. Customers that have upgraded to SDK 3.10 and hash the phoneNumber parameter as required.
  2. Customers who are not using the SDK and start sending the data anonymized.

In either scenario, the system resets some CRE mobile profiles. This can lead to loss of history data and cause risk score instability.

Custom Facts

Custom Facts should not contain personal information in clear text. If a Custom Fact contains any personal information, it should be sent anonymized.

Note: When Custom Facts contain PII and are anonymized, ensure that the fact type of the applicable Custom Fact is set to String in the Policy Management application of the Back Office. This is configured on the Management Custom Facts page by setting the Fact Type column to String.

 

API Fields and Definitions as Personal Information

This table details the API fields and their definition as personal information.

 

Information / Sent in API

deviceRequest.ipAddress
deviceRequest.userAgent
deviceRequest.devicePrint
Sent in API: As is

deviceRequest.deviceSpecific.mobile
  • hardwareId
  • simId
  • otherId
  • phoneNumber
deviceRequest.deviceSpecific.mobile.mobileInfoJs
Sent in API: phoneNumber hashed (SHA-256). The hashing is performed by either the SDK (3.10) or the customer when not using the SDK.

identificationData.username
Sent in API: Anonymized

identificationData.userOrg
Sent in API: As is

identificationData.userLoginName
Sent in API: Anonymized

identificationData.userCountry
Sent in API: As is

identificationData.userLanguage
Sent in API: As is

userData.lastAccountOpenDate
userData.lastPhoneChangeDate
userData.lastEmailChangeDate
userData.totalAvailableBalance
userData.totalCreditLimit
userData.totalCreditsUsed
Sent in API: As is

userData.userAddress
  • userData.userAddress.addressLastUpdateDate
  • userData.userAddress.addressSetDate
newUserData.userAddress
  • newUserData.userAddress.addressLastUpdateDate
  • newUserData.userAddress.addressSetDate
Sent in API: As is

userData.userAddress
  • userData.userAddress.country
  • userData.userAddress.postalCode
  • userData.userAddress.region
userData.userNameData
  • userData.userNameData.firstName
  • userData.userNameData.lastName
  • userData.userNameData.middleName
  • userData.userNameData.prefix
  • userData.userNameData.suffix
  • userData.userNameData.title
  • userData.userNameData.nameLine
newUserData.userAddress
  • newUserData.userAddress.country
  • newUserData.userAddress.postalCode
  • newUserData.userAddress.region
newUserData.userNameData
  • newUserData.userNameData.firstName
  • newUserData.userNameData.lastName
  • newUserData.userNameData.middleName
  • newUserData.userNameData.prefix
  • newUserData.userNameData.suffix
  • newUserData.userNameData.title
  • newUserData.userNameData.nameLine
Sent in API: Anonymized

Information about the user account - Non-personal information.
transactionData.myAccountData.accountBalance
transactionData.myAccountData.accountCreditsTurnover
transactionData.myAccountData.accountCreditsUsed
transactionData.myAccountData.accountDailyLimit
transactionData.myAccountData.accountLastCreditGrantDate
transactionData.myAccountData.accountCategory
transactionData.myAccountData.accountCountry
transactionData.myAccountData.accountOpenedDate
transactionData.myAccountData.accountOwnershipType
transactionData.myAccountData.accountRelationType
transactionData.myAccountData.accountType
transactionData.myAccountData.clientDefinedAccountType
transactionData.myAccountData.referenceCode
Sent in API: As is

Information about the user account - Personal information.
transactionData.myAccountData.accountName
transactionData.myAccountData.accountNickName
transactionData.myAccountData.accountNumber
transactionData.myAccountData.internationalAccountNumber
transactionData.myAccountData.routingCode
transactionData.myAccountData.swiftCode
Sent in API: Anonymized

Information about the payee account - Non-personal information.
transactionData.otherAccountData.accountBalance
transactionData.otherAccountData.accountCreditsTurnover
transactionData.otherAccountData.accountCreditsUsed
transactionData.otherAccountData.accountDailyLimit
transactionData.otherAccountData.accountLastCreditGrantDate
transactionData.otherAccountData.accountCategory
transactionData.otherAccountData.accountCountry
transactionData.otherAccountData.accountOpenedDate
transactionData.otherAccountData.accountOwnershipType
transactionData.otherAccountData.accountRelationType
transactionData.otherAccountData.accountType
transactionData.otherAccountData.clientDefinedAccountType
transactionData.otherAccountData.referenceCode
Sent in API: As is

Information about the payee account - Personal information.
transactionData.otherAccountData.accountName
transactionData.otherAccountData.accountNickName
transactionData.otherAccountData.accountNumber
transactionData.otherAccountData.internationalAccountNumber
transactionData.otherAccountData.routingCode
transactionData.otherAccountData.swiftCode
Sent in API: Anonymized

eventDataList.eventData.clientDefinedAttributeList.fact
Sent in API: If PII is sent as part of this structure, the data must be anonymized.

Phone information used for OOB phone authentication.
Note: This information is sent only as part of the authentication flow and should not be sent as part of the updateUser request.
credentialChallengeRequestList.oobPhoneChallengeRequest.payload.phoneInfo.countryCode
credentialChallengeRequestList.oobPhoneChallengeRequest.payload.phoneInfo.areaCode
credentialChallengeRequestList.oobPhoneChallengeRequest.payload.phoneInfo.phoneNumber
credentialChallengeRequestList.oobPhoneChallengeRequest.payload.phoneInfo.extension
Sent in API: As is

Phone information used for OOB SMS authentication.
Note: This information is sent only as part of the authentication flow and should not be sent as part of the updateUser request.
credentialChallengeRequestList.oobPhoneChallengeRequest.payload.phoneInfo.countryCode
credentialChallengeRequestList.oobPhoneChallengeRequest.payload.phoneInfo.areaCode
credentialChallengeRequestList.oobPhoneChallengeRequest.payload.phoneInfo.phoneNumber
Sent in API: As is

SSN information used for KBA authentication (LexisNexis).
credentialChallengeRequestList.kbaQuestionChallengeRequest.payload.identificationNumber.identificationType
credentialChallengeRequestList.kbaQuestionChallengeRequest.payload.identificationNumber.identificationValue
credentialChallengeRequestList.kbaQuestionChallengeRequest.payload.identificationNumber.dateOfBirth
Sent in API: As is
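The rules in the table above and in the first section (anonymize user and account identifiers, hash the device-collected mobile phoneNumber with SHA-256, anonymize any Custom Fact that carries PII, and never send phone information in an updateUser request) can be enforced in the customer's integration layer before a request leaves the customer's network. The Python below is an added example written for this page; it is not RSA code and not part of the Mobile SDK. It models the request as a nested JSON-like dict keyed by the field paths from the table; the real wire format, the structure of the fact list as name/value entries, the "analyze"/"updateUser" request-type labels, the key, and every helper name are this example's own assumptions. For fields the page marks Anonymized it uses a keyed HMAC-SHA256 pseudonym, which is the example's choice rather than a method the page mandates: the pseudonym is deterministic so the risk engine keeps linking one user's events across requests, and it is keyed so that an attacker who obtains the stored values cannot recover small-space inputs such as account or phone numbers by enumeration. The mobile phoneNumber is hashed with plain SHA-256 because that is what the page specifies for the SDK-collected value.

```python
"""Scrub PII from an Adaptive Authentication (Hosted) request before sending it.

Added example, not RSA code. The request is modelled as a nested dict (an
assumption about the wire format); field paths follow the article's table.
"""
import copy
import hashlib
import hmac
import json

# Fields the article marks "Anonymized". userData/newUserData and
# myAccountData/otherAccountData share sub-fields, so each pair is expanded
# from one template.
_NAME_FIELDS = ("firstName", "lastName", "middleName", "prefix", "suffix",
                "title", "nameLine")
_ADDRESS_FIELDS = ("country", "postalCode", "region")
_ACCOUNT_PII = ("accountName", "accountNickName", "accountNumber",
                "internationalAccountNumber", "routingCode", "swiftCode")
ANONYMIZED_PATHS = frozenset(
    ["identificationData.username", "identificationData.userLoginName"]
    + [f"{p}.userAddress.{f}" for p in ("userData", "newUserData")
       for f in _ADDRESS_FIELDS]
    + [f"{p}.userNameData.{f}" for p in ("userData", "newUserData")
       for f in _NAME_FIELDS]
    + [f"transactionData.{p}.{f}"
       for p in ("myAccountData", "otherAccountData") for f in _ACCOUNT_PII]
)
# The article specifies SHA-256 for the mobile phone number in the device
# data (what SDK 3.10 does when its hashing parameter is enabled).
SHA256_PATHS = frozenset(["deviceRequest.deviceSpecific.mobile.phoneNumber"])
# Clear-text phone information is permitted only in the authentication flow.
PHONE_PAYLOAD = "credentialChallengeRequestList.oobPhoneChallengeRequest.payload"
# Assumed structure: a list of {"name": ..., "value": ...} facts.
FACT_LIST = "eventDataList.eventData.clientDefinedAttributeList"
# Constructed key for the example; a deployment keeps it in a secret store.
EXAMPLE_KEY = b"customer-held-pseudonymization-key"


def pseudonymize(value, key):
    """Deterministic keyed pseudonym (HMAC-SHA256): deterministic so the risk
    engine still links one user's events, keyed so stored values cannot be
    reversed by enumerating small input spaces. HMAC is this example's
    choice, not an RSA requirement."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def sha256_hex(value):
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def _get(obj, path):
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def _set(obj, path, value):
    parts = path.split(".")
    for part in parts[:-1]:
        obj = obj[part]
    obj[parts[-1]] = value


def scrub_request(request, key, request_type, pii_fact_names=()):
    """Return (scrubbed copy, findings). request_type is the caller's own
    label for the API call, e.g. "analyze" or "updateUser" (assumed)."""
    out = copy.deepcopy(request)
    findings = []
    for path in ANONYMIZED_PATHS:
        value = _get(out, path)
        if isinstance(value, str) and value:
            _set(out, path, pseudonymize(value, key))
    for path in SHA256_PATHS:
        value = _get(out, path)
        if isinstance(value, str) and value:
            _set(out, path, sha256_hex(value))
    facts = _get(out, FACT_LIST)
    if isinstance(facts, list):  # Custom Facts that carry PII get pseudonymized
        for fact in facts:
            if (isinstance(fact, dict) and fact.get("name") in pii_fact_names
                    and isinstance(fact.get("value"), str)):
                fact["value"] = pseudonymize(fact["value"], key)
    payload = _get(out, PHONE_PAYLOAD)
    if (request_type == "updateUser" and isinstance(payload, dict)
            and "phoneInfo" in payload):
        del payload["phoneInfo"]  # article: no phone numbers in updateUser
        findings.append(f"dropped {PHONE_PAYLOAD}.phoneInfo from updateUser")
    return out, findings


def cleartext_leaks(original, scrubbed):
    """Paths the article marks Anonymized or hashed whose value still equals
    the original clear text. An empty list means every such field was covered."""
    return sorted(
        path for path in ANONYMIZED_PATHS | SHA256_PATHS
        if isinstance(_get(original, path), str) and _get(original, path)
        and _get(scrubbed, path) == _get(original, path)
    )


# Constructed sample request; every value is fictitious.
SAMPLE_REQUEST = {
    "identificationData": {"username": "jdoe", "userOrg": "retail",
                           "userLoginName": "jdoe@example.com", "userCountry": "DE"},
    "userData": {"userNameData": {"firstName": "Jane", "lastName": "Doe"},
                 "userAddress": {"postalCode": "10115", "country": "DE",
                                 "addressSetDate": "2017-05-01"}},
    "deviceRequest": {"ipAddress": "198.51.100.7", "deviceSpecific": {"mobile": {
        "hardwareId": "a1b2c3", "phoneNumber": "+4915123456789"}}},
    "transactionData": {"otherAccountData": {
        "accountNumber": "DE89370400440532013000", "accountCountry": "DE"}},
    "eventDataList": {"eventData": {"clientDefinedAttributeList": [
        {"name": "customer_email", "value": "jane@example.com"},
        {"name": "channel", "value": "web"}]}},
    "credentialChallengeRequestList": {"oobPhoneChallengeRequest": {"payload": {
        "phoneInfo": {"countryCode": "49", "phoneNumber": "15123456789"}}}},
}

if __name__ == "__main__":
    scrubbed, findings = scrub_request(SAMPLE_REQUEST, EXAMPLE_KEY, "updateUser",
                                       pii_fact_names={"customer_email"})
    print(json.dumps(scrubbed, indent=2))
    print("findings:", findings, "leaks:", cleartext_leaks(SAMPLE_REQUEST, scrubbed))
```

Changing the key changes every pseudonym, which has the same effect on stored history as the CRE mobile profile reset described above, so choose the key once and keep it in a customer-controlled secret store. Running cleartext_leaks against representative requests as a release gate catches an integration change that starts populating a field the table marks Anonymized without routing it through the scrubber.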

 

 

For additional documentation, downloads, and more, visit the RSA Adaptive Authentication page on RSA Link.

 

EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.
