RSA Adaptive Authentication (Hosted) – What Constitutes Personal Information

Document created by RSA Product Team Employee on Feb 13, 2018. Last modified by RSA Product Team Employee on Mar 27, 2018.
Version 3

Summary:

Adaptive Authentication (Hosted) is not GDPR compliant. Customers who send personal information are therefore asked to change their implementation and anonymize any personal information before it is sent to Adaptive Authentication (Hosted).

The following are examples of elements that are considered personal information in Adaptive Authentication (Hosted):

  • User ID. Should be sent anonymized. This data is used as part of the risk assessment process.
  • User login ID. Should be sent anonymized.
  • Payee information. Should be sent anonymized. The payee account and routing code are used as part of the risk assessment process; all other payee information is used for display purposes in Case Management.
  • User name. Should be sent anonymized. Currently used for display in the Case Management and Customer Service applications.
  • User address information. Should be sent anonymized. Currently saved in the database, but not used for display or risk assessment.
  • Phone number. Phone numbers are currently saved in Adaptive Authentication (Hosted) for use in OOB phone and/or SMS authentication, and for display in the Case Management and Customer Service applications. Phone numbers cannot be saved in Adaptive Authentication (Hosted); when using OOB phone and OOB SMS, they should instead be sent as part of the authentication flow (Challenge Request).
  • Mobile phone number sent as part of the mobile application implementation:
    • Customers who use the RSA Adaptive Authentication Mobile SDK must upgrade to SDK 3.10 or later. From SDK 3.10, RSA provides the ability to anonymize this information.
    • Customers who do not use the RSA Adaptive Authentication Mobile SDK modules: it is the customer's responsibility to send this information anonymized.


The following table lists the API fields and whether each must be sent as is or anonymized:

Columns: Information / Sent in API

  • deviceRequest.ipAddress
  • deviceRequest.userAgent
  • deviceRequest.devicePrint
Sent in API: As is

  • deviceRequest.deviceSpecific.mobile (hardwareId, simId, otherId, phoneNumber)
  • deviceRequest.deviceSpecific.mobile.mobileInfoJs
Sent in API: phoneNumber hashed (sha256). Done either via the SDK (3.10) or by the customer when not using the SDK.

  • identificationData.userName
Sent in API: Anonymized

  • identificationData.userOrg
Sent in API: As is

  • identificationData.userLoginName
Sent in API: Anonymized

  • identificationData.userCountry
Sent in API: As is

  • identificationData.userLanguage
Sent in API: As is

  • userData.lastAccountOpenDate
  • userData.lastPhoneChangeDate
  • userData.lastEmailChangeDate
  • userData.totalAvailableBalance
  • userData.totalCreditLimit
  • userData.totalCreditsUsed
Sent in API: As is

  • userData.userAddress
  • userData.userNameData
  • newUserData.userAddress
  • newUserData.userNameData
Sent in API: Anonymized

Information about the user account - Non-personal information.
  • transactionData.myAccountData.accountBalance
  • transactionData.myAccountData.accountCreditsTurnover
  • transactionData.myAccountData.accountCreditsUsed
  • transactionData.myAccountData.accountDailyLimit
  • transactionData.myAccountData.accountLastCreditGrantDate
  • transactionData.myAccountData.accountCategory
  • transactionData.myAccountData.accountCountry
  • transactionData.myAccountData.accountOpenedDate
  • transactionData.myAccountData.accountOwnershipType
  • transactionData.myAccountData.accountRelationType
  • transactionData.myAccountData.accountType
  • transactionData.myAccountData.clientDefinedAccountType
  • transactionData.myAccountData.referenceCode
Sent in API: As is

Information about the user account - Personal information.
  • transactionData.myAccountData.accountName
  • transactionData.myAccountData.accountNickName
  • transactionData.myAccountData.accountNumber
  • transactionData.myAccountData.internationalAccountNumber
  • transactionData.myAccountData.routingCode
  • transactionData.myAccountData.swiftCode
Sent in API: Anonymized

Information about the payee account - Non-personal information.
  • transactionData.otherAccountData.accountBalance
  • transactionData.otherAccountData.accountCreditsTurnover
  • transactionData.otherAccountData.accountCreditsUsed
  • transactionData.otherAccountData.accountDailyLimit
  • transactionData.otherAccountData.accountLastCreditGrantDate
  • transactionData.otherAccountData.accountCategory
  • transactionData.otherAccountData.accountCountry
  • transactionData.otherAccountData.accountOpenedDate
  • transactionData.otherAccountData.accountOwnershipType
  • transactionData.otherAccountData.accountRelationType
  • transactionData.otherAccountData.accountType
  • transactionData.otherAccountData.clientDefinedAccountType
  • transactionData.otherAccountData.referenceCode
Sent in API: As is

Information about the payee account - Personal information.
  • transactionData.otherAccountData.accountName
  • transactionData.otherAccountData.accountNickName
  • transactionData.otherAccountData.accountNumber
  • transactionData.otherAccountData.internationalAccountNumber
  • transactionData.otherAccountData.routingCode
  • transactionData.otherAccountData.swiftCode
Sent in API: Anonymized

  • eventDataList.eventData.clientDefinedAttributeList.fact
Sent in API: If PII is sent as part of this structure, the data must be anonymized.

Phone information used for OOB phone authentication.
Note: This information is sent only as part of the authentication flow and should not be sent as part of the updateUser request.
  • credentialChallengeRequestList.oobPhoneChallengeRequest.payload.phoneInfo.countryCode
  • credentialChallengeRequestList.oobPhoneChallengeRequest.payload.phoneInfo.areaCode
  • credentialChallengeRequestList.oobPhoneChallengeRequest.payload.phoneInfo.phoneNumber
  • credentialChallengeRequestList.oobPhoneChallengeRequest.payload.phoneInfo.extension
Sent in API: As is

Phone information used for OOB SMS authentication.
Note: This information is sent only as part of the authentication flow and should not be sent as part of the updateUser request.
  • credentialChallengeRequestList.oobPhoneChallengeRequest.payload.phoneInfo.countryCode
  • credentialChallengeRequestList.oobPhoneChallengeRequest.payload.phoneInfo.areaCode
  • credentialChallengeRequestList.oobPhoneChallengeRequest.payload.phoneInfo.phoneNumber
Sent in API: As is

SSN information used for KBA authentication (Lexis Nexis).
  • credentialChallengeRequestList.kbaQuestionChallengeRequest.payload.identificationNumber.identificationType
  • credentialChallengeRequestList.kbaQuestionChallengeRequest.payload.identificationNumber.identificationValue
  • credentialChallengeRequestList.kbaQuestionChallengeRequest.payload.identificationNumber.dateOfBirth
Sent in API: As is
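As an added example (not RSA's code, nor the Mobile SDK's), the following customer-side pre-processor applies the table above before a request leaves the integration: fields marked "Anonymized" receive a keyed, deterministic pseudonym (HMAC-SHA256 is our choice; the table does not prescribe a function for those fields), the mobile phone number receives the SHA-256 hash the table calls for, and "As is" fields are left untouched. The nested-dict request layout following the dotted field names, and the sample request, are assumptions.

```python
import copy
import hashlib
import hmac

# "Anonymized" paths from the table (nested-dict layout assumed); "As is" fields are untouched.
ANONYMIZED_PATHS = ("identificationData.userName", "identificationData.userLoginName",
                    "userData.userAddress", "userData.userNameData",
                    "newUserData.userAddress", "newUserData.userNameData")
# Personal fields under both transactionData.myAccountData and transactionData.otherAccountData.
PERSONAL_ACCOUNT_FIELDS = ("accountName", "accountNickName", "accountNumber",
                           "internationalAccountNumber", "routingCode", "swiftCode")
# The table prescribes SHA-256 for the mobile phone number when SDK 3.10 is not used.
MOBILE_PHONE_PATH = "deviceRequest.deviceSpecific.mobile.phoneNumber"

# Constructed sample request (not real customer data).
SAMPLE_REQUEST = {
    "identificationData": {"userName": "jdoe", "userOrg": "bank01", "userCountry": "US"},
    "deviceRequest": {"ipAddress": "203.0.113.5", "deviceSpecific": {
        "mobile": {"hardwareId": "hw-1", "phoneNumber": "+15555550100"}}},
    "transactionData": {"myAccountData": {"accountNumber": "12345678", "accountBalance": "100.00"}},
}

def pseudonym(value, key):
    """Keyed, deterministic pseudonym (HMAC-SHA256 hex) so risk assessment can still correlate."""
    return hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()

def _walk(node, path):
    """Return (parent dict, leaf key) for a dotted path, or (None, None) if absent."""
    *parents, leaf = path.split(".")
    for part in parents:
        node = node.get(part) if isinstance(node, dict) else None
    return (node, leaf) if isinstance(node, dict) and leaf in node else (None, None)

def _apply(node, path, fn):
    parent, leaf = _walk(node, path)
    if parent is not None and parent[leaf] not in (None, ""):
        value = parent[leaf]  # address/name data may be a nested structure
        parent[leaf] = ({k: fn(v) for k, v in value.items()}
                        if isinstance(value, dict) else fn(value))

def anonymize_request(request, key):
    """Return a copy of the request with every field the table marks personal replaced."""
    req = copy.deepcopy(request)
    anon = lambda v: pseudonym(v, key)
    for path in ANONYMIZED_PATHS:
        _apply(req, path, anon)
    for side in ("myAccountData", "otherAccountData"):
        for field in PERSONAL_ACCOUNT_FIELDS:
            _apply(req, f"transactionData.{side}.{field}", anon)
    _apply(req, MOBILE_PHONE_PATH, lambda v: hashlib.sha256(str(v).encode()).hexdigest())
    return req
```

The pseudonym key must be kept on the customer side and stable over time, otherwise the same user or account produces different tokens and risk assessment loses its history.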

For additional documentation, downloads, and more, visit the RSA Adaptive Authentication page on RSA Link.


EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.
