RSA Adaptive Authentication (Cloud) – What Constitutes Personal Information

Document created by RSA Product Team Employee on Feb 13, 2018. Last modified by RSA Product Team Employee on Apr 18, 2018.
Version 3

Summary:

Adaptive Authentication (Cloud) requires customers to send personal information anonymized, regardless of GDPR. No personal information may be sent in the clear to the system unless it is sent as part of the authentication flow. The tables below give examples of elements that are considered personal information and list the API fields with their definition as personal information.

Examples of PII Elements

This table provides examples of elements that are considered personal information in Adaptive Authentication (Cloud), with a brief description of how the data is used in the application.

Element / Description

User ID
    User IDs should be sent anonymized. This data is used as part of the risk assessment process.

User login ID
    User login IDs should be sent anonymized. This data is used as part of the RDP Trojan protection and for display in Case Management.

Payee information
    Payee information should be sent anonymized. The payee account and routing code are used as part of the risk assessment process. All other payee information is used for display purposes in Case Management.

User name
    User names should be sent anonymized. Currently, this data is not used, even for display purposes.

User address information
    User addresses should be sent anonymized. Currently, this data is not used, even for display purposes.

Phone numbers
    Phone numbers cannot be saved in Adaptive Authentication. Phone numbers should be sent as part of the authentication flow (Challenge Request) when using OOB phone and OOB SMS.

Mobile phone numbers
    Mobile phone numbers sent as part of the mobile application implementation:
      • Customers using the RSA Adaptive Authentication Mobile SDK must upgrade to SDK 3.10 or later. From SDK 3.10, RSA provides the ability to anonymize this information.
      • Customers not using the RSA Adaptive Authentication Mobile SDK modules are responsible for sending this information anonymized.

Custom Facts
    Custom Facts should not contain personal information in clear text. Whenever Custom Facts contain any personal information, they should be sent anonymized.

 

API Fields and Definitions as Personal Information

This table details the API fields and their definition as personal information.

Information / Sent in API

deviceRequest.ipAddress
deviceRequest.userAgent
deviceRequest.devicePrint
    Sent in API: As is

deviceRequest.deviceSpecific.mobile
  • hardwareId
  • simId
  • otherId
  • phoneNumber
    Sent in API: phoneNumber - hashed (sha256). Performed through either of these methods:
      • SDK (3.10)
      • Customer, when not using the SDK.

identificationData.username
    Sent in API: Anonymized

identificationData.userOrg
    Sent in API: As is

identificationData.userLoginName
    Sent in API: Anonymized

identificationData.userCountry
    Sent in API: As is

identificationData.userLanguage
    Sent in API: As is

userData.lastAccountOpenDate
userData.lastPhoneChangeDate
userData.lastEmailChangeDate
userData.totalAvailableBalance
userData.totalCreditLimit
userData.totalCreditsUsed
    Sent in API: As is

userData.userAddress
userData.userNameData
newUserData.userAddress
newUserData.userNameData
    Sent in API: Anonymized

Information about the user account - Non-personal information.
transactionData.myAccountData.accountBalance
transactionData.myAccountData.accountCreditsTurnover
transactionData.myAccountData.accountCreditsUsed
transactionData.myAccountData.accountDailyLimit
transactionData.myAccountData.accountLastCreditGrantDate
transactionData.myAccountData.accountCategory
transactionData.myAccountData.accountCountry
transactionData.myAccountData.accountOpenedDate
transactionData.myAccountData.accountOwnershipType
transactionData.myAccountData.accountRelationType
transactionData.myAccountData.accountType
transactionData.myAccountData.clientDefinedAccountType
transactionData.myAccountData.referenceCode
    Sent in API: As is

Information about the user account - Personal information.
transactionData.myAccountData.accountName
transactionData.myAccountData.accountNickName
transactionData.myAccountData.accountNumber
transactionData.myAccountData.internationalAccountNumber
transactionData.myAccountData.routingCode
transactionData.myAccountData.swiftCode
    Sent in API: Anonymized

Information about the payee account - Non-personal information.
transactionData.otherAccountData.accountBalance
transactionData.otherAccountData.accountCreditsTurnover
transactionData.otherAccountData.accountCreditsUsed
transactionData.otherAccountData.accountDailyLimit
transactionData.otherAccountData.accountLastCreditGrantDate
transactionData.otherAccountData.accountCategory
transactionData.otherAccountData.accountCountry
transactionData.otherAccountData.accountOpenedDate
transactionData.otherAccountData.accountOwnershipType
transactionData.otherAccountData.accountRelationType
transactionData.otherAccountData.accountType
transactionData.otherAccountData.clientDefinedAccountType
transactionData.otherAccountData.referenceCode
    Sent in API: As is

Information about the payee account - Personal information.
transactionData.otherAccountData.accountName
transactionData.otherAccountData.accountNickName
transactionData.otherAccountData.accountNumber
transactionData.otherAccountData.internationalAccountNumber
transactionData.otherAccountData.routingCode
transactionData.otherAccountData.swiftCode
    Sent in API: Anonymized

eventDataList.eventData.clientDefinedAttributeList.fact
    Sent in API: If PII information is sent as part of this structure, the data must be anonymized.

Phone information used for OOB phone authentication (Authentify).
Note: The information is sent only as part of the authentication flow and should not be sent as part of createUser or updateUser requests.
credentialChallengeRequestList.oobPhoneChallengeRequest.payload.phoneInfo.areaCode
credentialChallengeRequestList.oobPhoneChallengeRequest.payload.phoneInfo.countryCode
credentialChallengeRequestList.oobPhoneChallengeRequest.payload.phoneInfo.phoneNumber
credentialChallengeRequestList.oobPhoneChallengeRequest.payload.phoneInfo.extension
    Sent in API: As is

Phone information used for OOB SMS authentication (Authentify).
Note: The information is sent only as part of the authentication flow and should not be sent as part of createUser or updateUser requests.
credentialChallengeRequestList.acspChallengeRequestData.payload.contactList.phoneNumber
credentialChallengeRequestList.acspChallengeRequestData.payload.contactList.countryCode
credentialChallengeRequestList.acspChallengeRequestData.payload.contactList.areaCode
    Sent in API: As is

Phone information used for OOB phone authentication (TeleSign).
Note: The information is sent only as part of the authentication flow and should not be sent as part of createUser or updateUser requests.
credentialChallengeRequestList.acspChallengeRequestData.payload.phoneNo
credentialChallengeRequestList.acspChallengeRequestData.payload.extensions
    Sent in API: As is

Phone information used for OOB SMS authentication (TeleSign).
Note: The information is sent only as part of the authentication flow and should not be sent as part of createUser or updateUser requests.
credentialChallengeRequestList.acspChallengeRequestData.payload.phoneNo
    Sent in API: As is

SSN information used for KBA authentication (Lexis Nexis).
Note: The information is sent only as part of the authentication flow and should not be sent as part of createUser or updateUser requests.
CredentialManagementRequestList.KBAManagementRequest.personInfo.ssnInfo
CredentialManagementRequestList.KBAManagementRequest.personInfo.nameInfo
CredentialManagementRequestList.KBAManagementRequest.personInfo.addressInfo
CredentialManagementRequestList.KBAManagementRequest.personInfo.birthdayInfo
CredentialManagementRequestList.KBAManagementRequest.personInfo.languageInfo
    Sent in API: As is

Transaction Signing authentication - Non-personal information.
credentialChallengeRequestList.acspChallengeRequestData.payload.amount
credentialChallengeRequestList.acspChallengeRequestData.payload.estimatedDeliveryDate
credentialChallengeRequestList.acspChallengeRequestData.payload.recurringFrequency
credentialChallengeRequestList.acspChallengeRequestData.payload.schedule
credentialChallengeRequestList.acspChallengeRequestData.payload.transferMediumType
credentialChallengeRequestList.acspChallengeRequestData.payload.otherAccountData.executionSpeed
credentialChallengeRequestList.acspChallengeRequestData.payload.otherAccountData.otherAccountBankType
credentialChallengeRequestList.acspChallengeRequestData.payload.otherAccountData.otherAccountOwnershipType
credentialChallengeRequestList.acspChallengeRequestData.payload.otherAccountData.otherAccountType
    Sent in API: As is

Transaction Signing authentication - Personal information.
credentialChallengeRequestList.acspChallengeRequestData.payload.otherAccountData.accountNumber
    Sent in API: Last 4 digits of the account

 

 

For additional documentation, downloads, and more, visit the RSA Adaptive Authentication page on RSA Link.

 

EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.
