RSA Adaptive Authentication (Cloud) – What Constitutes Personal Information

Document created by RSA Product Team Employee on Feb 13, 2018. Last modified by RSA Link Team on Jun 13, 2018.
Version 8

Summary:

Adaptive Authentication (Cloud) requires customers to send personal information anonymized, regardless of GDPR. No personal information can be sent to the system in clear text unless it is sent as part of the authentication flow. The tables below provide examples of elements that are considered personal information and list the API fields with their definition as personal information.
Note: It is the customers' responsibility to inform RSA when implementing any change that stops sending specific PII data in clear text, and to request that RSA delete the historical data.

Examples of PII Elements

This table provides examples of elements that are considered personal information in Adaptive Authentication (Cloud), with a brief description of how the data is used in the application.

Element: User ID
Description: User IDs should be sent anonymized. This data is used as part of the risk assessment process.

Element: User login ID
Description: User login IDs should be sent anonymized. This data is used as part of the RDP Trojan protection and for display in Case Management.

Element: Payee information
Description: Payee information should be sent anonymized. The payee account and routing code are used as part of the risk assessment process. All other information is used for display purposes in Case Management.

Element: User name
Description: User names should be sent anonymized. Currently, this data is not used even for display purposes.

Element: User address information
Description: User addresses should be sent anonymized. Currently, this data is not used even for display purposes.

Element: Phone numbers
Description: Phone numbers cannot be saved in Adaptive Authentication. Phone numbers should be sent as part of the authentication flow (Challenge Request) when using OOB phone and OOB SMS. Phone numbers should not be sent as part of createUser or updateUser requests.

Note: To meet GDPR requirements, RSA Adaptive Authentication (Cloud) saves only the last four digits of the phone numbers that are received in the authentication flow. As a result, after performing a Lookup User in the Case Management application and the results are displayed in the View Case page, the Challenge Details section displays only the last four digits of the end-user phone number in the Contact Details column.

Disclaimer: These GDPR changes are part of the Adaptive Authentication (Cloud) 13.1 upcoming patch release, which was released to UAT on May 6th and is scheduled to be released to Production on May 13th (US).

Element: Mobile phone numbers
Description: Mobile phone numbers are sent by the mobile application implementation as part of the device identifier (called the Device Element):

  • Customers using the RSA Adaptive Authentication Mobile SDK must upgrade to SDK 3.10 or later. From SDK 3.10, RSA provides the ability to anonymize this information. Since mobile phone numbers are not hashed by default, customers must use the available configuration parameter to hash the collected mobile phone numbers. For more information on hashing the mobile phone numbers collected by the SDK, see the RSA Adaptive Authentication Mobile SDK Modules 3.10 – Mobile Data Collection Module documentation. In addition, from the RSA Adaptive Authentication (Cloud) May 13th patch, phone numbers collected by an SDK version earlier than 3.10 are not saved or used in Adaptive Authentication, because these numbers are in clear text.
  • Customers not using the RSA Adaptive Authentication Mobile SDK Modules are responsible for sending this information anonymized.

Note: This note is relevant for customers implementing any one of these use cases:

  1. Customers that have upgraded to SDK 3.10 and hash the phoneNumber parameter as required.
  2. Customers using an SDK version earlier than 3.10, whose phone numbers are no longer saved in Adaptive Authentication (Cloud).
  3. Customers who are not using the SDK and start sending the data anonymized.

In any of the above scenarios, the system resets some CRE mobile profiles. This can lead to history data loss and cause risk score instabilities. In addition, device management and binding are impacted by the history data loss, and every mobile device is considered a new device.

Element: Custom Facts
Description: Custom Facts should not contain personal information in clear text. Whenever Custom Facts contain any personal information, they should be sent anonymized.

Note: When Custom Facts contain PII and are anonymized, ensure that the fact type of the applicable Custom Fact is set to String in the Policy Management application of the Back Office. This is configured in the Management Custom Facts page by setting the Fact Type column to String.

API Fields and Definitions as Personal Information

This table details the API fields and their definition as personal information.

Adaptive Authentication (Cloud) supports using a number of anonymization methods. For more information on the anonymization methods supported, see Understanding the Anonymization Requirements of Personally Identifiable Information (PII) in the API Reference Guide.

Note:

  • RSA recommends using SHA-256 as the anonymization method. In the table below, the fields marked as Anonymized in the Sent in API column have an asterisk (*) beside them to emphasize this point.
  • For more information on whether a different anonymization method can be used, contact RSA Customer Support.

Information:
  • deviceRequest.ipAddress
  • deviceRequest.userAgent
  • deviceRequest.devicePrint
Sent in API: As is

Information:
  • deviceRequest.deviceSpecific.mobile (hardwareId, simId, otherId, phoneNumber)
  • deviceRequest.deviceSpecific.mobile.mobileInfoJs
Sent in API: phoneNumber hashed (sha256). Performed through either of these methods:
  • SDK (3.10)
  • Customer, when not using the SDK.

Information: identificationData.userName
Sent in API: Anonymized*

Information: identificationData.userOrg
Sent in API: As is

Information: identificationData.userLoginName
Sent in API: Anonymized*

Information: identificationData.userCountry
Sent in API: As is

Information: identificationData.userLanguage
Sent in API: As is

Information:
  • userData.lastAccountOpenDate
  • userData.lastPhoneChangeDate
  • userData.lastEmailChangeDate
  • userData.totalAvailableBalance
  • userData.totalCreditLimit
  • userData.totalCreditsUsed
Sent in API: As is

Information:
  • userData.userAddress.addressLastUpdateDate
  • userData.userAddress.addressSetDate
  • userData.userNameData.nameLine
  • newUserData.userAddress.addressLastUpdateDate
  • newUserData.userAddress.addressSetDate
  • newUserData.userNameData.nameLine
Sent in API: As is

Information:
  • userData.userAddress.country
  • userData.userAddress.postalCode
  • userData.userAddress.region
  • userData.userNameData.firstName
  • userData.userNameData.lastName
  • userData.userNameData.middleName
  • userData.userNameData.prefix
  • userData.userNameData.suffix
  • userData.userNameData.title
  • newUserData.userAddress.country
  • newUserData.userAddress.postalCode
  • newUserData.userAddress.region
  • newUserData.userNameData.firstName
  • newUserData.userNameData.lastName
  • newUserData.userNameData.middleName
  • newUserData.userNameData.prefix
  • newUserData.userNameData.suffix
  • newUserData.userNameData.title
Sent in API: Anonymized*

Information: Information about the user account - Non-personal information.
  • transactionData.myAccountData.accountBalance
  • transactionData.myAccountData.accountCreditsTurnover
  • transactionData.myAccountData.accountCreditsUsed
  • transactionData.myAccountData.accountDailyLimit
  • transactionData.myAccountData.accountLastCreditGrantDate
  • transactionData.myAccountData.accountCategory
  • transactionData.myAccountData.accountCountry
  • transactionData.myAccountData.accountOpenedDate
  • transactionData.myAccountData.accountOwnershipType
  • transactionData.myAccountData.accountRelationType
  • transactionData.myAccountData.accountType
  • transactionData.myAccountData.clientDefinedAccountType
  • transactionData.myAccountData.referenceCode
Sent in API: As is

Information: Information about the user account - Personal information.
  • transactionData.myAccountData.accountName
  • transactionData.myAccountData.accountNickName
  • transactionData.myAccountData.accountNumber
  • transactionData.myAccountData.internationalAccountNumber
  • transactionData.myAccountData.routingCode
  • transactionData.myAccountData.swiftCode
Sent in API: Anonymized*

Information: Information about the payee account - Non-personal information.
  • transactionData.otherAccountData.accountBalance
  • transactionData.otherAccountData.accountCreditsTurnover
  • transactionData.otherAccountData.accountCreditsUsed
  • transactionData.otherAccountData.accountDailyLimit
  • transactionData.otherAccountData.accountLastCreditGrantDate
  • transactionData.otherAccountData.accountCategory
  • transactionData.otherAccountData.accountCountry
  • transactionData.otherAccountData.accountOpenedDate
  • transactionData.otherAccountData.accountOwnershipType
  • transactionData.otherAccountData.accountRelationType
  • transactionData.otherAccountData.accountType
  • transactionData.otherAccountData.clientDefinedAccountType
  • transactionData.otherAccountData.referenceCode
Sent in API: As is

Information: Information about the payee account - Personal information.
  • transactionData.otherAccountData.accountName
  • transactionData.otherAccountData.accountNickName
  • transactionData.otherAccountData.accountNumber
  • transactionData.otherAccountData.internationalAccountNumber
  • transactionData.otherAccountData.routingCode
  • transactionData.otherAccountData.swiftCode
Sent in API: Anonymized*

Information: eventDataList.eventData.clientDefinedAttributeList.fact
Sent in API: If PII is sent as part of this structure, the data must be anonymized*.

Information: Phone information used for OOB phone authentication (Authentify).
Note: The information is sent only as part of the authentication flow and should not be sent as part of createUser or updateUser requests. This ensures that you comply with the cloud license agreement, as phone numbers cannot be saved in Adaptive Authentication.
  • credentialChallengeRequestList.oobPhoneChallengeRequest.payload.phoneInfo.areaCode
  • credentialChallengeRequestList.oobPhoneChallengeRequest.payload.phoneInfo.countryCode
  • credentialChallengeRequestList.oobPhoneChallengeRequest.payload.phoneInfo.phoneNumber
  • credentialChallengeRequestList.oobPhoneChallengeRequest.payload.phoneInfo.extension
Sent in API: As is

Information: Phone information used for OOB SMS authentication (Authentify).
Note: The information is sent only as part of the authentication flow and should not be sent as part of createUser or updateUser requests. This ensures that you comply with the cloud license agreement, as phone numbers cannot be saved in Adaptive Authentication.
  • credentialChallengeRequestList.acspChallengeRequestData.payload.contactList.phoneNumber
  • credentialChallengeRequestList.acspChallengeRequestData.payload.contactList.countryCode
  • credentialChallengeRequestList.acspChallengeRequestData.payload.contactList.areaCode
Sent in API: As is

Information: Phone information used for OOB phone authentication (TeleSign).
Note: The information is sent only as part of the authentication flow and should not be sent as part of createUser or updateUser requests. This ensures that you comply with the cloud license agreement, as phone numbers cannot be saved in Adaptive Authentication.
  • credentialChallengeRequestList.acspChallengeRequestData.payload.phoneNo
  • credentialChallengeRequestList.acspChallengeRequestData.payload.extensions
Sent in API: As is

Information: Phone information used for OOB SMS authentication (TeleSign).
Note: The information is sent only as part of the authentication flow and should not be sent as part of createUser or updateUser requests. This ensures that you comply with the cloud license agreement, as phone numbers cannot be saved in Adaptive Authentication.
  • credentialChallengeRequestList.acspChallengeRequestData.payload.phoneNo
Sent in API: As is

Information: SSN information used for KBA authentication (Lexis Nexis).
Note: The information is sent only as part of the authentication flow and should not be sent as part of createUser or updateUser requests. This ensures that you comply with the cloud license agreement, as SSN information cannot be saved in Adaptive Authentication.
  • CredentialManagementRequestList.KBAManagementRequest.personInfo.ssnInfo
  • CredentialManagementRequestList.KBAManagementRequest.personInfo.nameInfo
  • CredentialManagementRequestList.KBAManagementRequest.personInfo.addressInfo
  • CredentialManagementRequestList.KBAManagementRequest.personInfo.birthdayInfo
  • CredentialManagementRequestList.KBAManagementRequest.personInfo.languageInfo
Sent in API: As is

Information: Transaction Signing authentication - Non-personal information.
  • credentialChallengeRequestList.acspChallengeRequestData.payload.amount
  • credentialChallengeRequestList.acspChallengeRequestData.payload.estimatedDeliveryDate
  • credentialChallengeRequestList.acspChallengeRequestData.payload.recurringFrequency
  • credentialChallengeRequestList.acspChallengeRequestData.payload.schedule
  • credentialChallengeRequestList.acspChallengeRequestData.payload.transferMediumType
  • credentialChallengeRequestList.acspChallengeRequestData.payload.otherAccountData.executionSpeed
  • credentialChallengeRequestList.acspChallengeRequestData.payload.otherAccountData.otherAccountBankType
  • credentialChallengeRequestList.acspChallengeRequestData.payload.otherAccountData.otherAccountOwnershipType
  • credentialChallengeRequestList.acspChallengeRequestData.payload.otherAccountData.otherAccountType
Sent in API: As is

Information: Transaction Signing authentication - Personal information.
  • credentialChallengeRequestList.acspChallengeRequestData.payload.otherAccountData.accountNumber
Sent in API: Last 4 digits of the account
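The following Python is an added example, not RSA's code: it applies the Sent in API rules from the table above to a request on the customer side before the request is built. It assumes the request is modelled as a nested dict keyed by the API field names (the actual wire format is not shown here) and covers only a subset of the table's fields.

```python
import copy
import hashlib

def sha256_hex(value: str) -> str:
    """Anonymize one value with SHA-256, the method RSA recommends."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def last_four(value: str) -> str:
    return value[-4:]   # Transaction Signing accountNumber: only the last 4 digits are sent

# Transform per field, taken from the "Sent in API" column (subset of the table).
FIELD_RULES = {
    "identificationData.userName": sha256_hex,
    "identificationData.userLoginName": sha256_hex,
    "userData.userNameData.firstName": sha256_hex,
    "userData.userNameData.lastName": sha256_hex,
    "transactionData.myAccountData.accountNumber": sha256_hex,
    "transactionData.otherAccountData.accountNumber": sha256_hex,
    "credentialChallengeRequestList.acspChallengeRequestData.payload.otherAccountData.accountNumber": last_four,
}
# Phone fields allowed only in the authentication (challenge) flow, never in createUser/updateUser.
CHALLENGE_ONLY_PATHS = (
    "credentialChallengeRequestList.oobPhoneChallengeRequest.payload.phoneInfo.phoneNumber",
    "credentialChallengeRequestList.acspChallengeRequestData.payload.phoneNo",
)

def _get(node, path):
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def _set(node, path, value):
    keys = path.split(".")
    for key in keys[:-1]:
        node = node[key]
    node[keys[-1]] = value

def anonymize_request(request: dict, operation: str) -> dict:
    """Copy of request with PII fields transformed; phone data rejected outside the challenge flow."""
    out = copy.deepcopy(request)
    for path, transform in FIELD_RULES.items():
        value = _get(out, path)
        if isinstance(value, str) and value:   # absent or empty fields are left alone
            _set(out, path, transform(value))
    if operation in ("createUser", "updateUser"):
        for path in CHALLENGE_ONLY_PATHS:
            if _get(out, path) is not None:
                raise ValueError(f"{path} must not be sent in {operation}")
    return out
```

Fields the table marks "As is" (userOrg, account balances, the challenge-flow phone fields) pass through untouched, and the original dict is never modified.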

 

 

For additional documentation, downloads, and more, visit the RSA Adaptive Authentication page on RSA Link.

 

EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.
