
White Paper (Draft)

[Project Description] Securing Non-Credit Card, Sensitive Consumer Data: Consumer Data Security for the Retail Sector

Date Published: May 9, 2016
Comments Due: June 3, 2016 (public comment period is CLOSED)
Email Questions to: consumer-nccoe@nist.gov


Author(s): William Newhouse (NIST), Sarah Weeks (MITRE)


The National Cybersecurity Center of Excellence (NCCoE) has posted a draft Project Description on the topic of Securing Non-Credit Card, Sensitive Consumer Data.
During typical business activities, retailers easily gather sensitive data such as date of birth, address, phone number, and email address. Various internal users and external partners can use this data to accelerate business operations and revenue. The value of non-credit card, sensitive consumer data on the black market has increased; however, there are relatively few regulations or standards specific to this topic in the consumer-facing/retail industry in the United States. As seen following high-profile data breaches in the healthcare sector, personally identifiable information (PII) is valued at up to 20 times more than credit card data, with a single credit card number sold at $1 and the average individual's PII sold at $20.
This project and its example solution will help secure non-credit card, sensitive consumer data through data masking and tokenization, coupled with fine-grained access control. The goal is to improve the security of data transmitted and stored during commercial payment transactions, as well as data shared internally within a retail organization and externally with business partners.



Keywords

e-commerce; data masking; tokenization; access control; ABAC; attribute based access control; PII; retail; consumer data
Control Families

Access Control; System and Communications Protection


Draft Project Description

Supplemental Material:
Submit Comments (other)
Project Homepage (other)

Document History:
05/09/16: White Paper (Draft)

