NIST guide provides new standard for PII protection

The National Institute of Standards and Technology has released a new encryption standard that looks to improve safeguards for sensitive data, like credit card numbers or health information.

The National Institute of Standards and Technology has released a new encryption standard to improve safeguards for sensitive data, like credit card numbers and health information.

The guide, NIST SP 800-38G, creates standards for “format-preserving encryption,” which makes long strings of numbers indecipherable in both binary and decimal formats. Previously NIST standards were only applicable to binary data; it wasn’t technically feasible to encrypt decimals while also allowing computer programs to read a number in its original format.

Using this encryption method allows enterprises to encrypt sensitive data without completely overhauling their existing IT infrastructures. Heartland Payments Systems switched to format-preserving encryption after a 2009 hack, which saw more than 130 million credit and debit card numbers compromised.

While the encryption method will be primarily used to make encrypted credit card numbers unrecognizable from unencrypted ones, NIST believes another potential application is the “anonymizing” of personally identifiable information from databases, particularly those containing sensitive medical information.


“Databases of this sort are invaluable for researching the effects of different treatment methods on diseases, for example, but they often use social security numbers to identify individual patients and can contain other personal information,” NIST said in a release. “FPE encryption could handle this problem as well, though [guide author Miles] Dworkin stresses that in this case the approach would not necessarily be foolproof.”

“FPE can facilitate statistical research while maintaining individual privacy, but patient re-identification is sometimes possible through other means,” Dworkin said in a statement. “You might figure out who someone is if you look at their other characteristics, especially if the patient sample is small enough. So it’s still important to be careful who you entrust the data with in the first place.”

The standards for this form of encryption have been in the works for years, with NIST holding two public comment periods related to the guide over the past seven years. Numerous private companies helped developed the standard, as FPE has been used in the commercial sector for some time.

“As organizations and government agencies demand new data-centric security approaches that mitigate risks without stifling business strategies, vendors have rushed to market with a range of proprietary methods that are unproven and not peer-reviewed,” Mark Bower, global director of product management at Hewlett Packard Enterprise, said in a release. “The NIST standard is critical in setting the bar to ensure organizations are maintaining regulatory and audit compliance, as well as using proven methods to protect against a data breach.”

Robert Carr — the chairman and CEO of Heartland Payments Systems, which uses HPE’s technology — said in the release this type of encryption could help the government protect the vast troves of PII it handles on a daily basis.


“As one of the earliest victims of massive cybercrime affecting millions of cards, Heartland Payment Systems implemented cutting-edge technology to remediate the situation,” said Carr, who also serves on the National Infrastructure Advisory Council. “I hope the federal government incorporates this type of technology for protecting vast amounts of sensitive data in disparate systems.”

The full guide is available on NIST’s website.

Greg Otto

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.

Latest Podcasts