12

I wrote a pay app and as part of that, I have an HTML5 canvas where buyers can sign for credit card or goods received. I then ajax the base64 back to the server in a DB table (genius, I know). I also have a means of changing it to png for reporting and other things.

Do I need to treat the base64 image string as if it is PII and apply the same protocol? Even with a GUID as the name?

Zuzlx
  • 2
    Why store it at all? Why not send to your payment processor and then discard? I'm assuming your payment vendor is treating it as a combo of identity verification (i.e. password) + acceptance of terms (i.e. boolean flag). – amwinter Mar 24 '17 at 21:33
  • 2
    @amwinter we always need to retain the signature in case of chargeback or dispute. But that really depends on what kind of business and transaction. If the customer is using the chip card (EMV), then a signature won't be required. – Zuzlx Mar 24 '17 at 21:58

2 Answers

21

PII by definition is

any information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

And to answer your question, an image of a signature is sensitive PII, as it can be used to identify a person. As base64 encoding only obfuscates the data, that also shall be considered sensitive and nearly as unsafe as having the cleartext counterpart. You should treat the data as sensitive PII irrespective of the type of encoding and filename.

hax
  • Hmm -- almost anything can be used to identify an individual in a narrow context (birth year + zip code, for example, can deanonymize most people in many datasets). That doesn't make year of birth or zip code PII. – amwinter Mar 24 '17 at 21:28
  • 4
    @amwinter if those data can identify me personally, then by definition it is PII, no? – Sandy Chapman Mar 25 '17 at 00:10
  • 4
    @amwinter: Those are absolutely PII by any sane definition. – Kevin Mar 25 '17 at 00:36
  • 2
    @amwinter: Year of birth is PII. 1977 is of course not PII, just as "Donald" is not PII by itself. But when associated with a set of data that relates to a person, such as a user account or a list of presidential candidates, then it becomes PII. So 1977 is not PII but year of birth is. – slebetman Mar 25 '17 at 02:59
  • Sorry -- I was totally off base. Zip code is legally PII in California. You guys are right. – amwinter Mar 25 '17 at 17:55
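
The point made in the answer above, that base64 is an encoding and a GUID key hides nothing, shown as an added example (not code from the question or the answers): a Node.js check that scans table rows for values that decode to a PNG with no key involved. The function names, column names and sample rows are constructed assumptions.

```javascript
// Added example, not code from the post. Assumes Node.js (global Buffer);
// every name and sample row below is constructed for illustration.
const PNG_MAGIC = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Constructed 1x1 PNG standing in for a canvas signature.
const SAMPLE_PNG_B64 =
  "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==";

// Decode a stored value (data URL or bare base64). Returns the image facts
// recoverable without any secret, or null when the value is not a PNG.
function decodeStoredPng(value) {
  if (typeof value !== "string") return null;
  const b64 = value.replace(/^data:image\/png;base64,/, "").trim();
  if (b64.length < 32 || !/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) return null;
  const bytes = Buffer.from(b64, "base64");
  if (bytes.length < 24 || !bytes.subarray(0, 8).equals(PNG_MAGIC)) return null;
  if (bytes.toString("latin1", 12, 16) !== "IHDR") return null;
  // IHDR is always the first chunk: big-endian width at 16, height at 20.
  return { width: bytes.readUInt32BE(16), height: bytes.readUInt32BE(20), size: bytes.length };
}

// Walk rows and report every column that holds a decodable image, whatever
// the primary key or the column is named.
function findEncodedImages(rows) {
  const hits = [];
  for (const row of rows) {
    for (const [column, value] of Object.entries(row)) {
      const png = decodeStoredPng(value);
      if (png) hits.push({ id: row.id, column, ...png });
    }
  }
  return hits;
}

// Constructed rows keyed by GUID, as in the question.
const SAMPLE_ROWS = [
  { id: "3f2b8c1e-7a4d-4e9b-9c6f-0d1a2b3c4d5e", note: "goods received", sig: "data:image/png;base64," + SAMPLE_PNG_B64 },
  { id: "a81d4fae-7dec-41d0-a765-00a0c91e6bf6", note: "card declined", sig: null },
  { id: "0b6e2f94-5c3a-4d7e-8f10-9a2b4c6d8e0f", note: SAMPLE_PNG_B64, sig: "" },
];

console.log(findEncodedImages(SAMPLE_ROWS));
```

Rows flagged by a scan like this are the ones to bring under the same handling as the rest of the PII in the system.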
6

Yes, it is.

Some people have well-readable signatures (sometimes even OCR-readable), so an image of the signature is equivalent to the full name of the person who made it.

People who have unreadable signatures can be uniquely identified by cross-referencing with signatures from a different database. There are algorithms which are able to compare signature scans with pretty good accuracy.

Even with a GUID as the name?

I am not sure what you mean by that, but if you mean "create a GUID to uniquely identify each signature-image and store that", then that GUID without the image would not be PII, because you cannot tell from the GUID how the signature looks.

Philipp
  • @phillipp Sorry I wasn't clear on that. I simply meant that I'm not saving the file name as JohnDoe.png but a GUID.png, since I'm saving them by the table's primary key which is a GUID. – Zuzlx Mar 25 '17 at 06:48