PII, PHI, PCI Data Handling
Customers can send sensitive data through OIDG to target systems. OIDG supports a standard ACORD AML model and is aware of data that is sensitive in that model. Files holding this data are always PGP encrypted at rest. They are decrypted once pulled into memory. Sensitive data is encrypted before any processing occurs in OIDG.
| Data Type | Pre OIDG Submission | Transmission to OIDG | OIDG Inbound Processing | OIDG Outbound Processing |
|---|---|---|---|---|
| PII | PII fields are not encrypted before full payload PGP encryption. | Transmitted over HTTPS (TLS 1.2) or over sFTP | Payload decrypted but PII data immediately encrypted before transit. If stored on disk, files are encrypted using Oracle private key and later deleted. TDE enabled on DB so all data at rest is encrypted. | PII data is decrypted just before PGP encrypting the entire payload using a receiver specified key and is then sent to the receiver. |
| PHI | PHI fields are not encrypted before full payload PGP encryption. | Transmitted over HTTPS (TLS 1.2) or over sFTP | Payload decrypted but PHI data immediately encrypted before transit. If stored on disk, files are encrypted using Oracle private key and later deleted. TDE enabled on DB so all data at rest is encrypted. | PHI data is decrypted just before PGP encrypting the entire payload using a receiver specified key and is then sent to the receiver. |
| PCI | PCI fields are encrypted using non-Oracle specified keys before full payload PGP encryption | Transmitted over HTTPS (TLS 1.2) or over sFTP | Payload decrypted except PCI data since key is unknown to OIDX/G. If stored on disk, files are encrypted using Oracle private key and later deleted. Data is stored encrypted. | PCI data fields remain encrypted since key is unknown to OIDX/G. Entire payload is PGP encrypted using receiver specified key and sent to the receiver. |
Customers wanting to send PCI data through OIDG must do so without any OIDG knowledge of the data. It must be encrypted before coming into OIDG and decrypted after leaving OIDG with PGP keys unknown to OIDG. OIDG does not support storage of PGP keys or any other details about encrypted PCI data using its infrastructure.