Personally Identifiable Information (PII) is a category of sensitive information that is associated with an individual person, such as an customer. PII should be accessed only on a strictly need-to-know basis and handled and stored with care.
Protecting sensitive data is a shared responsibility. You are responsible for ensuring that your use of permitted services complies with laws, regulations, and policies where applicable.
PII is information that can be used to uniquely identify, contact, or locate a single person. Personal information that is “de-identified” (maintained in a way that does not allow association with a specific person) is not considered sensitive.
Amazon recently updated its MWS API Data Protection policies. These updates are security requirements that limit access to personally identifiable information (PII) for Amazon buyers. These updates affect all service providers that use the MWS API.
What Amazon Is Changing:
Amazon’s new security requirements now limit access to buyers’ personally identifiable information (PII). Access to information such as buyer name, recipient name, and shipping address are now only granted on a must-have basis, primarily for tax and merchant-fulfilled shipping purposes.
Additional Security Requirements Specific to Personally Identifiable Information
The following additional Security Requirements must be met for all Personally Identifiable Information (“PII”). PII is granted to MWS developers for select tax and merchant fulfilled shipping purposes, on a must-have basis. If a Marketplace API contains PII, or PII is combined with non-PII, then the entire data store must comply with the following requirements:
- Developers/application will retain customer identifiable data like customer name, address etc hat are required for Order Fulfillment must only be store for upto 30 days and it must be deleted after that.
- Application operator must be provided with fine-grained access to the application on “need-to-know” basis. No access to customer data shall be provided to operator if he is not required to fulfill orders.
- All the API calls to Amazon MWS must be encrypted using industry best practice standards (e.g. using either AES-128, AES-256, or RSA with 2048-bit key size (or higher) and must be logged and should not contain any PII data. A log system must be used to monitor access and authorization, intrusion attempts, and configuration changes. Logs will be stored for at least 90 days.
- Data Protection – Customer data must not be transferred outside the company and to be not be distributed to any other party and must not store PII in removable media (e.g., USB) or unsecured public cloud applications (e.g., public links made available through Google Drive) .
- Periodic audit of the system to prevent data leakage.
If your application is integrated with Amazon MWS and want to know more about the Amazon Data Protection Policy or want our consultation for implementing the Amazon DPP policy, feel free to contact us.