If you deal with credit card information, you must comply with the Payment Card Industry Data Security Standard (PCI DSS). This is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data.
The goal of PCI DSS is to protect customer credit card data from exposure to unauthorized people. The threat may be external hackers or trusted insiders, acting either accidentally or deliberately.
Protecting sensitive data is a serious problem. About 860 million records with sensitive information were breached between January 2005 and August 2015, according to PrivacyRights.org. That figure covers only reported breaches, so the actual number may be higher.
The PCI security standards define a series of requirements that merchants, banks and service providers need to meet to be considered compliant. They fall into different categories and consist of measures related to people, process and technology, all intended to reach the ultimate goal: protecting the actual data. The 12 requirements are:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel
There are three ongoing steps for adhering to PCI DSS:
1. Identifying all locations of cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data.
Organizations that maintain cardholder data may store it in a database or in unstructured documents on a file server, in a content management system, locally on a PC or even at a cloud provider. Discovering and classifying that unstructured data, using pattern-based and/or keyword-indexing batch scans across all PCs, repositories, and local and cloud-based storage, is the first step toward compliance.
2. Fixing identified vulnerabilities, securely removing any unnecessary cardholder data storage, and implementing secure business processes.
If you store credit card information in a database, you should encrypt the data and ensure you have a robust authentication and identity management system that limits access to authorized users. Unfortunately, as numerous data breach headlines show, many companies do not.
If you store the information in a file, or download it from the database into a file, you should encrypt the file and apply dynamic, persistent security to it as soon as you create or download it. You can trigger this either by detecting patterns in the file that indicate sensitive data or by encrypting it automatically when it is saved. Automating the process means you do not have to rely on people to judge the sensitivity of the data. The protection should go beyond letting a user open encrypted data with a password: it requires a more robust method that validates the user against a directory service and ensures every component in the chain is secure. Applying persistent controls to sensitive data keeps you in control of the information regardless of where it goes.
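Both the discovery scan in step 1 and the "detect patterns that indicate sensitive data" trigger in step 2 need the same core: a scanner that finds candidate card numbers and rejects the ones that cannot be real. The following is an added example written for this post, not a tool from the original article or any vendor. It assumes a simple candidate pattern (13 to 19 digits, optionally separated by spaces or dashes), the Luhn mod-10 check that every payment card number satisfies, an assumed list of context keywords, and a constructed CSV export whose two card numbers are the well-known public test PANs rather than real accounts.

```python
import re
from dataclasses import dataclass
from typing import List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not part of a longer run of digits (assumed pattern).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Context words that raise confidence a match is cardholder data (assumed list).
CONTEXT_KEYWORDS = ("card", "pan", "visa", "mastercard", "amex", "exp", "cvv")


def luhn_valid(digits: str) -> bool:
    """Mod-10 checksum that every real payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show at most the first six and last four digits, the most PCI DSS
    allows when a PAN is displayed (requirement 3.3)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int            # 1-based line in the scanned text
    masked: str             # masked rendering; the full PAN is never stored
    keyword_context: bool   # a card-related keyword appears on the same line


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per Luhn-valid PAN candidate in `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        lowered = line.lower()
        has_keyword = any(k in lowered for k in CONTEXT_KEYWORDS)
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append(Finding(line_no, mask_pan(digits), has_keyword))
    return findings


def needs_protection(text: str) -> bool:
    """Classification hook for step 2: True if the content holds cardholder
    data and should be encrypted and placed under persistent controls."""
    return bool(scan_text(text))


def scan_file(path: str) -> List[Finding]:
    """Step 1 discovery over one file on disk."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample export; the card numbers are the public test PANs
# 4111 1111 1111 1111 and 5555 5555 5555 4444, not real accounts.
SAMPLE_EXPORT = """\
customer_id,name,note
1001,Alice,"paid by card 4111 1111 1111 1111 exp 12/26"
1002,Bob,"tracking number 1234567890123456"
1003,Carol,"phone +1 555 0100"
1004,Dave,"PAN 5555555555554444 on file"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_EXPORT):
        print(f"line {f.line_no}: {f.masked} keyword={f.keyword_context}")
    print("needs protection:", needs_protection(SAMPLE_EXPORT))
```

Bob's 16-digit tracking number fails the Luhn check and is dropped, which is what keeps a scan of order numbers and phone numbers from drowning the real findings; the keyword flag is there so a reviewer can prioritize hits that sit next to words like "card" or "exp". Only the masked form is ever written out, so the scan report itself does not become a new store of cardholder data.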
3. Documenting assessment and remediation details, and submitting compliance reports to the acquiring bank and the card brands you do business with (or to another requesting entity if you are a service provider).
You also need a comprehensive audit trail of all actions related to accessing the sensitive data. This includes viewing, editing and printing the information, together with who did it, when, and from where. It should also let you remotely revoke access to any files containing sensitive data even after the files have been distributed. This provides a complete chain of custody for all data subject to the PCI security standards.
Being compliant with PCI DSS requires protection on the data itself. Insider threats and the escalating sophistication of external threats are putting all organizations at greater risk. Ensure you block the path to your most valuable asset: credit card data.
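An audit trail only serves as a chain of custody if the people it records cannot quietly edit it. The following added example, written for this post and not taken from the original article or any product, shows one way to make the trail tamper-evident: each entry is hashed together with the hash of the entry before it, so altering or deleting a past record breaks every link after it. It also shows how a revocation event in the same trail lets a protected file's open-time check deny access after distribution. The field names, the action vocabulary (view, edit, print, revoke) and the sample events are assumptions constructed for the example.

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS_HASH = "0" * 64          # anchor for the first entry

# Actions the trail records (assumed vocabulary for this example).
ACCESS_ACTIONS = {"view", "edit", "print"}
REVOKE_ACTION = "revoke"


def _entry_hash(prev_hash: str, body: Dict) -> str:
    """Hash the entry together with its predecessor's hash to chain them."""
    canonical = json.dumps({"prev": prev_hash, "body": body}, sort_keys=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only, hash-chained record of every action on protected files."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def record(self, actor: str, action: str, resource: str,
               location: str, at: str) -> Dict:
        """Append one event: who (actor), what (action), which file (resource),
        where (location) and when (at, an ISO-8601 timestamp)."""
        body = {"actor": actor, "action": action, "resource": resource,
                "location": location, "at": at}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {"body": body, "prev": prev, "hash": _entry_hash(prev, body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute the chain; return (True, None) or (False, first bad index)."""
        prev = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["body"]):
                return False, i
            prev = entry["hash"]
        return True, None

    def is_revoked(self, resource: str) -> bool:
        """True once a revoke event for this file has been recorded."""
        return any(e["body"]["action"] == REVOKE_ACTION and e["body"]["resource"] == resource
                   for e in self.entries)

    def custody_chain(self, resource: str) -> List[Tuple[str, str, str, str]]:
        """(when, who, action, where) for every event on one file."""
        return [(e["body"]["at"], e["body"]["actor"], e["body"]["action"], e["body"]["location"])
                for e in self.entries if e["body"]["resource"] == resource]


def access_allowed(trail: AuditTrail, resource: str, actor: str,
                   action: str, location: str, at: str) -> bool:
    """Check a protected file performs on open: deny once the file has been
    revoked, and log the attempt (allowed or denied) either way."""
    if action not in ACCESS_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    allowed = not trail.is_revoked(resource)
    trail.record(actor, action if allowed else f"denied-{action}", resource, location, at)
    return allowed


def build_sample_trail() -> AuditTrail:
    """Constructed sequence of events on one exported file (not real data)."""
    trail = AuditTrail()
    res = "card-export-2015-08.csv"
    trail.record("alice", "view", res, "workstation-12", "2015-08-30T10:00:00Z")
    trail.record("alice", "edit", res, "workstation-12", "2015-08-30T10:05:00Z")
    trail.record("bob", "print", res, "laptop-7", "2015-08-30T15:20:00Z")
    trail.record("security-admin", REVOKE_ACTION, res, "console", "2015-08-30T16:00:00Z")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain intact:", trail.verify())
    print("bob may view:", access_allowed(trail, "card-export-2015-08.csv",
                                          "bob", "view", "laptop-7", "2015-08-31T09:00:00Z"))
    trail.entries[1]["body"]["actor"] = "mallory"   # simulate an insider rewriting history
    print("after tampering:", trail.verify())
```

Two design points matter in practice. The chain detects edits and deletions inside the store, but an insider with full write access could rebuild every hash from the altered entry onward, so the latest hash should be copied on a schedule to somewhere that party cannot write (a write-once log or a separate system). And revocation after distribution only works because the protected file calls back to the policy source on every open; that callback is what makes the control "persistent" rather than a one-time password on the file.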
Photo credit: Matt Brown