PCI DSS Compliance - The data discovery route to successful strategy
The Payment Card Industry Data Security Standard (PCI DSS) was established to create a secure environment in which consumers can shop online with confidence, reducing the data risk that comes with the growth of internet shopping and with potentially insecure wireless technologies. By Gerard Curtin
Essentially, PCI DSS is a set of security requirements, measures, and controls developed to help merchants and service providers implement the safeguards needed for secure card payments and for the protection of cardholder information.
In theory, the PCI process may appear to be a clear-cut route to compliance. For organizations starting out on the PCI DSS path, however, the reality is often daunting, because they commonly struggle to identify the sensitive data that needs protection. Data protection tooling often fails to recognize where a company's data resides and which classes of data must be treated as sensitive.
PCI DSS entities collect cardholder data from multiple sources (e-mail, web forms, web services), but organizations are often unable to demonstrate to assessors that appropriate security measures are in place to protect that data throughout its lifecycle, i.e. how the information is collected and where it comes to rest.
Discovering where cardholder data is stored is the first step towards a sound data protection programme and a successful PCI DSS strategy. The discovery problem is especially acute for cardholder data because PCI DSS requires organizations to protect it wherever it is stored, processed or transmitted; every such location is part of the in-scope cardholder data environment, including the copies nobody knew about.
The first step for any organization is to map out where cardholder data (CHD) resides on its systems, which requires mapping the organization's whole ecosystem. How many business units are involved in processing, transmitting or storing CHD? What third parties are involved in the process, if any, and if so, what CHD can they see and how? Where is CHD located on your systems? The process should deliver:
• documentation of your ecosystem
• documentation of the CHD data flow
• demonstrable control over where the data is
• continuous monitoring of the data within the environment
PCI DSS clearly defines the data in scope (cardholder data such as the PAN, and the sensitive authentication data that must never be stored after authorization), yet organizations undertaking the compliance process too often launch a much broader data protection or DLP programme before realizing that their most important requirement is clear visibility of that data, delivered through manageable reporting with actionable results.
Gerard Curtin is CEO of Irish software security solutions company PixAlert and is a leading security specialist in network data discovery and image detection management.