The Payment Card Industry Data Security Standard (PCI DSS) is an extensive set of security requirements, developed by the major card brands such as American Express, MasterCard, JCB and Visa, that details how sensitive card information should be used, stored and handled in transmission.
With millions of credit and debit card transactions taking place daily, it is of paramount importance that organizations, especially those in the e-commerce industry, take steps to adequately protect cardholder data. While PCI DSS isn't legally binding, following it can significantly elevate an organization's security posture and prevent the loss of critical information.
Endpoint DLP Plus can aid the effort to achieve PCI DSS compliance by simplifying the implementation of security strategies that prevent the loss of cardholder information while simultaneously mitigating insider threats. By automating data discovery, classification and the deployment of data leakage prevention policies with Endpoint DLP Plus, administrators can avert data disclosure and gain precise control over the usage and transfer of all cardholder content.
As per Requirement 3 of the PCI DSS, in order to adequately safeguard sensitive card payment data, that data first has to be promptly identified.
With the data discovery capabilities of Endpoint DLP Plus, periodic scans are carried out automatically so that, as and when new data is added, it can be quickly sifted for cardholder information and labelled as sensitive. Both structured and unstructured data can be scrutinized and filtered to find sensitive items. Pinpointing financial data among the copious amounts of other information within an organization grants a high degree of data awareness. Both content-based and context-based discovery are supported: if a file contains payment card information, it is labelled sensitive by default, and if a file originates from a storage or processing application that primarily deals with financial data, it can likewise be designated as sensitive and prioritized. This helps IT technicians determine exactly which files need to meet PCI DSS security standards, so that they can concentrate their security efforts and allocate resources accordingly.
Distinguishing the type of sensitive data also helps in understanding the security measures needed to protect it. To find the different kinds of files that must be protected under PCI DSS mandates, the data classification module in Endpoint DLP Plus provides numerous pre-defined templates that can be leveraged to find all files containing credit card information. These templates cover, among others, all of the major card brands, such as American Express, Visa, MasterCard, Discover, Maestro and JCB. Along with credit card numbers, templates are also provided for locating International Bank Account Numbers (IBAN). While an IBAN does not fall directly under PCI DSS, the regulations can still apply if the IBAN also serves as a Primary Account Number (PAN). While the pre-defined templates cover credit card numbers, files can also be found using other details, such as cardholder names, by creating custom templates that use mechanisms like keyword search. For added precaution and as per organizational requirements, administrators can easily combine the available templates to find and classify all sensitive financial data covered by PCI DSS.
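The content-based discovery described above (a template that matches card numbers for each brand) boils down to three checks: a candidate digit run of the right length, a Luhn checksum, and a brand prefix. The following is an added example illustrating that logic, not Endpoint DLP Plus code or its actual templates; the brand patterns, the `SENSITIVE_LABEL` string and the sample document are assumptions constructed for the demonstration, and the sample uses published test card numbers. Findings are masked to the last four digits so that the discovery log itself does not become a store of cardholder data.

```python
import re

# Added example (not Endpoint DLP Plus code): content-based discovery of
# primary account numbers (PANs). Brand patterns are illustrative and cover
# only the common IIN/length combinations; Maestro is omitted because its
# lengths vary widely and would need a proper BIN table.
BRAND_PATTERNS = [
    ("Visa", re.compile(r"4\d{12}(?:\d{3})?")),                       # 13 or 16 digits
    ("MasterCard", re.compile(                                        # 51-55 or 2221-2720
        r"(?:5[1-5]\d{14}|2(?:22[1-9]|2[3-9]\d|[3-6]\d{2}|7[01]\d|720)\d{12})")),
    ("American Express", re.compile(r"3[47]\d{13}")),                 # 15 digits
    ("Discover", re.compile(r"6(?:011|5\d{2})\d{12}")),               # 16 digits
    ("JCB", re.compile(r"35(?:2[89]|[3-8]\d)\d{12}")),                # 3528-3589, 16 digits
]

# A candidate is 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

SENSITIVE_LABEL = "Sensitive - Cardholder Data"  # assumed label name


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def identify_brand(digits: str):
    """Return the first brand whose pattern matches the whole digit string, else None."""
    for brand, pattern in BRAND_PATTERNS:
        if pattern.fullmatch(digits):
            return brand
    return None


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so findings can be logged without exposing the PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str):
    """Scan text for Luhn-valid, brand-matching PANs; return masked findings with offsets."""
    findings = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            continue  # drops order numbers, tracking ids and mistyped PANs
        brand = identify_brand(digits)
        if brand is None:
            continue  # passes Luhn but matches no supported brand
        findings.append({"brand": brand, "masked": mask_pan(digits), "offset": m.start()})
    return findings


def classify_text(text: str):
    """Label the document as cardholder data when at least one PAN is found."""
    findings = find_pans(text)
    return {"label": SENSITIVE_LABEL if findings else "Not sensitive", "findings": findings}


# Constructed sample document using published test card numbers (not real accounts).
SAMPLE_TEXT = """Refund batch 2024-01-15
Visa 4111 1111 1111 1111
MasterCard 5555-5555-5555-4444
Amex 378282246310005
Discover 6011111111111117
JCB 3530 1113 3330 0000
Typo: 4111111111111112
Ticket 20240115, order 9999999999999999
"""

if __name__ == "__main__":
    result = classify_text(SAMPLE_TEXT)
    print(result["label"])
    for f in result["findings"]:
        print(f"{f['brand']:17} {f['masked']} at offset {f['offset']}")
```

Two of the sample lines are deliberately near misses: a number that differs from a valid Visa test number by one digit fails the Luhn check, and a 16-digit order number fails both Luhn and the brand check. Requiring both checks, rather than a bare digit-count regex, is what keeps false positives manageable in a classification scan over ordinary business documents.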
Requirement 7 of the PCI DSS states that access to sensitive cardholder information must be controlled and granted only to authorized users on a need-to-know basis.
The role-based access control capability in Endpoint DLP Plus allows admins to determine, based on task, department or project, which users can access which files. With respect to cardholder information, access can then be given only to those whose tasks or role require them to handle such data.
While role-based access control is user-based, data containerization is a strategy that can be enacted for application-based access control. In Endpoint DLP Plus, all files containing payment card information can be confined to secure applications sanctioned by the administrator for storing or processing financial data, such that all files created in or transferred from these applications are declared sensitive. Any time a user attempts to transfer sensitive financial data from a secured enterprise-grade application to an insecure application, such as a third-party messaging or social media app, the action is immediately stopped.
Access to cardholder data can also be restricted across various mediums, including web domains. Using Endpoint DLP Plus, the transfer of information to cloud services can be prevented. Email security can also be configured to prohibit users from sending PCI details to unverified email domains. These strategies help meet PCI standards by minimizing the opportunity for users to deliberately or unknowingly share sensitive data via the web, or to expose critical information to unknown malicious actors.
The device control feature within Endpoint DLP Plus also enables admins to control physical access to data. Users who are not trusted or have not been given express permission are prevented from copying cardholder information to peripheral devices such as USB flash drives. If users attempt to print physical copies of classified files instead, this action, too, can be blocked.
Endpoint DLP Plus can be leveraged to meet Requirement 10 of the PCI DSS, which is to track and audit all events in which cardholder data is accessed. Admins can configure organizational boundaries by determining which desktop applications, web domains and email addresses are permitted to store or process sensitive data. They can also determine which users are authorized to view, copy or share classified content, and all actions taken by those users are logged for review. If a user accidentally or deliberately tries to send data outside the organizational boundary, the action is blocked and an alert is subsequently sent to the admin regarding the policy breach.
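The organizational boundary described in the preceding paragraphs (sanctioned applications, trusted web and email domains, authorized users, and a logged block-and-alert outcome for everything else) can be expressed as a small policy evaluator. The following is an added example of that idea, not Endpoint DLP Plus code: the `Boundary` and `TransferEvent` structures, the channel names, the label string and the sample events are all constructed for the demonstration. Every decision, allowed or not, is written to the audit trail, because Requirement 10 is about being able to reconstruct access after the fact, not only about catching violations.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Added example (not Endpoint DLP Plus code): a minimal organizational-boundary
# policy for files labelled as cardholder data, with an audit record per decision.

CARDHOLDER_LABEL = "Sensitive - Cardholder Data"  # assumed classification label


@dataclass
class Boundary:
    trusted_apps: set          # applications sanctioned to store/process cardholder data
    trusted_web_domains: set   # web/cloud hosts allowed to receive it
    trusted_email_domains: set # recipient domains allowed to receive it
    authorized_users: set      # users whose role requires handling cardholder data


@dataclass
class TransferEvent:
    user: str
    label: str        # classification label of the file being moved
    channel: str      # "app", "web", "email", "usb" or "print"
    destination: str  # target app name, URL host, email address, or device/printer name


def _email_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def decide(event: TransferEvent, boundary: Boundary):
    """Return (decision, reason). Files not labelled as cardholder data are out of scope."""
    if event.label != CARDHOLDER_LABEL:
        return "allow", "not cardholder data"
    if event.user not in boundary.authorized_users:
        return "block", "user not authorized for cardholder data"
    if event.channel == "app":
        inside = event.destination in boundary.trusted_apps
    elif event.channel == "web":
        inside = event.destination.lower() in boundary.trusted_web_domains
    elif event.channel == "email":
        inside = _email_domain(event.destination) in boundary.trusted_email_domains
    else:
        inside = False  # usb and print: no sanctioned destination exists for cardholder data
    if inside:
        return "allow", "destination inside organizational boundary"
    return "block", f"{event.channel} destination outside organizational boundary"


def enforce(event: TransferEvent, boundary: Boundary, audit_log: list):
    """Apply the policy, append an audit record, and flag whether an admin alert is due."""
    decision, reason = decide(event, boundary)
    record = {
        "time": datetime.now(timezone.utc).isoformat(),
        "user": event.user,
        "channel": event.channel,
        "destination": event.destination,
        "decision": decision,
        "reason": reason,
        "alert": decision == "block",  # every block raises an alert to the admin
    }
    audit_log.append(record)
    return record


def run_sample():
    """Evaluate a constructed batch of transfer events and return the audit log."""
    boundary = Boundary(
        trusted_apps={"PaymentsVault", "ERP-Finance"},
        trusted_web_domains={"vault.example.com"},
        trusted_email_domains={"example.com"},
        authorized_users={"alice"},
    )
    events = [  # constructed sample events
        TransferEvent("alice", CARDHOLDER_LABEL, "app", "ERP-Finance"),
        TransferEvent("alice", CARDHOLDER_LABEL, "app", "ChatterApp"),
        TransferEvent("alice", CARDHOLDER_LABEL, "email", "auditor@example.com"),
        TransferEvent("alice", CARDHOLDER_LABEL, "email", "someone@mail.example.net"),
        TransferEvent("bob", CARDHOLDER_LABEL, "app", "ERP-Finance"),
        TransferEvent("bob", "Public", "usb", "USB-Kingston"),
        TransferEvent("alice", CARDHOLDER_LABEL, "usb", "USB-Kingston"),
    ]
    log = []
    for event in events:
        enforce(event, boundary, log)
    return log


if __name__ == "__main__":
    for record in run_sample():
        flag = " ALERT" if record["alert"] else ""
        print(f"{record['user']:6} {record['channel']:6} {record['destination']:28} "
              f"{record['decision']:6} {record['reason']}{flag}")
```

Note that the email rule compares the full recipient domain, so `mail.example.net` is outside the boundary even though it looks similar to the trusted `example.com`; matching on substrings instead of exact domains is a common way for such policies to leak.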
To determine whether the security systems or policies need adjustment, Endpoint DLP Plus provides various reports that can be analyzed for areas of improvement. Provisions such as false positive notifications and business override justifications are also provided so that minor policy modifications can be made to address user needs while still ensuring overall protection. DLP policies can be scrutinized, tested and tailored to cover specific PCI DSS guidelines in order to strengthen the applied security measures overall.
Disclaimer: Fully complying with the PCI DSS requires a variety of solutions, processes, people, and technologies. As mentioned above, endpoint security and management serves as the foundation for complying with the PCI DSS. Together with other appropriate solutions, processes, and people, endpoint management not only helps reinforce your IT security but also helps prevent data breaches. This material is provided for informational purposes only and should not be considered legal advice for PCI DSS compliance. ManageEngine makes no warranties, express, implied, or statutory, as to the information in this material.