Why Redacting Sensitive Data is Necessary for PCI Compliance
PCI compliance is about more than locking down your systems. Here's how redaction supports compliance and keeps customers safe.
The Payment Card Industry Data Security Standard (PCI-DSS) was established by the major card brands and is maintained by the PCI Security Standards Council. It defines 12 key requirements, broken down into 78 base requirements and roughly 400 test procedures.
Any company that accepts card payments, online or in person, must comply with PCI-DSS when it stores, processes, or transmits cardholder data.
Requirement 3 covers how cardholder data is stored. Requirement 3.1 (v3.2.1 numbering, used throughout this article) requires that cardholder data be kept only as long as there is a business need and then securely deleted. Requirement 3.3 requires that the primary account number (PAN) be masked whenever it is displayed, showing at most the first six and last four digits, with the full number visible only to staff who have a legitimate business need to see it.
PCI-DSS isn't a law. However, the card brands can, and do, levy fines for non-compliance, and the acquiring banks pass those fines on to their merchants.
Merchants face two kinds of fines. The first is a monthly fine for non-compliance, commonly cited at USD 5,000 to 10,000 a month for the first one to three months, rising to USD 50,000 to 100,000 a month if a company remains non-compliant for seven months or more.
The second, and stiffer, penalty applies when cardholder data is actually exposed: roughly USD 50 to 90 for every compromised card record.
That "small" fine adds up quickly. In 2013, Target failed to act on alerts from its malware detection software, and roughly 40 million payment card records were stolen in the resulting breach.
Businesses can face additional penalties at the state and federal levels. In the United States, while PCI compliance itself isn't law, the Federal Trade Commission (FTC) has treated inadequate protection of cardholder data as an unfair or deceptive practice under Section 5 of the FTC Act, and the courts have upheld that authority (FTC v. Wyndham Worldwide, 2015).
PCI-DSS requires that cardholder data be protected wherever it is stored, processed, or transmitted. Locking down the payment database and the checkout path is the obvious place to start.
However, securing storage and transmission isn't enough on its own. Cardholder data can also leak through your company's everyday business applications.
Let's look at two ways that unredacted data in email, chat, or other business productivity apps can threaten your PCI compliance.
PCI-DSS requirement 3.3 is clear: the card number must be masked wherever it is displayed. This means you're on the hook for PCI compliance even if you never store card numbers yourself, for example because you hand checkout off to a third-party processor such as Stripe. If card data reaches any of your systems, in any form, those systems are in scope, and you are responsible for securing it across all of your business's tools and processes.
Unfortunately, people take shortcuts that bypass the secure path. A customer may email their card number straight to your support desk, or an employee may paste it into a Slack channel while sorting out a billing problem.
This is a double threat to the customer's security. First, the number is exposed to people at your company who are not authorized to handle cardholder data; such insider threats are as serious a risk to your company and your customers as external attackers. Second, the number now sits in mail and chat archives that fall outside your secured storage and its retention controls, exactly what requirement 3.1 is meant to prevent.
You can cut this risk sharply by redacting the data the moment it is typed. For example, a Slack integration can watch each message for card numbers, validate the candidates, and immediately replace them with masked values before anyone else reads them.
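As an added illustration of that detection-and-masking step (example code written for this article, not Strac's product or any code from the original page), here is a small Python module that finds card numbers in a message, confirms them with the Luhn check that every PAN satisfies, and masks them to the first six and last four digits allowed by requirement 3.3. It assumes plain-text messages, that digits of a PAN may be separated by single spaces or hyphens, and that a CVV is only recognisable by the "cvv"/"cvc"/"security code" label next to it; the sample message is constructed and uses the well-known Visa test number.

```python
"""Detect card numbers (PANs) in free text and mask them to first six / last four.

Added example, not Strac's code. Assumptions: messages are plain text; digits of
a PAN may be separated by single spaces or hyphens; a Luhn-valid run of 13-19
digits is treated as a card number; CVV values are recognised only when they sit
next to a "cvv"/"cvc"/"security code" label.
"""
import re

# 13-19 digits, optionally separated by single spaces or hyphens, and not glued
# to neighbouring digits (so a 20-digit reference number is not cut into a PAN).
_PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# A CVV/CVC is 3-4 digits; detect it only via its label to limit false positives.
_CVV = re.compile(r"(?i)\b(cvv2?|cvc|security code)(\s*[:#]?\s*)(\d{3,4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum, mod 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """First six and last four visible, the rest starred (the 3.3 maximum)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_card_data(text: str) -> tuple:
    """Return (redacted_text, counts).

    Counts are returned instead of the matched values so that a caller
    cannot accidentally log the very PANs it was asked to remove.
    """
    counts = {"pan": 0, "cvv": 0}

    def pan_repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # order IDs, timestamps etc. are left untouched
        counts["pan"] += 1
        return mask_pan(digits)

    def cvv_repl(m):
        counts["cvv"] += 1
        return m.group(1) + m.group(2) + "*" * len(m.group(3))

    text = _PAN_CANDIDATE.sub(pan_repl, text)
    text = _CVV.sub(cvv_repl, text)
    return text, counts


if __name__ == "__main__":
    # Constructed sample message; 4111 1111 1111 1111 is the standard Visa test PAN.
    msg = "Card 4111 1111 1111 1111, cvv 123, order 1234567890123, call 555-123-4567"
    print(redact_card_data(msg))
```

The Luhn check is what keeps phone numbers, order IDs and timestamps out of the redaction: a 13-digit order number that fails the checksum is left alone. Note that masking for display is only half of requirement 3; wherever the PAN is actually stored it must also be rendered unreadable (truncation, tokenisation, hashing or strong encryption under requirement 3.4), and a CVV must never be stored after authorization at all.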
The other job of redaction is keeping your secure storage systems secure, in particular by preventing credentials from being exposed on the Internet.
You protect your databases and payment APIs with passwords, API keys, and certificates. But what happens when an engineer saves those credentials to a publicly reachable file, such as a Google Drive document shared with anyone who has the link?
This isn't a theoretical risk. ServiceNow suffered a massive data breach thanks to credentials hard-coded into a file on their Web site.
Detecting and redacting credentials keeps those systems secure and PCI compliant. Regularly scan all of your company's data stores, including shared drives, mail and chat archives, and any files published on your website, for passwords, API keys, private keys and certificates, and for any cardholder data that has strayed there.
Strac is a Data Loss Prevention (DLP) company that automates the redaction of sensitive data such as card numbers, CVVs, credentials, and other personally identifiable information (PII) across a growing suite of applications.
Book a demo to see it in action today!
If you have any questions or want to learn how Strac can help you comply with PCI-DSS, please book a meeting with us.