February 23, 2023 · 5 min read

Why Redacting Sensitive Data is Necessary for PCI Compliance

PCI compliance is about more than locking down your systems. Here's how redaction supports compliance and keeps customers safe.

TL;DR:

  • PCI-DSS is a standard for handling credit card data that all companies accepting online payments must implement.
  • Non-compliance can result in monthly fines and penalties for data breaches.
  • Redaction of sensitive data is necessary for PCI compliance to prevent insider threats and exposure of credentials.
  • Strac is a DLP (Data Loss Prevention) company that automates redaction of sensitive data like credit card numbers across various applications (SaaS, cloud apps, etc.).
  • Book a demo with Strac to learn more about how they can help with PCI compliance.

What is PCI Compliance?

The Payment Card Industry Data Security Standard (PCI-DSS) is a standard established and maintained by the credit card industry for their merchants. It defines a set of 12 key requirements, along with 78 base requirements and 400 test procedures.

Any company that accepts credit card payments online must implement the PCI-DSS standard for the storing and handling of credit card data. Some of the requirements include:

  • Implementing and maintaining proper overall security, such as creating a firewall, implementing proper password protection, and installing anti-virus software
  • Encrypting credit card data both at rest (i.e., when stored in a database) and in transit (i.e., being sent over the Internet)
  • Restricting both physical and virtual access to sensitive customer data

Specifically, PCI-DSS requirement three directs companies on how to handle storing credit card data. Requirement 3.1 specifies that companies must remove cardholder data that has exceeded its retention period. And requirement 3.3 specifies that the card number should never be displayed openly but should always be masked, or redacted.

The costs of ignoring PCI compliance

PCI-DSS isn't a law. However, credit card companies can (and do) pass fines on to their merchants for non-compliance.

Merchants can be assessed two types of fines. The first is a monthly fine for non-compliance. This can start between USD $5,000 to $10,000 a month for the first 1-3 months. If a company remains noncompliant for 7 or more months, fines can rise to between $50,000 and $100,000.

However, merchants can be assessed even stiffer penalties if customer credit card data is exposed. Fines for exposure are around $50 to $90 per data breach.

That "small" fine can add up quickly. In 2013, Target failed to heed warnings from its malware detection software. They lost 40 million customer records in the resulting data breach.

Businesses can suffer additional penalties at the local and national levels as well. In the United States, while PCI compliance isn't law, the Federal Trade Commission (FTC) can enforce it through court precedent.

How redaction helps with PCI compliance

PCI-DSS requires that all customer credit card data be stored and transmitted securely. Businesses can start on the road to compliance by implementing the PCI-DSS standards.

However, it's not enough to implement secure credit card storage and transmission. Sensitive data can also leak via your company's business applications.

Let's look at two cases where unredacted data sent via email, chat, or other business productivity apps can threaten your company's PCI compliance.  

Redaction of credit card data from business applications for PCI compliance

PCI-DSS section 3.2 is clear: credit card data always needs to be masked or redacted. This means you're on the hook for PCI compliance even if you don't store credit card data directly (for example, if you use a third-party processor such as Stripe). If you handle credit card data in any way, shape, or form, you're responsible for securing it across all of your business's tools and processes.

Unfortunately, people sometimes take shortcuts that bypass secure storage systems. For example, users may send their credit card information directly to you via e-mail. Or they may paste it into a Slack chat.

This represents a double threat to the user's security. First, they may expose their information to someone at your company who's not authorized to access credit card data. Such insider threats are as serious a risk to your company and customers as external hackers.

You can eliminate this risk by redacting information as soon as a user attempts to type it. For example, you can set up redaction on communication channels like Slack to detect the presence of credit card information and immediately replace it with redacted values.


Tools like Strac can assist with PCI compliance by redacting credit card information immediately.

Redaction of sensitive systems information from business applications for PCI compliance

The other role of redaction is ensuring your secure storage systems remain secure. In particular, redaction can prevent the significant security risk of exposing sensitive credentials on the Internet.

You protect your database systems and sensitive payment APIs via security measures such as passwords, API keys, and certificates. But what happens when an engineer saves these credentials to a publicly available file, like a Google Drive file shared with the public?  

Uploading documents to the Internet with credentials could compromise your PCI compliance.

This isn't a theoretical risk. ServiceNow suffered a massive data breach thanks to credentials hard-coded into a file on their Web site.

Detection and redaction of credentials help keep your systems secure and PCI compliant. You should regularly scan all of your company's data stores for:

  • Credentials located in files; and
  • Overprivileged access - particularly folders in shared drives or cloud storage that are open to the public.
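As an added example of the two checks just listed (written for this article; not Strac's scanner or any code from the original post), the following walks a directory tree, flags lines that match a few credential patterns, reports each hit with the secret masked, and records whether the file is world-readable as a local-filesystem stand-in for "open to the public". The patterns and the demo files are constructed for illustration; `AKIAIOSFODNN7EXAMPLE` is the placeholder access key id from AWS's own documentation, and the private key body is fake text, not key material.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Illustrative rule set (real scanners ship far more patterns and entropy checks).
CREDENTIAL_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)(password|passwd|api[_-]?key|secret)\s*[=:]\s*['\"]?([^\s'\"]+)"
    ),
}
SKIP_SUFFIXES = {".png", ".jpg", ".gif", ".zip", ".gz", ".pdf"}


def mask(value: str, keep: int = 4) -> str:
    """Keep only the last few characters so a report never re-leaks the secret."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]


def world_readable(path: Path) -> bool:
    """Local analogue of a publicly shared drive file: the 'other' read bit is set."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def scan_file(path: Path) -> list:
    findings = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    exposed = world_readable(path)
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in CREDENTIAL_PATTERNS.items():
            for m in pattern.finditer(line):
                if name == "private_key_block":
                    preview = "<key material>"
                else:
                    preview = mask(m.group(m.lastindex) if m.lastindex else m.group(0))
                findings.append({"file": str(path), "line": lineno, "type": name,
                                 "preview": preview, "world_readable": exposed})
    return findings


def scan_tree(root) -> list:
    """Scan every regular text-like file under root and return all findings."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() not in SKIP_SUFFIXES:
            findings.extend(scan_file(path))
    return findings


def build_demo_tree() -> str:
    """Create a constructed sample tree with three planted credentials and one clean file."""
    root = Path(tempfile.mkdtemp(prefix="pci-scan-demo-"))
    (root / "config").mkdir()
    (root / "config" / "db.env").write_text("DB_PASSWORD=hunter2-constructed\n")
    os.chmod(root / "config" / "db.env", 0o600)
    (root / "notes").mkdir()
    (root / "notes" / "deploy.txt").write_text(
        "aws key AKIAIOSFODNN7EXAMPLE for the payment uploader\n")
    (root / "keys").mkdir()
    (root / "keys" / "id_rsa").write_text(
        "-----BEGIN RSA PRIVATE KEY-----\nFAKE-KEY-BODY-CONSTRUCTED\n-----END RSA PRIVATE KEY-----\n")
    (root / "README.md").write_text("No secrets here, order 1234.\n")
    (root / "logo.png").write_bytes(b"\x89PNG not scanned")
    return str(root)


if __name__ == "__main__":
    for f in scan_tree(build_demo_tree()):
        print(f"{f['file']}:{f['line']} {f['type']} {f['preview']} public={f['world_readable']}")
```

The report deliberately carries only a masked preview: a scan result that contains the full secret is itself a file that would need redacting. Redacting the matched value in place, rather than only reporting it, is the next step and the one the article attributes to a DLP tool.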

Automate redaction for PCI compliance

Strac is a Data Loss Prevention (DLP) company that automates redaction of sensitive data like credit card numbers, CVVs, credentials, and other personally identifiable information (PII) across a growing suite of applications.

Book a demo to see it in action today!

Any questions?

If you have any questions or want to learn how Strac can help you comply with PCI-DSS, please book a meeting with us.

Founder, Strac. ex-Amazon Payments Infrastructure (Widget, API, Security) Builder for 11 years.
