February 23, 2023 | 5 min read

Why Redacting Sensitive Data is Necessary for PCI Compliance

PCI compliance is about more than locking down your systems. Here's how redaction supports compliance and keeps customers safe.


TL;DR

  • PCI-DSS is the card industry's standard for handling payment card data. It applies to every organization that stores, processes, or transmits cardholder data, not only those that take payments online.
  • Non-compliance can result in monthly fines, and a breach of card data brings additional per-record penalties.
  • Redacting sensitive data supports PCI compliance by keeping card numbers out of the hands of staff who have no business need to see them (an insider risk) and out of systems such as email and chat that were never built to hold card data.
  • Strac is a DLP (Data Loss Prevention) company that automates redaction of sensitive data such as credit card numbers across SaaS and cloud applications.
  • Book a demo with Strac to learn more about how they can help with PCI compliance.

What is PCI Compliance?

The Payment Card Industry Data Security Standard (PCI-DSS) is a standard established and maintained by the major card brands for the merchants and service providers that handle their cards. It is organized into 12 key requirements, which the standard breaks down into 78 base requirements and roughly 400 test procedures.

Any company that stores, processes, or transmits credit card data, whether online or in person, must implement the PCI-DSS standard. Some of the requirements include:

  • Implementing and maintaining baseline security controls, such as a properly configured firewall, strong authentication and password policies, and anti-malware software
  • Protecting credit card data both at rest (for example, when stored in a database) and in transit (for example, when sent over the Internet), with encryption or equivalent controls
  • Restricting both physical and logical access to sensitive customer data to those with a business need

Requirement 3 specifically governs stored cardholder data. Requirement 3.1 (numbered 3.2.1 in PCI DSS v4.0) directs companies to keep cardholder data storage to a minimum and to delete cardholder data once it has exceeded its retention period. Requirement 3.3 (3.4.1 in v4.0) requires that the card number, or PAN, be masked whenever it is displayed, with at most the first six and last four digits visible, so that only personnel with a legitimate business need ever see the full number.

The costs of ignoring PCI compliance

PCI-DSS isn't a law. However, the card brands can, and do, fine acquiring banks for non-compliance, and the banks pass those fines on to their merchants.

Merchants can be assessed two types of fines. The first is a monthly fine for non-compliance. This typically starts at USD $5,000 to $10,000 a month for the first 1-3 months. If a company remains non-compliant for 7 or more months, fines can rise to between $50,000 and $100,000 a month.

Merchants face even stiffer penalties if customer credit card data is actually exposed. Fines for exposure are commonly cited at around $50 to $90 per compromised cardholder record, on top of the cost of reissuing cards and any fraud losses.

That "small" per-record fine adds up quickly. In 2013, Target failed to act on alerts from its malware detection software. About 40 million payment card records were stolen in the resulting data breach.

Businesses can suffer additional penalties at the state and federal levels as well. In the United States, while PCI compliance isn't law, the Federal Trade Commission (FTC) has used its authority over unfair and deceptive business practices to take action against companies whose card-data security fell short of what they promised customers.

How redaction helps with PCI compliance

PCI-DSS requires that all customer credit card data be stored and transmitted securely. Encrypting your payment database and your payment traffic covers the systems you designed to handle card data.

However, securing those systems is not enough. Card data can also leak through your company's everyday business applications, which were never designed for it.

Let's look at how unredacted data sent via email, chat, or other business productivity apps can threaten your company's PCI compliance.

PCI-DSS is clear: wherever a card number is displayed, it must be masked (Requirement 3.3 in v3.2.1, 3.4.1 in v4.0), and it may only be stored where you have a documented business need and a retention limit.

This means you're on the hook for PCI compliance even if you don't store credit card data directly (for example, you use a third-party processor such as Stripe). If you handle credit card data in any way, shape, or form, you're responsible for securing it across all of your business's tools and processes.

Unfortunately, people sometimes take shortcuts that bypass your secure payment flow. For example, customers may send their credit card details directly to you by email. Or they may paste them into a Slack chat or a support ticket.

This represents a double threat. First, the customer has exposed their card number to people at your company who are not authorized to access credit card data. Such insider exposure is as serious a risk to your company and your customers as an external attacker. Second, the number now sits in plain text in mailboxes, chat history, and their backups, well outside your cardholder data environment, which both violates the retention and masking rules above and pulls those systems into PCI scope.

You can sharply reduce this risk by redacting card data as soon as a user sends it. For example, you can set up redaction on communication channels like Slack to detect the presence of a credit card number and immediately replace it with a redacted value, so the full number is never stored or displayed.
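
The detection-and-replace step described above, as an added example written for this article (it is not Strac's code and does not show how Strac's product works). It assumes the common approach of a regex to find candidate card numbers (13 to 19 digits, optionally separated by single spaces or dashes), a Luhn check to discard digit runs that merely look like card numbers, and two replacement modes: a fixed token for channels where nobody should see the number, or a first-six/last-four mask matching the PCI DSS display limit. The sample messages are constructed; 4111 1111 1111 1111 is a widely used Visa test number, not a real card.

```python
from __future__ import annotations

import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
# The lookarounds stop us matching inside a longer digit run (e.g. an order ID).
# Assumption for this example: real DLP engines add brand-specific BIN ranges
# and other context; this regex plus Luhn is the minimal useful version.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check.

    Every real PAN passes it, so a failing candidate is almost certainly a
    phone number, order ID, or other digit run and can be left alone.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN to the maximum PCI DSS allows on display: first six, last four."""
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


def redact_pans(text: str, full: bool = True) -> tuple[str, int]:
    """Replace every Luhn-valid PAN in `text`.

    full=True swaps the whole number for a fixed token, which is right for chat
    and ticketing where nobody needs the number. full=False keeps a masked form
    for workflows where an agent must match a card without seeing the full PAN.
    Returns (redacted_text, number_of_pans_redacted).
    """
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # looks like a card number but is not one
        count += 1
        return "[REDACTED-PAN]" if full else mask_pan(digits)

    return PAN_CANDIDATE.sub(_sub, text), count


# Constructed sample messages, as they might arrive in a Slack channel or
# support inbox. None of these are real card numbers.
SAMPLE_MESSAGES = [
    "hi, my card is 4111 1111 1111 1111 exp 12/26, can you re-run the charge?",
    "order 4111-1111-1111-1112 still shows pending",  # fails Luhn: not a PAN
    "call me on 555-0100-1234 thanks",  # only 11 digits: never a candidate
]


def redact_messages(messages: list[str], full: bool = True) -> list[tuple[str, int]]:
    """Run redact_pans over a batch of messages; handy for a channel backlog."""
    return [redact_pans(m, full=full) for m in messages]


if __name__ == "__main__":
    for original, (redacted, n) in zip(SAMPLE_MESSAGES, redact_messages(SAMPLE_MESSAGES)):
        print(f"{n} redacted | {redacted}")
```

In a real deployment this function would run in the message-ingestion path (a Slack app receiving message events, a mail transport rule, a ticketing webhook) and edit or replace the message before it is persisted; redacting after the fact still leaves the original in backups and notification emails. The Luhn check matters as much as the regex: without it, tracking numbers and internal IDs get redacted and users learn to work around the control.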

Tools like Strac assist with PCI compliance by detecting credit card numbers in channels such as Slack and redacting them immediately, before the full number is stored or displayed to anyone.

PCI DSS 4.0 Requirement 12.5: you must know everywhere card data lives

PCI DSS version 4.0 puts new weight on thorough data discovery. Under Requirement 12.5.2, organizations must document and confirm their PCI DSS scope, identifying every location where account data is stored, processed, and transmitted, at least once every 12 months and after any significant change to the environment. This is not a recommendation but a compliance obligation, and it reaches beyond the systems you designed as the Cardholder Data Environment (CDE) to the business applications, data flows, and file backups where card data has quietly ended up.

Automate redaction for PCI compliance

Strac is a Data Loss Prevention (DLP) company that automates redaction of sensitive data such as credit card numbers, CVVs, credentials, and other personally identifiable information (PII) across a growing suite of applications. Strac redacts PCI data in email bodies and attachments for Microsoft Office 365 and Gmail; in customer support apps such as Zendesk, Salesforce, HubSpot, and Intercom; in Slack; and across a range of other SaaS, cloud, and endpoint applications. See all integrations: https://strac.io/integrations

Book a demo to see it in action today! Also, read more about Strac's Card Data Discovery tool here: https://www.strac.io/blog/card-data-discovery-tool

Any questions?

If you have any questions or want to learn how Strac can help you comply with PCI-DSS, please book a meeting with us.

Founder, Strac. ex-Amazon Payments Infrastructure (Widget, API, Security) Builder for 11 years.
