Keeping cardholder data secure can be incredibly difficult, but have you tried… not storing so much information?
You’d be surprised at how effective that apparently flippant advice is. Organizations often store more information than they need, making security harder than it should be. Take primary account numbers (PANs), that is, full card numbers. Once a transaction has been authorized, most day-to-day tasks, such as matching a refund or answering a customer query, can be done with the cardholder’s name and a truncated PAN (no more than the first six and last four digits), yet organizations habitually keep the full PAN alongside them as a matter of course, going to extra lengths to protect something they don’t actually need.
Removing stored PANs dramatically reduces the scope of your cardholder data environment (CDE), because it is the storage, processing or transmission of PAN that brings a system into scope, and with it the amount of work you need to do to comply with the Payment Card Industry Data Security Standard (PCI DSS). Sometimes, less really is more.
There are many other ways you can reduce the scope of your CDE and make PCI DSS compliance simpler. Here are a few of the most effective:
Segmentation
Network segmentation is the practice of dividing a network into smaller zones and controlling how they communicate with each other. Segmentation is not itself a PCI DSS requirement, but it is the main lever for reducing scope: for a system to be considered out of scope, it must be isolated so that its compromise cannot affect the security of the CDE.
Segmentation can be achieved via:
- Firewalls (or equivalent network security controls) with a default-deny rule base between the CDE and other internal zones
- Switches and VLANs, often used behind a firewall to separate zones; a VLAN on its own is only a logical label and does not count as segmentation unless traffic between VLANs is filtered
- Air gapping, in which organizations use physically separate networks for different segments
- Analog phone lines (dial-up terminals), which keep payment traffic off the IP network entirely, although the terminals themselves remain in scope
Restricting access
An organization’s biggest weakness is often its own staff, so it’s important to implement access controls that restrict information to those with a genuine need to know. Fewer people able to reach sensitive data means fewer opportunities for it to be misused.
Part of this work is making sure systems hold only the data their particular task requires, and that network connections match the real data flow. Map each database’s inbound and outbound connections: a database that fetches everything it needs by initiating outbound connections has no reason to accept inbound connections from the CDE, and allowing them only widens the path an attacker could take.
Other methods
* E-commerce merchants benefit from using a third-party payment provider. With a hosted payment page or redirect, the merchant’s own systems never store, process or transmit the PAN, so most of the Standard’s requirements no longer apply to them; the page that performs the redirect or embeds the payment form still has to be protected against tampering
* Organizations should consider tokenization, in which PANs are replaced by tokens (for example, a random string of digits). The token can still be used to identify the customer on the organization’s systems, but is worthless to an attacker. The token vault, where tokens are mapped back to PANs, remains in scope and must be protected accordingly
* If your organization uses PIN entry devices, consider a PCI-listed point-to-point encryption (P2PE) solution. Card data is encrypted inside the device and decrypted only by the solution provider, so it crosses the merchant’s network as ciphertext that an intercepting attacker cannot read
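To make the truncation and tokenization points above concrete, here is a minimal token vault written as an added illustration for this article; it is not code from the original page or from any payment vendor. The vault stays inside the CDE and is the only component that ever sees a full PAN; the merchant’s own records keep just a random token and the PCI-permitted truncated form (first six and last four digits). The test card number `4111111111111111` is the well-known Visa test PAN, used here as constructed input, and the `TokenVault` class and its method names are this example’s own.

```python
"""Added example: a minimal PAN tokenization vault with truncation.

The point it demonstrates: a token is random, reveals nothing about the PAN,
and can only be reversed by the vault, so systems that store tokens instead
of PANs drop out of PCI DSS scope while the vault itself stays in the CDE.
"""

import re
import secrets

MASK_CHAR = "*"
DIGITS = "0123456789"


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check. Catches typos and tells real PANs from tokens;
    it is not a fraud or validity check against an issuer."""
    if not re.fullmatch(r"\d{13,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """PCI DSS-compliant truncation: at most first six and last four digits in the clear."""
    if not re.fullmatch(r"\d{13,19}", pan):
        raise ValueError("not a plausible PAN")
    return pan[:6] + MASK_CHAR * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Maps PANs to random tokens. Only the vault holds PANs, so only the vault is in the CDE.
    An in-memory dict stands in for the encrypted, access-controlled store a real vault uses."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        # Same card always gets the same token, so the merchant can still
        # recognise repeat customers without holding the PAN.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random digits of the same length as the PAN (keeps existing
            # column widths). A token is rejected if it would pass Luhn, so
            # no token can ever be mistaken for, or used as, a real card number.
            token = "".join(secrets.choice(DIGITS) for _ in range(len(pan)))
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Reverse lookup. In practice this call is only allowed from inside the CDE."""
        return self._token_to_pan[token]


def store_card_for_customer(vault: TokenVault, pan: str) -> dict[str, str]:
    """What the merchant's own (out-of-scope) database keeps: token plus truncated PAN.
    The full PAN never appears in the returned record."""
    return {"token": vault.tokenize(pan), "display": truncate_pan(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    record = store_card_for_customer(vault, "4111111111111111")  # constructed test PAN
    print(record)                        # e.g. {'token': '8305...', 'display': '411111******1111'}
    print(vault.detokenize(record["token"]))  # only the vault can get the PAN back
```

Because a token that fails the Luhn check cannot be a card number, a leaked customer table full of tokens gives an attacker nothing to spend; the security of the scheme rests entirely on the vault, which is why it must stay inside the segmented CDE.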
Want to know more?
For practical advice on the Standard and how you can minimize your compliance requirements, join us for our free webinar: PCI DSS: Reducing the cardholder data environment. You’ll learn:
* Which system components, people, and processes need to be included in the scope
* How to create an accurate data flow diagram to map the movement of cardholder data
* What to include when mapping the IT infrastructure and external connections
* Effective methods for reducing the scope of your CDE
This webinar takes place on Friday, June 1, 2018 at 10:00 a.m. (EDT)
Register >>
If you can’t make it, the presentation will be available to download from our website, where you can also browse our other PCI DSS webinars.