IT Governance USA Blog

Having trouble complying with the PCI DSS? Here are some tips

espellman May 30, 2018

Keeping cardholder data secure can be incredibly difficult, but have you tried… not storing so much information?

You’d be surprised at how effective that apparently flippant advice is. Organizations often store more information than they need, making security trickier than it should be. Take primary account numbers (PANs). This information is needed far less often than cardholders’ names and card numbers, but organizations habitually collect all three as a matter of course, going to extra measures to protect something they don’t even need.

Removing PANs means you dramatically reduce the scope of your cardholder data environment (CDE) and reduce the amount of work you need to do to comply with the Payment Card Industry Data Security Standard (PCI DSS). Sometimes, less really is more.

There are many other ways you can reduce the scope of your CDE and make PCI DSS compliance simpler. Here are a few of the most effective:

Segmentation

Network segmentation is the process of separating a network into smaller sub-sections and limiting the ways in which they can communicate with each other. For a system to be considered out of scope for the PCI DSS, it must be isolated in such a way that a breach of that system could not affect the CDE.

Segmentation can be achieved via:

  • Firewalls to segment internal zones
  • Switches, which are often used behind a firewall to segment network zones
  • Air gapping, in which organizations use separate network connections for different segments
  • Analog phone lines to completely remove the threat of network breaches

Restricting access

An organization’s biggest weakness is often its own staff, so it’s important to implement access controls to ensure information is only accessed on a need-to-know basis. This means fewer people can obtain sensitive information, mitigating the risk of it being misused.

Part of this process will involve making sure that systems only store information that’s relevant for particular tasks. For example, you should assess your databases and the way they collect inbound and outbound traffic. Databases that collect all the information they require through an outbound channel shouldn’t be connected to an inbound channel.

Other methods

* E-commerce merchants will benefit from using third-party payment providers. This puts a whole section of the Standard out of scope.

* Organizations should consider using tokenization, in which PANs are replaced by tokens (i.e. a series of random digits). Tokens can still be used to identify the customer on the organization’s network, but have no value for malicious use.

* If your organization uses PIN entry devices, you should ensure that they implement point-to-point encryption. This converts payment card data into a code, preventing criminal hackers from intercepting information in transit.
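To make the tokenization and "store less" points above concrete, here is an added illustration (not code from IT Governance or from any tokenization product): a hypothetical token vault that is the only component holding full PANs, hands out same-length random-digit tokens that deliberately fail the Luhn check so they can never be mistaken for a real card number, and a masking helper for the truncated form applications can display instead of the PAN. The length limits and masking rule are assumptions chosen for the example.

```python
import secrets

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Truncated form for display: at most the first six and last four digits are shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

class TokenVault:
    """Hypothetical vault: the only place full PANs live. Every other system in the
    organization stores and passes around only the token this vault returns."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        """Return a stable token for a PAN, creating one on first sight."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]   # same customer -> same token
        while True:
            # Same length, random digits. Reject any candidate that passes Luhn
            # or collides, so a leaked token is never usable as a card number.
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Restricted operation: only the path that talks to the payment processor
        should be allowed to call this; everything else works with the token."""
        return self._token_to_pan[token]
```

Only the vault (and whatever can call `detokenize`) remains in PCI DSS scope; a database that stores just the token and the masked PAN holds nothing an attacker could use.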

Want to know more?

For practical advice on the Standard and how you can minimize your compliance requirements, join us for our free webinar: PCI DSS: Reducing the cardholder data environment. You’ll learn:

* Which system components, people, and processes need to be included in the scope

* How to create an accurate data flow diagram to map the movement of cardholder data

* What to include when mapping the IT infrastructure and external connections

* Effective methods for reducing the scope of your CDE

This webinar takes place on Friday, June 1, 2018 at 10:00 a.m. (EDT)


If you can’t make it, the presentation will be available to download from our website, where you can also browse our other PCI DSS webinars.
