
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that helps organizations protect their payment systems from breaches, fraud, and theft of cardholder data. Developed by the PCI Security Standards Council, PCI DSS applies to any business that processes, stores or transmits cardholder data for the world’s biggest card schemes: American Express, Discover, JCB, MasterCard, and Visa.
While PCI DSS itself is not legally binding, merchants need to comply with it as part of contractual obligations with card companies and financial institutions the world over. Banks, for example, require PCI DSS compliance before they allow merchants to accept card payments over the phone, in person, or online.
Companies found to be non-compliant face fines of up to $100,000 per month and increased transaction fees, and their bank can permanently terminate the relationship. They also run a high risk of being added to the Merchant Alert to Control High-Risk (MATCH) list, which would bar them from ever processing card payments again.
PCI DSS compliance is made up of twelve core requirements and 250 associated controls. They range from basic security measures, such as using and updating firewalls and changing default passwords, to more complex ones involving the development and maintenance of secure systems and applications.
To demonstrate PCI DSS compliance, merchants need to complete a Self-Assessment Questionnaire (SAQ), which comes in multiple versions to accommodate different types of businesses and processing methods. If they process over 6 million transactions yearly, they are required to undergo auditing by an external or internal security assessor qualified by the PCI Security Standards Council.
Data Loss Prevention (DLP) solutions are some of the most useful tools for PCI DSS compliance on the market. Because their policies are applied directly to sensitive data rather than to devices or the whole network, they ensure that cardholder information is identified, logged, and controlled in order to meet PCI DSS requirements. Let’s take a closer look at the requirements DLP tools help with.
Protect stored cardholder data
Requirement three of PCI DSS covers the protection of stored cardholder data. To meet it, organizations must know where that data is located on their servers and have the means to control its use. DLP solutions, through their content discovery features, let companies scan their entire network and find where sensitive data is stored and how it is used and transferred.
Solutions such as Endpoint Protector do this through predefined policies for standards such as PCI DSS, so companies don’t have to waste time building policies from scratch: DLP developers have already identified which sensitive data needs to be protected and built the definitions for it into the product.
By knowing where data is located and how it is used, companies can build efficient data protection strategies that address identified issues rather than taking a broad approach to compliance. A strategy that targets known weaknesses not only protects data more effectively but also saves money by ensuring that the solutions chosen are actually necessary.
Once DLP solutions are in place, businesses can control the transfer and storage of sensitive data on company endpoints. Transfers of such data via unprotected channels over the internet or to unencrypted removable devices can be blocked, and organizations can define whitelists of allowed destinations such as company-issued encrypted USBs or approved email addresses.
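As an added illustration of what a predefined PCI DSS content-discovery definition looks like (example code written for this page, not Endpoint Protector's or any product's own), the block below finds primary account numbers (PANs) in text: candidate digit runs of 13 to 19 digits with optional spaces or hyphens, simplified prefix and length rules for the five schemes the article names, a Luhn check to discard look-alike numbers, and masking to the first six and last four digits so findings can be logged. The issuer rules are deliberately simplified, and the card numbers in the constructed sample are public test values, not real cardholder data.

```python
import re
# Simplified prefix/length rules for the article's five schemes (real DLP definitions carry full BIN tables).
ISSUERS = [
    ("American Express", re.compile(r"3[47]\d{13}")),
    ("Discover", re.compile(r"6(?:011|5\d\d)\d{12}")),
    ("JCB", re.compile(r"35(?:2[89]|[3-8]\d)\d{12}")),
    ("MasterCard", re.compile(r"(?:5[1-5]\d\d|2(?:2[2-9]\d|[3-6]\d\d|7[01]\d|720))\d{12}")),
    ("Visa", re.compile(r"4\d{12}(?:\d{3})?")),
]
# 13 to 19 digits, tolerating the spaces or hyphens PANs are often stored with.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Mod-10 check digit: rejects order numbers and other look-alike digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(digits: str):
    """Issuer name for a digit string, or None when no rule matches."""
    return next((name for name, rx in ISSUERS if rx.fullmatch(digits)), None)

def mask_pan(digits: str) -> str:
    """Requirement 3: at most first six and last four in the clear; logs get only this form."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def discover_pans(text: str) -> list:
    """One finding per valid PAN: issuer, masked PAN, character offset in the text."""
    findings = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        issuer = classify(digits)
        if issuer and luhn_ok(digits):
            findings.append({"issuer": issuer, "pan": mask_pan(digits), "offset": m.start()})
    return findings

# Constructed sample export: public test-card numbers (not real cardholder data)
# mixed with digit runs a bare regex would misreport.
SAMPLE = (
    "customer,card,order\n"
    "alice,4111 1111 1111 1111,1234567812345678\n"  # Visa; order id fails Luhn
    "bob,3782-822463-10005,4111111111111112\n"       # Amex; mistyped Visa fails Luhn
    "carol,5555555555554444,6011111111111117\n"      # MasterCard and Discover
    "dave,3530111333300000,ext 5551234567\n"         # JCB; phone number too short
)
```

Running `discover_pans(SAMPLE)` reports the five test cards and none of the three look-alikes; the same function applied to files found by a discovery scan gives the inventory requirement 3 asks for, with only masked PANs ever written out.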
Restrict access to cardholder data by business need-to-know
Restricted access to sensitive data, the seventh PCI DSS requirement, can also be verified and enforced through DLP content discovery scans. By searching employee computers, these scanning tools can identify sensitive data on devices belonging to unauthorized individuals and promptly delete or encrypt it where it is found. In this way, organizations can ensure that any breach of authorization policies is detected and swiftly dealt with.
Track and monitor all access to network resources and cardholder data
Under requirement 10 of PCI DSS, companies must log security events and activity on servers and critical system components. While antivirus software can provide logs of security incidents, DLP solutions can generate logs of attempted unauthorized transfers and how they were resolved, proving that a company is actively protecting its data from breaches.
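The following is an added example (not Endpoint Protector's or any vendor's code) of how the destination whitelists described under requirement 3 and the transfer log described here fit together: a hypothetical endpoint policy allows PAN-bearing transfers only to company-issued encrypted USBs and approved mailboxes, and every decision, allowed or blocked, is returned as an audit record carrying masked PANs only. The policy values, device serials, addresses and events are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
# Hypothetical policy modelled on the article: company-issued encrypted USBs and
# approved mailboxes are whitelisted; other destinations carrying PANs are blocked.
POLICY = {
    "usb_whitelist": {"SN-ENC-0001", "SN-ENC-0002"},   # constructed device serials
    "email_whitelist": {"payments@example.com"},
    "allow_internet": False,                            # unprotected web channels
}
@dataclass
class Transfer:
    user: str
    channel: str          # "usb", "email" or "internet"
    destination: str      # device serial, recipient address or URL
    masked_pans: list     # masked findings handed over by content discovery
    encrypted: bool = False

def evaluate(t: Transfer, policy: dict = POLICY, now: datetime = None) -> dict:
    """Allow or block the transfer and return the audit record a DLP agent would
    forward to the log collector for requirement 10 (PANs masked only)."""
    if not t.masked_pans:
        decision, reason = "allow", "no cardholder data detected"
    elif t.channel == "usb":
        ok = t.destination in policy["usb_whitelist"] and t.encrypted
        decision, reason = ("allow", "whitelisted encrypted USB") if ok else \
                           ("block", "unapproved or unencrypted removable device")
    elif t.channel == "email":
        ok = t.destination in policy["email_whitelist"]
        decision, reason = ("allow", "whitelisted recipient") if ok else \
                           ("block", "recipient not whitelisted")
    else:
        decision, reason = ("allow", "channel permitted") if policy["allow_internet"] else \
                           ("block", "unprotected internet channel")
    return {
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "user": t.user, "channel": t.channel, "destination": t.destination,
        "pans": t.masked_pans, "decision": decision, "reason": reason,
    }
# Constructed events: one per policy branch.
EVENTS = [
    Transfer("alice", "usb", "SN-ENC-0001", ["411111******1111"], encrypted=True),
    Transfer("alice", "usb", "SN-PERSONAL-77", ["411111******1111"]),
    Transfer("bob", "email", "friend@personal.example", ["378282*****0005"]),
    Transfer("bob", "internet", "https://paste.example/upload", ["378282*****0005"]),
    Transfer("carol", "email", "friend@personal.example", []),
]
def audit_log(events=EVENTS) -> list:
    """Evaluate each event and return the log records in order."""
    return [evaluate(e) for e in events]
```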
Logging and reports also help companies make more informed decisions about the tools they need and don’t need to implement in future data protection strategies.
Regularly test security systems and processes
For requirement 11, DLP tools, through automatic and manual scans, let companies test the effectiveness of their data protection strategies by verifying the security of their sensitive data. By monitoring how that data moves, organizations can see whether employees are applying their training in practice or whether best practices are being circumvented in any way.
They can also discover whether the solutions they have applied are effective or whether previously identified vulnerabilities persist. This gives companies a better understanding of which policies work for them and which don’t, and reveals potential blind spots in their data protection strategies.
In conclusion
PCI DSS compliance is essential for any company working with banks and card payments. DLP tools can help organizations discover, monitor, and control where their data is being stored, how it is being used, and transferred, bringing them one step closer to compliance.