Solving PCI DSS Demands on CISOs

All organizations that handle credit card or other types of payment card data must effectively and efficiently meet every section of PCI DSS 3.2 for PCI compliance and data security. Just as with SOX or GDPR compliance, a failure to protect cardholder data can result in stiff penalties and fines as well as the associated costs of settlements, legal fees and reputation loss. Many CISOs have stated that a guide to meeting each section of the PCI compliance standard is needed for the following reasons:

  • Too many vulnerabilities to address sufficiently to be PCI compliant, given limited manpower
  • A lack of a systematic and automated process that aligns with the various compliance sections for protecting credit card data
  • Multiple, non-integrated DLP solutions, both on premise and in the cloud, that do not sufficiently and specifically address the PCI security standards and mitigate risk
  • Little or no up-to-date threat intelligence or vigilance over data at rest and/or data in use as specified by the PCI SSC (PCI Security Standards Council)
  • A patchwork of solutions and standard operating procedures for complying with the PCI Security Standards Council's requirements for PCI data

However, with the right partner for rapid discovery, accurate classification and automated protection of PCI DSS payment card data, information security officers can now easily and cost effectively address most, if not all, of their PCI DSS data security compliance requirements.

How To Get There

Step 1: Rapid Data Discovery

You can’t protect what you can’t find. Easier said than done, but with the appropriate “data at rest” security solution you can do just that. The key to complying with the Designated Entities section (.2) as well as Requirement 7 for PCI compliance is to make sure that all of the pre-loaded data sets needed to be PCI compliant are available and ready to implement. In addition, make sure that at the same time you can load your own data sets that are particular to your organization and your cardholder data, such as intellectual property or unstructured data like a stray credit card number sitting in a Word document or Excel spreadsheet. Your solution should also continue to protect your credit card data by discovering in “real time” all newly collected PCI cardholder data.

Step 2: Accurate Classification

Once you find your structured and unstructured PCI-relevant sensitive data, you need a DLP solution that can accurately classify the PCI data. Whether you are a small organization with a small PCI database or an organization using Splunk for big data management, it’s impossible to do so with just your own personnel, and that includes investigating and resolving every false positive against the data security standard. To keep your costs down and compliance up, make sure your application returns less than 5% false positives for PCI credit card data. Under 3% is fantastic for accurate PCI-compliant classification and will return an excellent ROI as well as praise from the CIO and board of directors.

Step 3: Automatic Remediation

To be cyber secure and meet Requirements 6 and 7, automatic remediation of all existing and newly acquired PCI cardholder data is necessary. Your application should allow for various types of data protection and also provide automatic remediation based on administratively set policies. Not only will this guard against unauthorized access resulting from phishing attacks, but also against unintentional internal misuse that violates DSS compliance. The added benefit is that your organization, with the appropriate dashboard, will be able to review and monitor the audit logs for all past and current days, as required by PCI DSS Requirement 10.
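As an added illustration of the classification and remediation steps above (example code written for this page, not Spirion's product or the post's own code): the script scans free text for card-number candidates, discards false positives with a Luhn check and brand prefix/length rules, masks each confirmed PAN to its last four digits and records an audit entry per finding. The regex, the brand ranges and the sample text are my own assumptions, not anything the post specifies.

```python
import re
# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every real PAN passes it; about 90% of random digit strings fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def card_brand(digits: str):
    """Coarse issuer check by prefix and length (assumed ranges: Visa 4; Mastercard 51-55, 2221-2720; Amex 34/37)."""
    if digits[0] == "4" and len(digits) in (13, 16, 19):
        return "visa"
    if len(digits) == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "mastercard"
    if len(digits) == 15 and digits[:2] in ("34", "37"):
        return "amex"
    return None

def classify(candidate: str):
    """Return the card brand if the candidate is a plausible PAN, else None (a rejected false positive)."""
    digits = re.sub(r"[ -]", "", candidate)
    if len(set(digits)) == 1:            # 0000..., 1111...: placeholder, not a PAN
        return None
    brand = card_brand(digits)
    return brand if brand and luhn_ok(digits) else None

def remediate(text: str):
    """Mask every confirmed PAN to its last four digits; return (masked_text, audit_entries)."""
    audit = []
    def _sub(m):
        brand = classify(m.group())
        if brand is None:
            return m.group()             # not a PAN: leave the text untouched
        digits = re.sub(r"[ -]", "", m.group())
        audit.append({"offset": m.start(), "brand": brand, "last4": digits[-4:]})
        return "*" * (len(digits) - 4) + digits[-4:]
    return CANDIDATE.sub(_sub, text), audit

# Constructed sample: two test-format PANs, a 16-digit order id, and a Mastercard-prefixed number that fails Luhn.
SAMPLE = ("Invoice 4111 1111 1111 1111 paid. Order 1234567890123456 shipped. "
          "Amex 3782 822463 10005 on file; typo 5500 0000 0000 0005 rejected.")

if __name__ == "__main__":
    masked, audit = remediate(SAMPLE)
    print(masked, audit, sep="\n")
```

The order id and the Luhn-failing number survive untouched, which is the false-positive reduction Step 2 asks for; the audit list is the per-finding record Requirement 10 reporting would be built on.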

This post guides CISOs in meeting PCI DSS requirements using Spirion for rapid discovery, accurate classification and automated protection of all payment card data. Request the detailed whitepaper here.