Saturday, April 20, 2024

Minimizing Your Data Footprint

It’s the key to reducing risk and simplifying PCI compliance, but it’s often overlooked.

Following months of intensified global cyberattacks, it’s imperative that today’s threats be met with a multilayered approach to security. Rendering cardholder data useless to criminals is the end game. This means that even if a criminal is able to steal cardholder data, its possession should be impossible to exploit.

We’re at an exciting place now in that we actually have the technology to help us do this. EMV chip, tokenization, and point-to-point encryption (P2PE) are more accessible and available than ever.

The PCI Security Standards Council will be publishing both tokenization best practices and updated P2PE requirements shortly. Used together with PCI, these technologies provide a layered approach to payment security that makes theft of cardholder data a non-event. They can also simplify the process of PCI compliance.

But they are only as good as the way in which they’re applied and implemented.

As your organization moves to take advantage of these technology solutions, the focus should be to limit the exposure of data in your systems. The first step is properly identifying the cardholder data environment to begin with.

This is a crucial but often overlooked step. Data-breach investigation reports continue to find that a large majority of companies suffering compromises were unaware that cardholder data were present in the compromised systems. And with businesses rapidly adopting a third-party operations model, this becomes an increasingly complex challenge.

With so much discussion of late about “scope reduction” for both P2PE and tokenization, it is important to remember the primary purpose of these technologies is to minimize the exposure of cardholder data, making merchants and other entities less attractive targets for criminals.

If we can limit the locations of cardholder data, the smaller subset of systems to protect should improve the focus and overall security of those systems. And better security should then lead to simpler compliance efforts.

While we’re excited about these opportunities, there are other ways to minimize where cardholder data resides. One such way is to evaluate existing business processes to determine if former ways of accepting payments are still the best ways.

In either case, knowing where your cardholder data are located is a critical part of your planning. As you move to implement the strongest security solutions and technology available to protect payments, these are some of the key things to consider when trying to reduce the cardholder data in your network:

Maintain a dataflow diagram

First, we need to identify how we can reduce the attack surface. The starting point is maintaining a dataflow diagram showing all locations and flows of cardholder data.

This is already required as part of Requirement 1 of the Payment Card Industry data-security standard (PCI-DSS). But how often is that reviewed during the year to confirm it reflects changes? Or is it dusted off only when the qualified security assessor comes on site, making it necessary to go through a series of mitigation steps because it’s not up to date?

Remember, the weakest link in an environment is where an entity doesn’t know that cardholder data are there. The majority of compromises occur on systems that the organization didn’t even know had access to cardholder data.

Dataflow diagrams help identify which systems require protection and may also help when responding to vulnerabilities or a potential compromise.

Meet regularly with those able to create cardholder data pathways

People. We always say that security is composed of People, Process, and Technology, but it seems the more interconnected our technology becomes, the more disconnected our professional relationships with other people become.

To help stay current with process and dataflow, we encourage regular communication with those in the company (or third-party relationships) who have the ability to create payment pathways. Are their processes up to date? What remote connections are there to third parties?

If your organization is responsible for maintaining the dataflow diagrams (and somebody in your organization should be), have a formalized process. Place it on your calendar to meet regularly, even if it is simply to check in to confirm nothing has changed. According to the Ponemon Institute, those organizations that were doing more regular audits of the environment actually saved 55% overall on their annual cost to comply with PCI-DSS. This simple step may save your organization significant expense.

Consider a data-discovery and data-loss methodology

At the PCI Council, we view data-loss prevention as a method (not necessarily a product) to identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection, contextual security analysis of the transaction (attributes of originator, data object, medium, timing, recipient/destination, and so on) and a centralized management framework.

Data-loss prevention is not required by PCI DSS; however, it may be a valuable addition to a security strategy as part of a risk-management program.
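Data discovery is the "identify" half of the method described above, and the deep content inspection it relies on can start very simply. The following Python scanner is an added example for this article, not code from the author or the PCI Council: it walks constructed log lines, pulls out digit runs of PAN-like length (with or without space or dash separators), keeps only those that pass the Luhn mod-10 check, and reports each hit with its line number and a masked number (first six and last four digits). The sample log and the regular expression are my own construction; the two card numbers in it are the widely published Visa and Mastercard test numbers, not real accounts.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes. The lookarounds refuse to start or stop inside a longer digit run,
# so a 20-digit identifier is not carved into a 16-digit "card number".
# (Pattern constructed for this example; tune it for your own data formats.)
CANDIDATE_RE = re.compile(r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){12,18}\d(?![ -]?\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four, so the scan report itself holds no full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[tuple[int, str]]:
    """Return (line_number, masked_pan) for every Luhn-valid candidate in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append((line_no, mask_pan(digits)))
    return findings


# Constructed sample: an application log that should never contain card data.
# Line 2 and line 5 carry test card numbers; line 3 carries a 16-digit invoice
# number that fails the Luhn check and so is correctly ignored.
SAMPLE_LOG = """\
2024-04-20 10:01:22 order=5589327146 customer=jdoe status=ok
2024-04-20 10:01:23 card=4111 1111 1111 1111 exp=12/26 amount=49.99
2024-04-20 10:01:24 invoice=1234567890123456 status=paid
2024-04-20 10:01:25 token=tok_8f3a9c2e71b04d amount=12.00
2024-04-20 10:01:26 card=5555-5555-5555-4444 amount=5.00
"""

if __name__ == "__main__":
    for line_no, masked in find_pans(SAMPLE_LOG):
        print(f"line {line_no}: possible PAN {masked}")
```

Two design choices matter in practice. The Luhn filter removes most of the noise that a bare digit-run search produces (timestamps, order numbers, invoice IDs), which keeps the findings actionable. And the report masks every hit: a discovery tool that writes full card numbers into its own output has just created one more location of cardholder data, which is exactly what the exercise is meant to eliminate.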

If you don’t need it, don’t store it

Last, but most important, remove legacy cardholder data that are no longer needed. I’m often surprised by the stories of compromises where data were stored with no business or financial reason to do so.

However, you can only permanently eradicate the storage of cardholder data if you know first where your data are and then evaluate the business need for each location and flow of cardholder data.

Keep these considerations in mind when looking at ways to reduce your cardholder data footprint. When planned for and implemented properly, both point-to-point encryption and tokenization can minimize PCI-DSS complexity and improve the security of sensitive data. But don’t limit their capabilities by not properly identifying the cardholder data environment to begin with.

Troy Leach is chief technology officer at the PCI Security Standards Council, Wakefield, Mass.


Digital Transactions