This year, the Payment Card Industry Data Security Standard (PCI DSS) is celebrating its 15th birthday. And while PCI DSS continues to evolve, data storage remains a central aspect of compliance for any organization that handles sensitive cardholder data. How companies approach, manage, and guard their data storage is critical both to keeping hackers at bay and to maintaining PCI compliance.
In RSI Security’s recent PCI Expert Summit, Stephen Cavey brought data storage into focus with regard to PCI compliance. Stephen is the co-founder and chief evangelist of Groundlabs, a data reconnaissance and discovery platform designed to aid in PCI compliance. As an expert in data storage, Stephen walked attendees through how PCI has evolved with regard to data storage, common mistakes companies make in data storage, and how to uncover potentially vulnerable hidden data.
Read on for a recap of Stephen’s presentation and how you can put data storage into greater focus while undertaking PCI compliance.
Trends in PCI and Data Storage
First, Stephen covered current developments in PCI and data storage activities and technology. Currently, Visa and Mastercard are seeing an increase in card-not-present fraud. Payment processors are therefore upping their game and continuing to put additional standards in place to protect stored data and reduce card-not-present fraud.
Moreover, Stephen notes that PCI compliance levels have declined again in recent years. A huge factor is that many companies have a “one and done” mindset, treating PCI compliance as a one-time event rather than an ongoing endeavor. In Stephen’s experience, it often takes time to ramp up to the ongoing compliance mindset that’s required to find, inventory, and protect your data storage infrastructure.
Stephen cautions that PCI compliance is not a project, and never was. It’s an ongoing mindset, especially in relation to data storage measures. As more information technology (IT) infrastructure moves towards the cloud, there are an increasing number of data storage endpoints that hackers are seeking to exploit. That’s why knowing where all of your data resides is so important in PCI compliance.
Uncovering Hidden Storage Risks
Stephen drove home the fact that one of the biggest data storage risks in PCI compliance is simply not knowing where all of your data lives. Many organizations have scattered systems and storage networks, and haven’t conducted a thorough inventory of where cardholder data is. Companies need the right combination of people, processes, and technology to reduce the data storage attack surface as much as possible.
Many organizations therefore need systems or software to look behind the scenes, scouting out and discovering previously unknown cardholder data locations. In addition, companies should be wary of where and how they store customers’ non-card data that can potentially be exploited. This includes things like addresses, telephone numbers, and social security numbers stored throughout the company.
The goal is to leave no stone unturned and eliminate any assumptions that there’s potentially hidden information that might be hacked or stolen. That’s why starting with data discovery of storage systems is the best foundation towards driving PCI compliance. The good news is that there are software and technology partners that merchants can work with to ensure all critical data is inventoried and accounted for.
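The discovery step described above, reduced to its core: scan stored text for candidate card numbers, keep only those that pass the Luhn check, and report masked values with their location so the finding itself does not create a new store of cardholder data. This is an added example written for this recap, not Groundlabs code; the sample input is constructed and uses publicly known test card numbers.

```python
import re

# Luhn check: the mod-10 checksum every real PAN satisfies. It filters out
# most long digit runs (order ids, timestamps) that merely look like cards.
def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Candidate PANs: 13-19 digits, optionally separated by single spaces or
# dashes, and not embedded inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Keep the first six (BIN) and last four, as PCI DSS permits for display.
def mask_pan(digits: str) -> str:
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str, source: str = "<memory>") -> list:
    """Return masked PAN findings with source and line number."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append({"source": source, "line": line_no,
                             "masked": mask_pan(digits)})
    return findings

def scan_file(path: str) -> list:
    """Scan one file on disk; undecodable bytes are ignored, not reported."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        return find_pans(fh.read(), source=path)

# Constructed sample: a note field that leaked a PAN, a non-card 16-digit
# order id (fails Luhn), and a dash-separated card on file.
SAMPLE = """customer_id=1002, name=Test User
notes: paid with 4111 1111 1111 1111 on 2019-03-04
backup ref 1234567890123456 (order id, not a card)
card on file: 5555-5555-5555-4444
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE, "constructed.txt"):
        print(f"{f['source']}:{f['line']}: {f['masked']}")
```

Run against exported backups, log directories, and shared drives to build the inventory the presentation calls for; only the masked form should ever be written to the report.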
Looking Ahead to PCI 4.0
While PCI version 4.0 is still in the request for proposal (RFP) stage, Stephen says there are several key developments to expect that will affect how businesses manage and protect data storage infrastructure. For example, increased standards around multi-factor authentication and encryption for data-in-transit to and from storage locations are expected to be put forth under PCI 4.0.
Stephen also says it’s important for businesses to understand where penalties will come from and who levies them. A common misconception is that the PCI Council is the one enforcing and collecting fines. In reality, it’s the card brands like Visa and MasterCard that are legally responsible for levying fines. This isn’t expected to change under PCI 4.0, and companies should be prepared to work with those card brands in the event of a breach or violation.
While there will likely be a complete renumbering of requirements under PCI 4.0, the basic principles of data storage and compliance will remain constant. Companies should use reconnaissance software to gain a clear picture of where each and every bit of data resides. This goes for both card numbers and associated data alike. By putting data storage in scope and focus, businesses can avoid unnecessary PCI compliance headaches, penalties, and fines on an ongoing basis.