The rules set forth by PCI-DSS can seem complicated. Four levels, 12 requirements, multiple credit card brands: it’s easy to get lost in the details of PCI-DSS requirements.
Merchants who fail to meet the PCI compliance standard face heavy consequences, however. Not only do these companies put their customer data at risk, they may also face hefty fines ranging from $5,000 to $100,000 per month. Ultimately, the goal of PCI compliance is to protect customer data from falling into the wrong hands. To that end, there are plenty of data discovery tools that can help you identify where customer data needs to be protected and act accordingly.
PCI data protection requirements
The PCI-DSS regulation includes twelve requirements as laid out in the official PCI-DSS Quick Reference Guide. These are relatively broad requirements, but they require that business owners take concrete steps to maintain data security.
The 12 PCI-DSS requirements are:
- Install and maintain a firewall to protect cardholder data.
- Use unique passwords and other security parameters, never vendor-supplied default passwords or other security parameters.
- Use SSL-level encryption if cardholder data is transmitted across networks.
- Store cardholder data securely.
- Update antivirus and malware protection regularly.
- Maintain secure systems and applications.
- Restrict access to cardholder data to only users who need it.
- Restrict physical access to cardholder data, such as device access.
- Require users to log in or authenticate to access system components.
- Track and monitor access to network resources and cardholder data.
- Test security systems regularly.
- Create an information security policy and update it regularly.
Discovering unencrypted card data falls under Requirement 3.1. In addition, requirements four, six, and seven through nine all pertain to maintaining security for sensitive customer data. However, these requirements aren’t prescriptive: it’s up to the merchant to decide how to restrict cardholder data access and store data securely. This is where PCI data discovery tools can help.
What to look for in PCI data discovery tools
Cardholder data can include typical personally identifiable information — email addresses and phone numbers, for instance — as well as card data, such as the primary account number (PAN), magnetic stripe data, card verification code (CVV) and the PIN.
Card data discovery tools scan, identify, and analyze networks, cloud platforms, and devices for sensitive cardholder information. These tools discover where the merchant is storing or using sensitive customer data. Then the tools help IT teams assess how effective control systems are to support the confidentiality of that data.
In the process of vetting and trialing different data discovery tools, organizations should keep a few things in mind. First, data discovery tools should work across the organization. The goal of data discovery is to uncover where card data is stored, so the scan must encompass the entire organization and not be limited to the card data environment.
To that end, data may reside on different platforms. PCI data discovery tools can scan systems, databases, networks, and cloud platforms. It may be the case that the organization needs multiple tools to cover all the different systems that support the organization. Identify all the databases, operating systems, devices, and cloud software that will need to be scanned before vetting your data discovery tools.
Card data can also be stored in many different formats, so make sure you find a tool that scans both structured and unstructured data. Card data can even be found in temp files, so make sure your tool is able to handle all different types of formats.
And, finally, it’s important to find a tool that cuts down on the IT security team’s manual processes. Data discovery tools that use machine learning and AI take the burden off IT and security teams to constantly monitor and manually look for vulnerabilities. If there is an instance of unsecured data, these tools can decrease the mean time required to resolve the issue.
Best PCI data discovery tools
Scanning for sensitive data is a multi-step process that involves different types of data discovery tools. The PCI Security Standards Council provides a list of security solutions, including PCI point-to-point encryption (P2PE) solutions and secure SLC-qualified software vendors.
Once those have been implemented, IT teams should review the existing network, data flow, and cardholder data (CHD) locations. As more and more organizations work remotely, securing cardholder data in cloud environments is often the first priority.
Nightfall’s cloud DLP solution can help you first discover and classify sensitive PII and PCI data that must be protected. Nightfall uses machine learning detectors individually trained to identify specific types of cardholder data that are protected by PCI compliance regulations. Next, the platform provides a way to quickly remediate any security issues by notifying admins and quarantining or deleting data. This reduces the risk of losing or exposing sensitive customer data.
Nightfall’s classification is automatic and highly accurate, meaning IT security teams spend less time tagging data manually, reviewing false positives or grappling with alert fatigue. Nightfall also enables users to create automatic workflows that take action on sensitive data proactively, reducing mean time to resolution.
Learn more about how Nightfall’s data discovery features can help IT teams protect sensitive PCI information by scheduling a demo.