Thursday, December 18, 2008
The podcast, entitled "Trying to Protect Payment Data When You Can't Even Find It All," explains how information technology (IT) departments can regain control of their most sensitive cardholder data. The goal is to prevent theft by keeping sensitive data from being scattered across multiple storage locations.
"The less storage you put in the hands of individual employees, the less likely they are to be able to put data in several places, whether it's USB [Universal Serial Bus] sticks, on their PCs, or in e-mail addresses sitting on their servers," said David Taylor, founder of the PCI Knowledge Base and former security analyst with Gartner Inc. "What we need to do is look at how we reduce the volume of scattered data."
Shift4 partnered with StoreFrontBackTalk.com and produced the podcast to help merchants simplify PCI implementation and achieve total security for their payment systems. And, if implemented properly, CIRT solutions that are Payment Applications Best Practices compliant relieve merchants of the burden of storing, processing and transmitting cardholder data.
Cardholder data storage and security, according to industry specialists, is the top priority of any financial institution. An IT executive's most frightening scenario is the 2 a.m. phone call from an employee who has lost cardholder information. The loss might result from a power outage; the missing data could be on a memory stick dropped behind an airplane seat cushion; it could be on a personal digital assistant or cell phone stolen from a convention floor.
What happens to the card data after the crisis is over? What are your company's policies on duplicated cardholder data and its storage? How do you change employee attitudes about security and attack the human factors responsible for data breaches and theft? According to J.D. Oder, founder and Chief Technology Officer of Shift4, sound in-house company security policies need constant review and revision.
"You can strictly enforce things, even beat your employees over the head with a stick, but it's a moot point if the employee does everything right and the company infrastructure fails," Oder said. "The challenge we run into with policy is that policy is words. But it's the actions and ability to stay focused on a day-to-day basis that keeps card data in control. Breaches happen when mistakes are made, but simplifying PCI means having the right technology in place."
Taylor suggested one way to do this is to move back to a business architecture built on centralized computing and virtual terminal devices. The less storage you put in the hands of individual employees, the less likely they are to put data helter-skelter into data storage systems. "The point is that it will be incredibly expensive to do this," Taylor said. "What we really need to do is look at how we reduce the volume of data that is all over the place."
Finding and purging cardholder data located outside of centralized storage systems is necessary, "whether you are talking about disabling individual and user functionality so they can't right-click on files and save them to their disks, or capture screens with credit card numbers on it and save it to a disk or another drive," Taylor said. "To avoid a regression, we have to greatly confine the sensitive cardholder data we have to as few locations as possible once we find it."