PCI (Payment Card Industry) compliance is a set of standards followed by all companies and merchants accepting payment from customers via credit or debit card. Business owners and operators that accept, process, transmit or store cardholder data are required to comply with PCI security standards to ensure a secure payment card environment.
The goal of PCI compliance is to ensure that merchants provide the maximum security when processing customer payments or handling customer data.
Using an approved point-to-point encryption solution helps merchants reduce the value of stolen cardholder data because it will be unreadable to an unauthorized party.
Cardholder information can be exposed through different sources, especially if customers send sensitive, unencrypted information over email, including attachments or documents. Sensitive information can also exist in data centres (cloud) when using Box, Microsoft SharePoint, Microsoft OneDrive, or Citrix ShareFile.
For more information on PCI compliance standards, refer to the PCI Security Standards Council.
There are several forms of cardholder data on a payment card, some of which are encoded. The following is a typical credit card and its information.
Sensitive data can be found in different places on your network and cloud:
Here is a scenario for searching for sensitive information related to payment cards.
Due to an event that requires enrollment, one of your account managers emailed a payment form with the word Mastercard written on it. The event ran from September 1 to September 7, 2017.
The Chief Information Security Officer (CISO) was notified. The CISO informs you that because of PCI compliance standards, you cannot have unencrypted payment information on your network (both on-premises and in the cloud). The CISO is aware of other similar organizations that have dealt with these issues incorrectly and, as a result, have paid fines and suffered reputation damage.
The CISO instructs you to undertake proactive auditing and remediation. You will need to search messages, documents, and attachments in emails and cloud locations that include the word Mastercard and remove them. In this PCI audit, you must run a search with the following criteria:
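The search described in this scenario, as an added example that is not part of the original page or of any product it describes: a small Python scan over constructed mailbox and cloud records that applies the stated criteria (the word Mastercard, messages sent between 1 and 7 September 2017) to subjects, bodies and attachments. It also flags Luhn-valid card numbers so that an unencrypted PAN is reported masked to its first six and last four digits, the display form PCI DSS permits. The `Message` and `Hit` types, the sample records and locations, and the 5555 5555 5555 4444 test card number are all constructed for the example.

```python
"""Audit scan: find items that mention a keyword or carry a card number (PAN)."""
from dataclasses import dataclass, field
from datetime import date
import re

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the PCI DSS display form."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked, Luhn-valid card numbers found in text; non-card digit runs are ignored."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


@dataclass
class Attachment:
    name: str
    text: str              # extracted text of the attachment (constructed here)


@dataclass
class Message:
    location: str          # e.g. "mailbox:alice" or "sharepoint:/Events" (hypothetical labels)
    sent: date
    subject: str
    body: str
    attachments: list = field(default_factory=list)


@dataclass
class Hit:
    location: str
    sent: date
    where: str             # "subject", "body" or "attachment:<name>"
    keyword_found: bool
    masked_pans: list


def scan(messages, keyword="Mastercard", start=date(2017, 9, 1), end=date(2017, 9, 7)) -> list:
    """Apply the audit criteria: date window, keyword match, and PAN detection, per part of each item."""
    hits = []
    kw = keyword.lower()
    for msg in messages:
        if not (start <= msg.sent <= end):
            continue
        parts = [("subject", msg.subject), ("body", msg.body)]
        parts += [(f"attachment:{a.name}", a.text) for a in msg.attachments]
        for where, text in parts:
            has_kw = kw in text.lower()
            pans = find_pans(text)
            if has_kw or pans:
                hits.append(Hit(msg.location, msg.sent, where, has_kw, pans))
    return hits


# Constructed sample data: one in-window mail with a form attachment, one before the window,
# one in-window mail with an order number that is not a card number, and one cloud document.
SAMPLE_MESSAGES = [
    Message("mailbox:account-manager", date(2017, 9, 3), "Event enrollment payment form",
            "Please complete the attached Mastercard form and return it.",
            [Attachment("payment_form.txt",
                        "Card type: Mastercard\nCard number: 5555 5555 5555 4444\nExpiry: 09/19")]),
    Message("mailbox:account-manager", date(2017, 8, 20), "Old Mastercard form",
            "This Mastercard form predates the event window.", []),
    Message("mailbox:finance", date(2017, 9, 5), "Order confirmation",
            "Order 1234567812345678 confirmed.", []),
    Message("sharepoint:/Events/2017", date(2017, 9, 7), "enrollment_notes.docx",
            "", [Attachment("enrollment_notes.docx", "Accepted cards: Visa, Mastercard.")]),
]


def report(hits) -> list:
    """One remediation line per hit; PANs are never shown unmasked."""
    return [f"{h.sent} {h.location} [{h.where}] keyword={h.keyword_found} pans={h.masked_pans}"
            for h in hits]


if __name__ == "__main__":
    for line in report(scan(SAMPLE_MESSAGES)):
        print(line)
```

Each hit names the item and the part of it (subject, body or attachment) that matched, so the remediation step can target the exact object. The order number in the third message is rejected by the Luhn check, which is what keeps a scan like this from flooding the audit with false positives from invoice and tracking numbers.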