E-commerce businesses rely heavily on card transactions to give consumers the convenience of online shopping. With millions of payment transactions each day, it is no surprise that card fraud is widespread. To address this, the Payment Card Industry Data Security Standard (PCI DSS) was introduced by the major card brands, including MasterCard and Visa, to secure the payment process. It sets baseline security requirements for IT systems and establishes secure processes for the use, storage, and transmission of cardholder data in the E-commerce business.
While PCI DSS is widely regarded as one of the best ways to mitigate external threats, unauthorized use of cardholder data by insiders remains a major concern. Data Loss Prevention (DLP) is one solution that addresses this gap and helps safeguard cardholder data. Most industry practitioners acknowledge that DLP plays a crucial role in preventing unauthorized use of data, so it should be part of the PCI compliance program and the cardholder data security policy. Given that even a single data loss incident can lead to penalties from the card brands and acquiring banks, a DLP solution should be considered as part of achieving compliance and securing the PCI environment. In this article we discuss how DLP technology can help with PCI DSS compliance.
What is Data Loss Prevention?
Data Loss Prevention, also referred to as DLP, is a technology that reduces the risk of unauthorized use of, or control over, sensitive data. It is an information security strategy that ensures internal network users do not intentionally or unintentionally access or send sensitive data outside the organization, or to unauthorized users within the same organization. DLP tools, which include monitoring, filtering, blocking, and remediation features, address the risk of inadvertent or accidental leakage of sensitive data.
How does DLP work?
Data Loss Prevention is an approach that improves information security and protects sensitive information. It prevents end users from accessing or using data without authorization, and it lets network administrators monitor the data that end users access and share. DLP solutions can classify and prioritize data and verify that access policies meet compliance requirements. DLP can be host-based (agents on endpoints, servers, databases, and so on) or network-based (an appliance that passively monitors a copy of network traffic in promiscuous mode). Depending on the design, an organization can run both host-based and network-based DLP. DLP solutions go beyond simple detection: they raise alerts, enforce encryption, and classify data.
Common features of DLP solutions that help with achieving compliance include:
- Monitoring: the tool monitors systems and data, giving visibility into who accesses which data and systems. This helps prevent unauthorized access to sensitive information.
- Filtering: the tool filters data streams to restrict suspicious or unidentified activity.
- Reporting: DLP tools provide logging and reports that are useful for incident response and auditing.
- System and data analysis: the tool identifies exposed sensitive data and suspicious behavior on systems and provides forensic reports to the security team.
DLP solutions for achieving compliance:
- Policy enforcement: DLP tools help identify gaps in existing policy, making it easier to correct misconfigurations in applications or database access.
- Meeting compliance standards: DLP tools identify gaps between current configurations and the requirements of the standard and recommend the necessary remediation.
- Data visibility: DLP tools show where sensitive data resides and how it moves, which reduces the risk of data leakage.
Bridging security gaps with DLP technologies
- DLP tools support data classification and prioritization, which in turn helps implement the necessary data security measures.
- DLP also supports a data inventory, which prevents unauthorized storage and use of data.
- DLP technology enables controlled access to, and use of, sensitive information.
- DLP can prevent data leakage to USB drives, unauthorized emails, unauthorized alteration, and unauthorized uploads to Internet websites.
How can DLP help with the PCI DSS Compliance?
The PCI DSS requirements below can be addressed by employing DLP technology as suggested (the requirement numbers in parentheses are those of the PCI DSS standard).

| # | PCI DSS requirement | How DLP helps |
|---|---|---|
| 1 | Protect stored cardholder data (Requirement 3) | A DLP discovery tool locates unencrypted cardholder data across the network. According to the organization's policies it can automatically encrypt, delete, or otherwise remediate what it finds. Scans run on a schedule or on demand across the entire network, and card data found on unauthorized users' computers is encrypted or deleted. |
| 2 | Encrypt transmission of cardholder data across open, public networks (Requirement 4) | Network DLP identifies unprotected cardholder data and encrypts it before it is sent over a public network. It also lets the administrator monitor cardholder data in motion: transfers permitted by predefined policy pass, and transfers through exit points deemed insecure are blocked. |
| 3 | Restrict access to cardholder data (Requirement 7) | DLP identifies all file shares containing unencrypted cardholder data and guides either encryption of that data or its relocation to secure storage with appropriate access controls in place. |
| 4 | Log and monitor access (Requirement 10) | The DLP tool logs attempted unauthorized transfers and other security incidents, giving the security team evidence for detection, investigation, and audit (the logs record leakage attempts; the blocking policies are what prevent them). |
| 5 | Regularly test security systems and processes (Requirement 11) | Frequent DLP discovery scans identify weak areas, raise the security baseline, and keep the organization aware of where sensitive data resides. The tool also controls unauthorized cut/paste of unencrypted data to connected devices. |
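The discovery scanning in rows 1 and 5 rests on one piece of detection logic: find candidate primary account numbers (PANs) in data at rest, discard false positives, and report findings without copying full PANs into the report (a report holding full PANs would itself be cardholder data in scope). The Python example below, added here and not code from the original article or from VISTA InfoSec, shows that logic over a constructed application log. The card numbers in the sample are the public test numbers for Visa, Mastercard and American Express; the issuer ranges in `brand_of` are deliberately coarse (an assumption; a product keeps a maintained BIN table); and the Luhn check is the standard mod-10 checksum that payment card PANs satisfy.

```python
import re
from typing import List, NamedTuple, Optional

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens. The look-around assertions stop matches inside longer digit runs.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class Finding(NamedTuple):
    line_no: int
    masked_pan: str  # first six and last four digits only; never the full PAN
    brand: str


def luhn_valid(digits: str) -> bool:
    """Luhn (mod-10) checksum, which every payment card PAN satisfies.

    A random digit run passes it only about one time in ten, so this stage
    removes most of the false positives produced by the regex.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> Optional[str]:
    """Coarse issuer ranges (assumption: a real product uses a maintained BIN table).

    Returning None for anything outside these ranges drops Luhn-valid numbers
    that are not PANs, such as device IMEIs.
    """
    length = len(digits)
    if digits[0] == "4" and length in (13, 16, 19):
        return "Visa"
    if length == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "Mastercard"
    if length == 15 and digits[:2] in ("34", "37"):
        return "American Express"
    return None


def mask(digits: str) -> str:
    """Keep the first six and last four digits, the traditional PCI DSS display limit."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> List[Finding]:
    """Run the three stages (regex, Luhn, issuer range) over each line of text."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if not luhn_valid(digits):
                continue
            brand = brand_of(digits)
            if brand is None:
                continue
            findings.append(Finding(line_no, mask(digits), brand))
    return findings


# Constructed sample: an application log such as a discovery scan might find on
# a file share. Lines 1-3 hold public test card numbers; line 4 is a 16-digit
# reference that fails Luhn; line 5 is a Luhn-valid IMEI, which is not a PAN.
SAMPLE_LOG = """\
2024-03-01 10:02:11 order=A1001 card=4111 1111 1111 1111 amount=59.90
2024-03-01 10:02:12 order=A1002 card=5555-5555-5555-4444 amount=12.00
2024-03-01 10:02:13 order=A1003 card=378282246310005 amount=200.00
2024-03-01 10:02:14 order=A1004 ref=1234567890123456 status=ok
2024-03-01 10:02:15 device imei=490154203237518 status=ok
"""


def scan_sample() -> List[Finding]:
    """Scan the constructed log; only lines 1-3 should be reported."""
    return scan_text(SAMPLE_LOG)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f.line_no}: {f.brand} PAN {f.masked_pan}")
```

The same three stages apply to file shares, databases, and mailboxes; what changes is the connector that feeds text into `scan_text`. Keeping the masking step inside the scanner, rather than in the reporting layer, is what stops the discovery output from becoming a new store of cardholder data.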
Word of Caution
Rolling out DLP is time-consuming and resource-intensive. It is not as simple as deploying hardware or software and letting it run in "discovery mode". A DLP rollout starts with a dedicated team conducting data discovery across the enterprise, identifying ingress and egress points, identifying who needs access to which data, identifying what data can be shared and in what form, and defining reporting and alerting parameters, among many others. From the results, a "Data Security Matrix" is defined. This Data Security Matrix can then become the RFP requirements for the purchase of the DLP product.
Another essential point is that DLP only protects sensitive data within the network boundary of the organization. To protect data beyond that boundary you would need a DRM (Digital Rights Management) tool. In all our years of experience, we have seen that organizations, based on their process requirements, need a blend of host-based DLP, network-based DLP, and DRM.
PCI DSS compliance is essential for organizations that handle card payments. It sets strong security measures against external threats and helps prevent data breaches. A DLP tool complements this by helping organizations discover, monitor, and control the data stored within the organization and reduce the risk from internal threats. It lets administrators see how data is being used and transferred, bringing them one step closer to compliance. PCI DSS does not mandate a DLP product, but Data Loss Prevention is a valuable supporting control for PCI DSS compliance: it ensures that cardholder data is identified, prioritized, logged, and controlled, helping organizations meet PCI DSS requirements and protect data against internal threats.
Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, CRISC) is the Founder and Director of VISTA InfoSec.