3 Ways To Secure Your Unstructured PCI Data

PCI stands for two things - Payment Card Information or Protection Critical Information, and this is something many businesses aren’t sure how to effectively protect and secure when in unstructured data formats.

Protecting unstructured content and your company’s other sensitive data is key in today’s modern business world, and its importance is growing all the time, with the volume of unstructured data growing at around 62% per year. Furthermore, the importance of effectively protecting sensitive data has been magnified most recently with monumental data security failings of the  Panamanian law firm Mossack Fonseca and the Panama papers leak.

In this latest post, we look to help merchants and organizations who have a legitimate reason to store sensitive data better understand the measures they can take towards effectively protecting their unstructured PCI data. With our new SmarterDLPTM solution organizations now have a multitude of ways to protect and secure their unstructured PCI data. We wanted to introduce and discuss three technology types available to ensure your data is only available, accessible, or viewable to the employees who need it while ensuring the PCI data is completely protected even outside of your network.

Tokenization

What is tokenization?

Tokenization regarding PCI data security is the process of substituting sensitive credit card information with a unique generated placeholder, or “token” — much like emptying a warehouse so that a thief has nothing to steal. Tokenization technology can be used and applied to sensitive data of all kinds including bank transactions, medical records, criminal records, financial data and stock trading information. The Tokens have no meaning by themselves and are worthless to criminals if a company’s system is breached in any way. For example, if a customer’s actual credit card number was 8154 3545 5555 6565, it might become BGKV234AOD54POU when a token is produced. The token is randomly generated and there is no set of rules to regain the original card number — There is no code to crack or way of hackers reversing the process to regain the actual credit card number, even if they were to grab the tokens off your servers. Tokenizing is a simple and effective way of protecting unstructured content and data in you systems.

 How do I tokenize my PCI data?

There are numerous tokenization solutions out there which will enable you to tokenize and secure your unstructured PCI data (assuming you know where it is). However, our new SmarterDLPTM solution not only can tokenize unstructured and structured PCI data but also has the unique ability to discover the sensitive PCI data for you in the first place, saving you time, money, and effort.

 Is Tokenization right for my business?

This technology is particularly suitable for CNP - Client NonPresent transactions (A CNP transaction is one where the cardholder and the card are not present at the point-of-sale), particularly where merchants have repeat billing, such as card-on-file and e-commerce situations. Examples: Sales made over the Internet, Telephone orders, Mail order.

Redaction

What is PCI Redaction?

Redaction is the removal, covering, or hiding of your PCI sensitive data within a document or database. Redaction (as seen above) is most commonly known as blacking out the problematic /sensitive info within your structured or unstructured data. Traditionally, redaction meant cutting out sections of a document or using a black marker to obscure the confidential information and then photocopying/scanning the redacted document into your system.

 What to look for in redaction software?

So what’s important in PCI redaction software, one key question for you to answer, is, do you deal with large-scale data sets? If the answer is ‘yes’, then your redaction software should include:

• The ability to work with multiple file formats such as Word, Excel, PDF, TIFF, image files, and CAD drawings
• Text-based searching for specific words or word strings to be marked for redaction
• Text-pattern recognition of predefined text to be redacted, such as personal addresses and credit card numbers
• The ability to create nonstandard pattern searches
• Zone-based redaction to designate specified areas that are consistent from document to document

When is PCI Redaction useful?

A prime example: One of your sales team receives an email order from a customer, volunteering their credit card and address details, happens occasionally right? What if I told you this is a serious risk for both you and the customer? The reason for this is that the PCI data is outside of a controlled network. The problem can be multiplied further if your employee replies to/or forwards an email containing the unstructured PCI information inside or outside your organization over sometimes open and even public networks (the data is at risk even if your employee it is just sending a response to the sender).

Similar violations can also occur when a customer submits their payment card information through your organization’s potentially non-compliant “contact us” website forms or even your social media platforms. These front end applications often feed into other systems which store and therefore multiply the card data throughout your servers, such as marketing automation and CRM tools. The point we’re making here is that you now have unprotected unstructured PCI data distributed throughout your environment that now needs to be Discovered, Secured and potentially Redacted to keep your customers safe and business legislatively compliant.

 Is Redaction right for my business?

Automated PCI Redaction systems are a useful tool for all organizations that deal directly with or hold credit card details on their customers. With a PCI compliant redaction tool, there is no need for manual redaction, which is not only time consuming but also fails to offer any guarantee of the accuracy. Redaction tools would be useful for large businesses who regularly receive email orders, or who have multiple front end contact platforms that receive customer orders/ and information on a daily basis.

Encryption

What is PCI Data Encryption:

Encrypting PCI data gives organizations the ability to scramble data in such a way that only someone with certain passwords, security clearances or access rights can see and access the data. Today, encryption is more important and more sophisticated than ever before, allowing individuals and organizations to securely pass data from one place to another without anyone else being able to access or read it. Encryption adds an extra layer of security when someone attempts to raid your PCI data. All data formats and storage devices should be encrypted to prevent internal and external hackers from accessing and leaking information that could be potentially harmful to both your organization and your clients.

 Is PCI Data Encryption right for my business?

PCI data Encryption has become particularly prevalent in recent years with the dramatic increase of e-commerce businesses, as it allows confidential information such as credit card details to be sent securely and stored by the e-commerce retailer. However, encryption isn't just necessary for front end systems; it is also potentially vital within organizations to ensure that certain PCI data is only accessible and readable to those with certain access rights, security clearances, or passwords.

Another major consideration for big organisations is the fact you do not need to tell your subscribers about a breach if you can demonstrate that the data was encrypted or made unintelligible by a similar security measure

Is there a smart way to encrypt my data?

Yes. The Neocol SmarterDLP solution provides powerful encryption capabilities to help you safeguard your structured and unstructured data to comply with industry and regulatory requirements. Furthermore, the software implements encryption and decryption operations with minimal performance and business impact requiring no changes to your databases, applications or networks.

In conclusion

No business is safe from the risk of unstructured data theft. Every day, employees import and share data in all formats, from documents to spreadsheets, video to email. Content is shared internally and with vendors, customers, partners and more.  It’s easy to lose track of this rapidly changing and moving data type, but with SmarterDLP organizations can now easily Tokenize, Redact, or encrypt their PCI data. This flexible and all-encompassing solution allows organizations and their security teams the ability to rest easy, safe in the knowledge that they have full visibility of where all their PCI data is at all times, and that it is 100% secure no matter the file size, document type or storage device.

The Neocol SmarterDLP offers:

• Protection of important content both within and once it leaves your firewall
• The ability to change or revoke permissions, regardless of where the content is now
• Easily search, find and protect sensitive, unstructured data across the business.
• Automatically apply customizable content classification.
• Catch compliance violations and reduce risk to your organization.

To register for a free risk assessment or to find out more about the Neocol SmarterDLP solution, simply click the link below, or why not give one of our friendly security experts a call today – ‘Contact us.'