How To Secure Your Structured PCI Data
With data leaks and breaches becoming ever more widespread, knowing where all of your structured PCI data is, and then protecting it could not be of more paramount importance in today’s fast-paced world of big data. In this post, I wanted to look to help organizations better understand the measures they can take towards effectively protecting structured data. With our Smarter Data Loss prevention (SmarterDLP) modular solution organizations now have a way of fighting back and more efficiently securing their data, in a simple 3 step fashion:
1. Discover the structured PCI data
As part of PCI legislation, companies must know and have the ability to locate the whereabouts of their PCI data. As part of the SmarterDLP solution for structured data, organizations have the potential to search all databases, for rows that contain PCI data. The solution once implemented and used to discover data, returns the user a holistic view of where data is located within their systems, enabling them to take the next actionable step….
Classifying - PCI Data classification is the process of sorting and categorising data into various types, forms or access level requirements. The SmarterDLP solution enables organizations to locate, separate, order and classify their PCI data according to their specific needs.
2. Securing access to PCI data
Securing Access allows organizations to create rules for their systems which restricts data access, based upon a user’s Business ‘Need-to-Know,' which if needed can be set to “deny all” unless explicitly allowed. The solution also has the functionality to mask/tokenize PCI data when a database query returns over a set quantity of results. When the masking/tokenization tool is active, privileged users i.e. DBA’s are still able to perform the tasks they need on databases, and data from a SQL query will be returned as usual, However, the sensitive PCI data would be masked.
A further step that can be taken to ensure the security of the structured PCI data is by terminating specific database queries. The rules can be constructed on individually configured instructions (i.e. if a query returns more than ten records containing PCI then terminate the query, or terminate query if the data is searched for under a suspicious SQL Query).
3. Ongoing Monitoring of PCI Data
The SmarterDLP In-Motion module is all about being able to report on database access to PCI data. It gives the user the ability to quickly create granular or holistic (CSV and PDF format) reports and graphs, regarding the access to and usage of the organizations structured PCI data. The In-motion reporting tool gives organizations the ability to record and report on the dates, times, duration, user info, and even the specific SQL Query term used to access data. If the software detects suspicious
If the software detects suspicious behaviour, it has the added ability to send live alert messages, notifying the organization’s CISO to the accessing of the PCI data or if searched for via suspicious SQL Queries.
But do I really need to secure my structured PCI data?
The short and straightforward answer to this - Yes! And here’s why:
- Between $160 billion and $480 billion is lost annually due to data theft/leakage, and Over 85% of the time, the alleged thief is someone the organization know or employs.
- The number of cases involving the theft or leakage of PCI details from databases, CRM systems, and web applications is constantly on the rise. Most often, sensitive PCI data gets sold on the black market for criminal transactions. US Federal officials were recently quoted as saying that over 500 million financial records in the United States had been stolen between 2013-2014 alone.
- 2014 and 2015 are unfortunately now referred to by many as ‘The Years of The Data Breach’ with the first half of 2014 alone showing a 21% rise in data security breaches YoY, and this figure isn’t slowing down. Such is the scale of daily PCI data breaches and insider PCI data theft, the pressure on organizations to keep PCI data safe is at an all-time high. The PCI compliance standards aim to prevent financial information and identity theft from its source by ensuring the systems which process and store customer details, as well as transaction information, are secure. Technological flaws in networks and database security will continue, which is why the PCI compliance standard is an ongoing process which must be adhered to, to protect business operations adequately against future attempts of insider theft or hacks and data leaks.
In Summary -
As Joseph Demarest (Assistant Director of the FBI's Cyber Division) said: “Have a plan.”
The Neocol SmarterDLP solution offers organizations just that, giving them the best possible basis and core from which to formulate and build a legislatively compliant DLP plan for the Discovery, Classification, Security, and ongoing Monitoring of their structured and unstructured PCI data.
To find out more about the Neocol SmarterDLP solution, you can register for a FREE Risk Assessment today by clicking the link below or why not give one of our security experts a call today by clicking here –‘Contact us.'
