PCI DSS is a set of twelve regulatory requirements—including security management, encryption, storage procedures and access policies—for safeguarding the personal information of customers who use credit cards. If your company handles credit card transactions, you must comply with these requirements.
Cardholder data is relatively easy to protect when it is stored in databases where it can be easily identified. But only about 20% of a company’s data exists in this structured form. The other 80% exists as unstructured data that is scattered across the organization.
When cardholder data finds its way into these documents, it can be difficult to identify and protect it. Worse yet, cardholder data in this form can be easily shared, copied and emailed. It can wind up in new files with different names and formats. It can be stored anywhere and everywhere. And it can end up stored in places where access permission policies aren’t always accurately or consistently applied. All of this makes it extremely difficult to ensure that PCI requirements are correctly and consistently applied to cardholder information within unstructured data.
Pattern matching tools may be capable of finding credit card numbers within unstructured data, but by themselves they are insufficient for protecting all cardholder data that is subject to PCI regulations. To fully comply with PCI requirements, you must be able to understand how these documents are used, who has access to them and where they are stored. Only then can you create and apply the policies and business practices needed to effectively protect cardholder information.
So how can you identify all documents that contain confidential cardholder data and see how those documents are being used? How can you define and automate policies that rigorously protect these documents—wherever they happen to be? And how can you document this PCI compliance to internal and external auditors?
Learn more about how NogaLogic can help you comply with PCI DSS >>>