Why Data Discovery is Essential for PCI DSS Compliance

PCI DSS Compliance and Its Data Security Requirements

While most data privacy laws cover a broad range of personal data attributes, PCI DSS governs only the attributes related to payment card processing, and it mandates controls to secure the sensitive data that is stored as a result of payment card transactions.

12 PCI Data Security Requirements

PCI DSS mandates that all merchants and payment card processing services ensure the safe and secure collection, transmission, and processing of cardholders’ data. It lays down 12 requirements, grouped under 6 goals, and every merchant and payment card processing service must comply with them:

Build and Maintain a Secure Network

  • Payment card processing services and merchants are required to ensure strict security measures by setting up firewalls. Firewalls are the first line of defense against unauthorized incoming and outgoing traffic on a network. By setting up rules and policies, firewall configuration can be hardened for improved data security.
  • PCI DSS further mandates that vendor-supplied default security configurations must not be left in place: they should be changed on existing and new systems. The standard also requires merchants and service providers to maintain an inventory of all systems and their configurations.

Protect Cardholder Data

  • Merchants and sellers are required to ensure optimal protection of cardholders’ data. This can be achieved by locating where the data resides and determining whether it needs to be truncated, encrypted, hashed, or erased altogether.
  • Beyond protecting data at rest, merchants and service providers must also encrypt cardholder data in transit. Whenever cardholder data moves across public or open networks, it must be protected with strong cryptographic protocols, such as TLS or SSH.

Maintain a Vulnerability Management Program

  • All systems, both on-premises and remote, need to have an antivirus or anti-malware application installed. These applications must be kept up to date with the latest virus definitions so that the systems and the cardholder data residing on them stay protected against known and new malware.
  • Merchants and service providers need to develop and maintain a security system that regularly scans and protects against security vulnerabilities. It is critical that all systems, such as POS terminals, computers, or routers, have the latest security patches installed.

Implement Strong Access Control Measures

  • A strict access control system should be maintained to ensure that the cardholders’ data is accessible to users on a need-to-know basis. Access control allows system administrators to reduce the chances of unauthorized access to cardholders’ sensitive information. This further requires the concerned entities to maintain a record of each person, their role, and access privileges.
  • The same requirement further mandates that the system administrators must assign unique IDs and passwords to users with access to sensitive information. This allows administrators to maintain a strict record of all activities and trace any abnormality or security breach.
  • PCI DSS requires merchants and service providers to restrict users’ physical access to sensitive data. This can be done by ensuring physical access control practices, such as keeping logs, using CCTV surveillance, etc.

Regularly Monitor and Test Networks

  • This PCI DSS requirement obliges service providers and merchants to maintain a strict audit policy and to keep system logs, so that information security teams can effectively monitor the logs for suspicious activity.
  • It further requires frequent monitoring of systems and testing for security vulnerabilities and exploits.

Maintain an Information Security Policy

  • The final requirement mandates that the merchants and service providers must establish and implement security policies for every employee, vendor, and contractor. This calls for background checks on personnel, regular risk assessments, etc.

The Need for Effective Data Discovery for PCI DSS Compliance

PCI DSS requires that the sensitive cardholder data an organization collects, stores, and processes during and after a transaction be protected at all times. To comply, organizations must meet the data security requirements discussed above, and each of the following depends on first knowing where cardholder data resides:

  • Security posture/assessment
  • Encryption or alternate security implementation
  • Vulnerability assessment

Important Data Discovery Considerations for PCI Compliance

Before starting the PCI DSS card data discovery process, it is vital to define the scope of cardholder data (CHD) discovery and classification. Merchants and service providers can define an accurate scope by taking into account the following considerations:

  • Apart from taking an organization-wide scan, the discovery process should cover all the devices, platforms, and operating systems where the data may exist. Ruling out any device or platform may result in exposure to security risks.
  • Another important factor to consider is the file type and format. A cardholder’s data could exist in any format or type. The data discovery process should be able to recognize and classify every type of format so that no data remains undetected, and thus, exposed.
  • Cardholder data can exist anywhere in structured and unstructured systems, so there is a high chance that a discovery tool will produce false positives: data that matches the pattern the tool is searching for but is not actually cardholder data.
  • If a cardholder’s data is breached, the organization might have to provide notification to the cardholder as per applicable data breach notification laws and might even have to offer risk mitigation services (ID theft insurance, etc.). Thus the data discovery tool should be able to link cardholder’s data back to the cardholder’s identity, using auto PI linking and sensitive data intelligence, to ease reporting requirements.
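The false-positive problem above, together with the truncation option mentioned under Protect Cardholder Data, is easy to see in a small discovery pass. The following is an added example and not Securiti's code: it runs a digit-pattern search over a few constructed text sources (the card numbers are public test numbers; the file names, the serial-number decoy, and the `SAMPLE_SOURCES` dictionary are assumptions made for the example), drops candidates that fail the Luhn checksum, and truncates every reported PAN to its first six and last four digits so the discovery report does not itself become a new store of cardholder data.

```python
"""Minimal cardholder-data (PAN) discovery pass over text sources.

Added example, not Securiti code. It shows two points from the article:
- a naive digit-pattern match produces false positives, and a Luhn
  checksum filters most of them;
- a discovery report should truncate the PAN (first six / last four)
  so the report itself does not become a new store of cardholder data.
"""
import re
from dataclasses import dataclass

# Constructed sample sources standing in for files a scanner would read.
# The card numbers are public test numbers; the serial number is a decoy
# that matches the digit pattern but fails the Luhn check.
SAMPLE_SOURCES = {
    "crm/notes.txt": "Customer called about card 4111 1111 1111 1111, exp 12/26.",
    "logs/app.log": "order_id=4111111111111112 ts=1700000000 amount=19.99",
    "exports/orders.csv": "id,card\n1,5555-5555-5555-4444\n2,378282246310005\n",
    "docs/readme.md": "Serial number 1234567890123456 is not a card.",
}

# 13-19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(digits: str) -> str:
    """Keep the first six and last four digits and mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    source: str
    masked_pan: str
    luhn_ok: bool


def scan_text(source: str, text: str) -> list[Finding]:
    """Return one Finding per PAN candidate in text, flagging Luhn failures."""
    findings = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if not 13 <= len(digits) <= 19:  # defensive; the regex already bounds this
            continue
        findings.append(Finding(source, truncate_pan(digits), luhn_valid(digits)))
    return findings


def scan_sources(sources: dict[str, str], drop_false_positives: bool = True) -> list[Finding]:
    """Scan every source; optionally drop candidates that fail the Luhn check."""
    results = []
    for name, text in sources.items():
        for finding in scan_text(name, text):
            if drop_false_positives and not finding.luhn_ok:
                continue
            results.append(finding)
    return results


if __name__ == "__main__":
    # Show every candidate, including the ones a Luhn check would discard.
    for finding in scan_sources(SAMPLE_SOURCES, drop_false_positives=False):
        status = "PAN" if finding.luhn_ok else "false positive"
        print(f"{finding.source:20} {finding.masked_pan:22} {status}")
```

Run as a script, it lists five candidates, of which two (the altered order id and the serial number) fail the Luhn check; `scan_sources` with the default setting returns only the three genuine test PANs, each already truncated. A Luhn check is only a first filter: a real discovery tool still needs the contextual inference the article mentions, because random digit runs pass Luhn about one time in ten.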

Securiti Data Discovery Finds Personal and Sensitive Data Across SaaS, Hybrid, and Multi-Cloud

Securiti offers an AI-powered robotic data discovery tool, built to scan data in structured and unstructured systems across an organization’s dynamic environment. Along with sensitive data intelligence and Personal Information auto-linking, Securiti’s data discovery tool discovers Personal Information within structured or unstructured databases, identifies the type of data, appends security and privacy metadata to it, scores it according to the risk it poses, and auto-links it to the data subject’s ID. Thus, with our Data Discovery tool, organizations can:

  • Use native connectors to integrate with data assets for efficient cardholder data discovery.
  • Remove false positives using contextual inference that assesses detections.
  • Label predefined attributes to discovered cardholder data.
  • Identify authentication and non-authentication data attributes for PCI regulatory compliance.
  • Link card data to relevant cardholders for compliance with breach notification, consent management, and other applicable data privacy obligations.
  • Assess the security posture of the discovered cardholder data to recommend security measures.
  • Govern access control to cardholders’ data from a single dashboard.
