Despite plenty of PCI DSS training, I'm concerned some of our customer service agents may email credit card numbers....
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
I'd like to put a system in place on the email server level that prevents email messages containing card data from going out. Can you tell me what kind of technologies or tools are effective in this kind of situation?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The first step you should take is immediate remedial PCI DSS training and awareness. You must establish within your customer service organization that it is simply unacceptable to send or receive cardholder data via unencrypted email, and that individuals who do so will be dealt with severely. While it is possible to implement technical measures to combat this type of activity, creative minds will always find a way around security controls, and you should be comfortable knowing the controls are there merely as a backup to a culture of credit card security.
From a technical perspective, you may wish to consider deploying data loss prevention (DLP) technology either on your mail server or on your network to scan for messages that potentially contain unencrypted cardholder data. The unique structure of credit card numbers, which include an algorithmically recognizable checksum digit, makes them easy targets for signature-based DLP. These DLP systems can scan messages to identify those that contain credit card numbers and then take appropriate action, either blocking/quarantining the message, or automatically encrypting it and redirecting the recipient to a secure email portal. There are a wide variety of products on the market today that provide this capability, including RSA Data Loss Prevention, Cisco IronPort Data Loss Prevention and Proofpoint Enterprise Privacy. These products are widely used by Payment Card Industry Data Security Standard (PCI DSS) merchants to scan for the presence of unprotected cardholder data.
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
Are nonprofit organizations, like higher education institutions, subject to FTC cybersecurity regulations and oversight? Expert Mike Chapple explains.continue reading
It's important for healthcare organizations to have a clear social media policy. Expert Mike Chapple explains what needs to be in the policy to stay ...continue reading
SOC 2 evaluations can be helpful tools for organizations assessing their HIPAA compliance, but companies should not solely rely on them. Compliance ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.