Despite plenty of PCI DSS training, I'm concerned some of our customer service agents may email credit card numbers....
I'd like to put a system in place on the email server level that prevents email messages containing card data from going out. Can you tell me what kind of technologies or tools are effective in this kind of situation?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The first step you should take is immediate remedial PCI DSS training and awareness. You must establish within your customer service organization that it is simply unacceptable to send or receive cardholder data via unencrypted email, and that individuals who do so will be dealt with severely. While it is possible to implement technical measures to combat this type of activity, creative minds will always find a way around security controls, and you should be comfortable knowing the controls are there merely as a backup to a culture of credit card security.
From a technical perspective, you may wish to consider deploying data loss prevention (DLP) technology either on your mail server or on your network to scan for messages that potentially contain unencrypted cardholder data. The unique structure of credit card numbers, which include an algorithmically recognizable checksum digit, makes them easy targets for signature-based DLP. These DLP systems can scan messages to identify those that contain credit card numbers and then take appropriate action, either blocking/quarantining the message, or automatically encrypting it and redirecting the recipient to a secure email portal. There are a wide variety of products on the market today that provide this capability, including RSA Data Loss Prevention, Cisco IronPort Data Loss Prevention and Proofpoint Enterprise Privacy. These products are widely used by Payment Card Industry Data Security Standard (PCI DSS) merchants to scan for the presence of unprotected cardholder data.
Related Q&A from Mike Chapple
The updated HITRUST Common Security Framework allows organizations to manage privacy, security and compliance with one framework. Here's how it works...continue reading
A HIPAA audit covers privacy compliance, and organizations need to be prepared. Expert Mike Chapple discusses privacy in the audits.continue reading
A data breach warranty may seem like a tempting way to survive a costly attack, but it may not be all it's hyped up to be. Expert Mike Chapple ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.