Despite plenty of PCI DSS training, I'm concerned some of our customer service agents may email credit card numbers....
I'd like to put a system in place on the email server level that prevents email messages containing card data from going out. Can you tell me what kind of technologies or tools are effective in this kind of situation?
The first step you should take is immediate remedial PCI DSS training and awareness. You must establish within your customer service organization that it is simply unacceptable to send or receive cardholder data via unencrypted email, and that individuals who do so will be dealt with severely. While it is possible to implement technical measures to combat this type of activity, creative minds will always find a way around security controls, and you should be comfortable knowing the controls are there merely as a backup to a culture of credit card security.
From a technical perspective, you may wish to consider deploying data loss prevention (DLP) technology either on your mail server or on your network to scan for messages that potentially contain unencrypted cardholder data. The unique structure of credit card numbers, which include an algorithmically recognizable checksum digit, makes them easy targets for signature-based DLP. These DLP systems can scan messages to identify those that contain credit card numbers and then take appropriate action, either blocking/quarantining the message, or automatically encrypting it and redirecting the recipient to a secure email portal. There are a wide variety of products on the market today that provide this capability, including RSA Data Loss Prevention, Cisco IronPort Data Loss Prevention and Proofpoint Enterprise Privacy. These products are widely used by Payment Card Industry Data Security Standard (PCI DSS) merchants to scan for the presence of unprotected cardholder data.
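As an added illustration of the checksum-based detection the answer describes (example code written for this page, not taken from any of the named DLP products), the following Python scans a message body for digit runs that look like card numbers, keeps only those that pass the Luhn mod-10 check, and returns the block/allow decision a mail-gateway hook might act on. The regex, the sample messages and the masking format are assumptions; the two card-like numbers in the samples are constructed test values.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
# Constructed pattern; production DLP engines add BIN lists and context rules.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digits-only card-number candidates that pass the Luhn check."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Luhn filters out order references, tracking numbers and similar digit runs
        if luhn_valid(digits) and digits not in hits:
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Mask a PAN for alerting/logging so the DLP log itself holds no cardholder data."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def classify_message(body: str) -> str:
    """Policy decision for the gateway: 'block' (quarantine/encrypt) or 'allow'."""
    return "block" if find_pans(body) else "allow"


# Constructed sample messages: one leaks a Luhn-valid test number, the other
# contains look-alike digit runs that fail the checksum.
SAMPLE_LEAK = "Hi, the customer's card is 4111 1111 1111 1111, exp 12/27. Thanks!"
SAMPLE_CLEAN = "Order ref 1234 5678 9012 3456 shipped; tracking 9999 8888 7777 6666."

if __name__ == "__main__":
    for body in (SAMPLE_LEAK, SAMPLE_CLEAN):
        print(classify_message(body), [mask_pan(p) for p in find_pans(body)])
```

A quarantine or encrypt-and-redirect action would replace the string returned by `classify_message`; the masked form is what should reach the incident ticket, never the full number.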