Answer

PCI DSS compliance: What to do when agents email credit card numbers

Despite plenty of PCI DSS training, I'm concerned some of our customer service agents may email credit card numbers. I'd like to put a system in place on the email server level that prevents email messages containing card data from going out. Can you tell me what kind of technologies or tools are effective in this kind of situation?

    Requires Free Membership to View

Ask the Expert!

Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)

The first step you should take is immediate remedial PCI DSS training and awareness. You must establish within your customer service organization that it is simply unacceptable to send or receive cardholder data via unencrypted email, and that individuals who do so will be dealt with severely. While it is possible to implement technical measures to combat this type of activity, creative minds will always find a way around security controls, and you should be comfortable knowing the controls are there merely as a backup to a culture of credit card security.

From a technical perspective, you may wish to consider deploying data loss prevention (DLP) technology either on your mail server or on your network to scan for messages that potentially contain unencrypted cardholder data. The unique structure of credit card numbers, which include an algorithmically recognizable checksum digit, makes them easy targets for signature-based DLP. These DLP systems can scan messages to identify those that contain credit card numbers and then take appropriate action, either blocking/quarantining the message, or automatically encrypting it and redirecting the recipient to a secure email portal. There are a wide variety of products on the market today that provide this capability, including RSA Data Loss Prevention, Cisco IronPort Data Loss Prevention and Proofpoint Enterprise Privacy. These products are widely used by Payment Card Industry Data Security Standard (PCI DSS) merchants to scan for the presence of unprotected cardholder data.

This was first published in May 2013

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: