PCI DSS compliance: What to do when agents email credit card numbers
Despite plenty of PCI DSS training, I'm concerned some of our customer service agents may email credit card numbers. I'd like to put a system in place on the email server level that prevents email messages containing card data from going out. Can you tell me what kind of technologies or tools are effective in this kind of situation?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The first step you should take is immediate remedial PCI DSS training and awareness. You must establish within your customer service organization that it is simply unacceptable to send or receive cardholder data via unencrypted email, and that individuals who do so will be dealt with severely. While it is possible to implement technical measures to combat this type of activity, creative minds will always find a way around security controls, and you should be comfortable knowing the controls are there merely as a backup to a culture of credit card security.
From a technical perspective, you may wish to consider deploying data loss prevention (DLP) technology either on your mail server or on your network to scan for messages that potentially contain unencrypted cardholder data. The unique structure of credit card numbers, which include an algorithmically recognizable checksum digit, makes them easy targets for signature-based DLP. These DLP systems can scan messages to identify those that contain credit card numbers and then take appropriate action, either blocking/quarantining the message, or automatically encrypting it and redirecting the recipient to a secure email portal. There are a wide variety of products on the market today that provide this capability, including RSA Data Loss Prevention, Cisco IronPort Data Loss Prevention and Proofpoint Enterprise Privacy. These products are widely used by Payment Card Industry Data Security Standard (PCI DSS) merchants to scan for the presence of unprotected cardholder data.
03 May 2013