PCI DSS 2.0 Data Loss Prevention for PCI Compliance

What is PCI?

In an effort to standardize data security measures on a global basis an organization known as the Payment Card Industry (PCI) was developed. American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International were all members of the PCI organization. Together they outlined the Payment Card Industry Data Security Standard (PCI DSS), a list of requirements designed to enhance payment account data security. These requirements mandate that organizations maintain and build the following: a secure network, cardholder data protection, a vulnerability management program, an information security policy, regularly monitored and tested networks, and the implementation of strong access control measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

PCI DSS 2.0

defines the scope of assessment for PCI to include all location and flows of cardholder data.

One of the major changes in PCI DSS 2.0 is that responsibility for determining and documenting the scope for PCI DSS has shifted from the Qualified Security Assessor (QSA) to the entity (merchant, service provider, acquirer, and issuer).

The resulting scope may include the entity’s and third-party’s system components, as well as those that may not store, process or transmit cardholder data but could impact the security of the cardholder data environment

At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data and ensuring they are included in the PCI DSS scope.

These compliance requirements will actually provide security benefits by reducing risks and costs. Organizations will now have a better understanding of where cardholder data exists and how it is flowing through the network, an organization can not only reduce the scope of their PCI compliance attempts, but may possibly meet the requirements for safe harbor under state data breach notification laws.

Basic rules on PCI compliance:

PCI compliance includes merchants and service providers who accept, capture, store, transmit or process credit and debit card data.
As of September 2006, PCI 1.1 includes 12 major requirements. A single violation of any of the requirements can trigger an overall non-compliant status.
Each non-compliant incident will result in steep fines, suspension and revocation of card processing privileges.

Not all DLP solutions are the same

GTB Technologies' PCI compliance Data Loss Prevention Solution - Accuracy on all ports and protocols:

New programs requiring the use of unconventional protocols are becoming increasingly more prevalent. Furthermore, despite company policies forbidding the practice, employees frequently utilize peer to peer applications. Microsoft Networks and similar protocols, initially designed for LAN, are perfectly capable of working over the Internet. Finally, malicious applications (e.g., viruses and worms) can be utilized to transfer data across a broad variety of protocols. So supporting just SMTP, HTTP, FTP and IM is a real limitation and is NOT DLP.

GTB's rule manager contains a pre-defined PCI compliance rule, which defines PCI secure data as anything containing Personal Account Number (PAN) and a name or address
Personal Account Numbers (PAN) stored within the network and endpoint devices are discovered, exposed and protected
All outbound traffic across all network protocols is monitored for secure PCI data, with nearly 100% detection ratio and zero false positives on fingerprinted data.
PCI Data is prevented from being saved on removable media devices, such as: USB, CD/DVD or iPods
Encrypt data prior to transmission
GTB provides detailed PCI reports and role-based options that support auditing requirements

Should Your Organization be concerned about PCI Compliance?

All organizations, merchants and third party service providers who store, process and/or transmit credit/debit card data are subject to the Payment Card Industry Data Security Standard. As of January 2008, PCI compliance is a requirement and organizations that are non-compliant are subject to large fines and risk losing their ability to process credit card transactions until PCI compliance is achieved.

call us at 800.507.9926

PCI DSS 2.0 COMPLIANCE

PCI DSS 2.0 COMPLIANCE

Resources

Company

Products

Partner

Follow Us