To address your PCI data security concerns and achieve compliance, you need a comprehensive, end-to-end strategy for your data, aligned with the specific requirements of the PCI DSS. Not every service offers a true solution, so select the platform that has these capabilities:
1. Protects Stored PCI Data
For stored cardholder data, PCI DSS requires three things in particular. First, you must restrict access to encryption keys to the fewest custodians necessary. You need a platform that protects information across your infrastructure whether all of your data is in the cloud or split between in-house servers and the cloud. At all times you need to know where each key is stored, who has access to it, and under what circumstances that access is allowed.
Second, you must implement a sound key management process. Your platform has to give you control over how keys are handled throughout their lifecycle. Data is not secure if one person has both key and database access: once that person or their credentials are compromised, all of your data is at risk. Hardening this aspect means that no single person ever holds a complete key and that key-management operations require at least two custodians acting together, which PCI DSS calls split knowledge and dual control.
Third, you must render deleted data unrecoverable. Once cardholder data is no longer needed and is deleted, it must be securely wiped so that it cannot be recovered and used by anyone inside or outside your organization. Ideally, you will administer all three of these controls from a single data security management portal.
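The split knowledge and dual control described above, as an added example that is not HOSTING's code or any product's API. A data-encrypting key is split into XOR components, one per custodian, so that any single component is statistically independent of the key; the key is reassembled only when every required custodian presents a component, and the result is verified against a non-secret check value before it is released. Custodian names, key length and check-value format are assumptions for the example.

```python
"""Split knowledge and dual control for a data-encrypting key (DEK).

Added example, not HOSTING's code. The whole key is never held by one
custodian: each receives one component, and the key exists only inside
the key-management process while all required components are presented.
"""
import hashlib
import hmac
import secrets

KEY_BYTES = 32  # a 256-bit DEK (assumed for the example)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must be the same length as the key")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: list) -> dict:
    """Return one component per custodian such that XOR of all components
    equals the key. Every proper subset of components is uniformly random and
    independent of the key, so one custodian learns nothing (split knowledge)."""
    if len(custodians) < 2:
        raise ValueError("split knowledge needs at least two custodians")
    remainder = key
    components = {}
    for name in custodians[:-1]:
        components[name] = secrets.token_bytes(len(key))
        remainder = xor_bytes(remainder, components[name])
    components[custodians[-1]] = remainder  # fixes the XOR sum to the key
    return components


def key_check_value(key: bytes) -> str:
    """Non-secret check value recorded when the key is generated, so a
    reassembled key can be verified without keeping a copy of the key."""
    return hashlib.sha256(key).hexdigest()[:8]


def assemble_key(presented: dict, required: set, kcv: str) -> bytes:
    """Dual control: refuse unless every required custodian is present, then
    verify the reassembled key against the check value before releasing it."""
    missing = required - presented.keys()
    if missing:
        raise PermissionError(f"dual control not satisfied; missing: {sorted(missing)}")
    names = sorted(required)
    key = presented[names[0]]
    for name in names[1:]:
        key = xor_bytes(key, presented[name])
    if not hmac.compare_digest(key_check_value(key), kcv):
        raise ValueError("check value mismatch: a component is wrong or corrupted")
    return key


if __name__ == "__main__":
    dek = secrets.token_bytes(KEY_BYTES)
    kcv = key_check_value(dek)
    shares = split_key(dek, ["custodian_a", "custodian_b"])
    del dek  # the complete key is not retained anywhere
    try:
        assemble_key({"custodian_a": shares["custodian_a"]}, set(shares), kcv)
    except PermissionError as exc:
        print("single custodian refused:", exc)
    rebuilt = assemble_key(shares, set(shares), kcv)
    print("both custodians present, check value verified:", key_check_value(rebuilt) == kcv)
```

Because the XOR components are generated fresh for every split, a custodian's component by itself is indistinguishable from random bytes, and the check value lets the key-management process detect a wrong or corrupted component without ever storing the whole key for comparison.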
2. Restricts Access to Cardholder Data
PCI DSS also requires that your organization has the appropriate sub-controls to cover the access needs of each user role, and that privileged users are restricted to the least privileges necessary to perform their job responsibilities. Simply put, you need a platform that restricts access to cardholder data on a need-to-know basis.
Not everyone in your organization needs access to cardholder data, whatever their function. Your platform must therefore be able to limit each individual's access based on an identifiable and justifiable business need.
3. Enables Comprehensive Security Intelligence
PCI DSS also establishes security intelligence requirements: all access to network resources and cardholder data must be tracked and monitored.
Verizon's 2013 Data Breach Investigations Report found that 66% of breaches took months, or even years, to discover. It also found that 69% of breaches were spotted by an external party and 9% by customers. The best way to prevent breaches, or to find them quickly, is to have a platform in place that enables comprehensive security intelligence.
An effective security solution must be able to monitor, log, and report on access to cardholder data in a way that:
• Alerts you to abnormal access patterns so you can quickly determine the cause and remediate it
• Identifies compromised users, administrators, and applications so you can block their access and protect cardholder data
• Blocks accounts that impersonate administrators, so that no one can circumvent the established sub-controls
• Prevents audit logs from being paused or stopped, since a gap in the audit trail can hide unauthorized access to cardholder data
• Speeds up recognition of malicious insiders so you can stop a breach before it becomes a problem
• Supports compliance and contractually mandated reporting with a greater level of insight
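Detection logic of the kind the list above calls for, as an added example that is not HOSTING's code or a description of its platform. It runs three checks over constructed audit-log lines: access to cardholder data by a role with no need-to-know entitlement, bulk reads of cardholder data above a threshold, and any pausing or stopping of the audit log together with the length of the resulting gap. The log format, the role entitlements and the threshold are assumptions made for the example.

```python
"""Alerting over database audit-log lines for cardholder-data access.

Added example, not HOSTING's code. The log format, the entitlement policy
and the sample log below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed need-to-know policy: which roles may touch which objects.
ENTITLEMENTS = {
    "cardholder_data": {"payment_app"},
    "orders": {"payment_app", "support", "analyst"},
}
BULK_ROWS_THRESHOLD = 500                 # rows per user per log window (assumed)
AUDIT_STOP_ACTIONS = {"AUDIT_STOP", "AUDIT_PAUSE", "AUDIT_PURGE"}
AUDIT_RESUME_ACTIONS = {"AUDIT_START", "AUDIT_RESUME"}

# Constructed sample log: a support user reading cardholder data it is not
# entitled to, a bulk read by the payment application, and a DBA stopping
# and restarting the audit log.
SAMPLE_LOG = """\
2013-06-01T10:02:11Z user=payapp role=payment_app action=SELECT object=cardholder_data rows=1
2013-06-01T10:02:15Z user=jsmith role=support action=SELECT object=orders rows=12
2013-06-01T10:03:40Z user=jsmith role=support action=SELECT object=cardholder_data rows=40
2013-06-01T10:04:50Z user=payapp role=payment_app action=SELECT object=cardholder_data rows=900
2013-06-01T10:05:02Z user=dba01 role=dba action=AUDIT_STOP object=audit_log rows=0
2013-06-01T10:06:00Z user=dba01 role=dba action=AUDIT_START object=audit_log rows=0
"""


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    event["rows"] = int(event.get("rows", "0"))
    return event


def analyze(log_text: str) -> list:
    """Return (kind, user, detail, timestamp) alerts for the log text."""
    alerts = []
    rows_by_user = defaultdict(int)
    audit_stopped_at = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        # Need-to-know: a role outside the entitlement set touched the object.
        allowed = ENTITLEMENTS.get(ev["object"])
        if allowed is not None and ev["role"] not in allowed:
            alerts.append(("need_to_know_violation", ev["user"], ev["object"], ev["ts"]))
        # Audit-trail integrity: stopping the log is itself an alert, and the
        # gap until it resumes is reported so the window can be investigated.
        if ev["action"] in AUDIT_STOP_ACTIONS:
            alerts.append(("audit_log_stopped", ev["user"], ev["action"], ev["ts"]))
            audit_stopped_at = parse_ts(ev["ts"])
        elif ev["action"] in AUDIT_RESUME_ACTIONS and audit_stopped_at is not None:
            gap = int((parse_ts(ev["ts"]) - audit_stopped_at).total_seconds())
            alerts.append(("audit_gap_seconds", ev["user"], gap, ev["ts"]))
            audit_stopped_at = None
        if ev["object"] == "cardholder_data":
            rows_by_user[ev["user"]] += ev["rows"]
    # Abnormal volume: more cardholder rows than any single user should need.
    for user, rows in rows_by_user.items():
        if rows > BULK_ROWS_THRESHOLD:
            alerts.append(("bulk_cardholder_read", user, rows, None))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The bulk-read check works on a per-user total for the whole window, which is enough to show the idea; in production the threshold would come from a per-role baseline, and the need-to-know policy from the same access-control system that grants the entitlements, so that the monitor and the enforcement point cannot drift apart.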
Concerned about safeguarding your PCI data? The HOSTING compliance team stands ready to help. Contact us anytime with your questions and concerns, and download our white paper, Safeguarding PCI Data in the Cloud, for more information.