to PCI Can Be
What is PCI?
PCI = Payment Card Industry (the card brands: Visa, Mastercard, Discover, etc.)
DSS = Data Security Standard
PCI compliance means adherence to the PCI DSS, which is created and revised
by the PCI Security Standards Council.
The Council was founded by the card brands but operates independently of them.
Adherence is validated by Qualified Security Assessors (QSAs) for larger
merchants and service providers; smaller merchants typically validate with a
Self-Assessment Questionnaire instead.
SIX control objectives, TWELVE requirements
Control objectives:
1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy
Restrict access to cardholder data on a business need-to-know basis.
of PCI compliance
to Google Apps
Aids document creation and
Improved communication and
Where organizations fail to meet PCI requirements, and how Google Apps can help
Google Apps was not specifically designed to handle credit card transactions,
but its built-in features can make compliance easier for sensitive data a
company stores or transmits. Using a cloud provider does not shift
responsibility: the company remains accountable for its own compliance, and
any provider that stores, processes or transmits cardholder data on its behalf
must be managed as a third-party service provider under the PCI DSS.
HERE ARE THREE IMPORTANT AREAS . . .
Google Drive: data needs careful management. Files are not automatically
purged, so cardholder data can outlive any business need for it; third-party
tools can automate retention and deletion.
Google Vault: controls access to and retention of email and stored chats.
A Vault retention rule keeps data for its full term, so set retention no
longer than the business requires, since the PCI DSS limits how long
cardholder data may be kept.
Google Admin: controls whether credit card data may be sent, and can detect
and block outgoing messages and attachments that contain it.
Protect cardholder data
Data needs protection both in storage and in transmission.
Implement strong access control measures
Admins can grant access to specific users and groups on a per-app or
per-file basis.
STANDARD PRACTICE REQUIRES
Limiting access to business need-to-know only
Revoking access immediately when employees leave
Enforcing sufficient password complexity, plus a second factor (2-Step
Verification) for administrators and anyone with access to cardholder data
Ensuring employees are aware of the requirements
Track and monitor access to cardholder data
The Admin console audit log records every admin action in the company's domain.
Regularly scan all data stored in Google Apps for sensitive data (e.g., credit
card numbers).
Review transmission of sensitive data within the network to identify security
lapses or risks.