KEY ELEMENTS TO CONSIDER IN THE PCI DSS CARD DATA DISCOVERY PROCESS
Over the past few years, the industry has witnessed several high-profile data breaches. Incidents like these
serve as a reminder for businesses to prioritize data security and strengthen their business environment.
Addressing the concern of data security, the Payment Card Industry Security Standards Council (PCI SSC) issued
guidelines under the Payment Card Industry Data Security Standard (PCI DSS) for securely processing, storing,
and transmitting payment card data. As per the PCI DSS requirements, organizations in question need to
determine the scope of their PCI DSS assessment accurately and secure card data. Determining the scope
essentially involves discovering unencrypted card data and securing its source to prevent a breach or data theft.
It is interesting to note that most incidents of data breach or theft in the industry today are due to a failure to
secure data stored in undiscovered locations. This potentially exposes most organizations to a high risk of a
data breach. It is therefore essential for organizations to conduct a thorough Card Data Discovery assessment,
to identify and, if required, securely delete cardholder data that is no longer required or has exceeded its
retention period.
In this article, we have outlined key elements to consider while conducting a PCI DSS Card Data Discovery
assessment. Consideration of these elements will ensure accurate scoping and data discovery across the
environment. Before proceeding to the key elements, however, let us first define the term Card Data
Discovery (CDD), as this will make the rest of the Card Data Discovery process easier to follow.
What is Card Data Discovery in PCI DSS?
Card Data Discovery is a systematic process of scanning for, identifying, and analyzing sensitive cardholder data,
which is confidential, proprietary, and personally identifiable information. Card data typically includes the primary
account number (PAN), service code, magnetic stripe data, sensitive authentication data (SAD), card verification
code (CVV), and personal identification number (PIN). Once the data and the Cardholder Data Environment (CDE)
are discovered, the effectiveness of the controls that support the confidentiality, integrity, and availability of that
data is analyzed. The data, which may be stored in file systems, shared drives, databases, and removable media, is
then secured or deleted according to whether it is still necessary and within its retention period.
Key elements to consider in the PCI-DSS Card Data Discovery process
The Card Data Discovery process should begin with a review of the existing network diagrams, data flow diagrams,
and Cardholder Data (CHD) locations. It should also include a thorough investigation, with interviews of the
stakeholders involved in the storage, processing, and transmission of cardholder data. On completion, we either
confirm that the current scope is accurate or find that the scope has been defined far narrower than it should be.
To accurately define the scope, the Card Data Discovery Analyzer must consider the following factors.
Scan the entire organizational network-
The main purpose of conducting a card data discovery scan is to identify both known and unknown areas where
card data is stored. In all our years of assessing and consulting for PCI DSS, we have seen any number of
organizations scanning only the Cardholder Data Environment (CDE) for card data, which is quite silly if you think
about it. A CHD scan is required to confirm where in the organization CHD is stored; if you scan only your PCI
scope systems, is that in any way a confirmation that card data is not residing anywhere else in your network?
Therefore, it is essential that the scanner takes the entire organization's network into the scope of card data
discovery. This prevents ruling out any area that may unknowingly have card data stored in it. Most often, data is
discovered in the least expected areas, the ones left out of scope, and is then exposed to a security breach.
Scan across platforms-
Data could be stored anywhere: on any platform, system, or network. It is therefore essential for scanners to take
all platforms into consideration, including networks, cloud, mail servers, operating systems, database platforms,
and file systems, when scanning for card data. Ruling out any system, network, platform, or similar location
leaves it out of scope and may expose sensitive data to breach or theft.
Scan different file formats-
Sensitive data could be stored in any format (PDF, temp files, XML, PSD, TIFF, DOC, DOCX, RAM dumps) and file
type (encoded files, flat files, compressed files, database files, email files, audio files, databases of all variants
including flat files, and even image files, to name a few). As a best practice, the card discovery process should
therefore involve thorough scanning of all data storage formats and file types. Excluding any type could be a
huge risk for organizations looking to secure sensitive data.
Scan systems and applications-
Last but not least, remember not to miss scanning systems such as hard drives, pen drives, smartphones, tablets,
laptops, desktops, and other computing devices and endpoints in a Card Data Discovery assessment. It is very easy
to miss the most obvious storage location when scanning a large organization for unencrypted card data.
False Positives-
Be wary of false positives in the Card Data Discovery process. This is currently one of the major challenges in data
discovery. False positives can ruin the Card Data Discovery exercise and completely hamper the efforts to secure
data and to achieve compliance. Accuracy in data discovery is absolutely critical, because it is what allows an
organization to classify its sensitive data and secure it from exposure.
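As an added example (not VISTA InfoSec's code or tool), the scanner below shows how a Luhn check combined with issuer prefix/length rules cuts the false positives discussed above, how the file-format rule applies to compressed and encoded content (zip archives, base64 text), and why findings should be reported masked so the report itself does not become a new store of cardholder data. The issuer rules, file names and sample inputs are constructed assumptions.

```python
"""Minimal cardholder-data discovery scanner (constructed example, not VISTA InfoSec's tool).

Finds candidate primary account numbers (PANs) in raw bytes, validates them with the
Luhn check plus issuer prefix/length rules to cut false positives, descends into zip
archives and base64-encoded text, and reports only masked values so the scan report
does not itself become a new store of cardholder data.
"""
import base64
import io
import re
import zipfile

# Candidate: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run (the lookarounds skip those).
PAN_CANDIDATE = re.compile(rb"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Assumed issuer prefix/length rules (illustrative, not from the page); tune to your scope.
ISSUER_RULES = [
    ("Visa", re.compile(r"^4"), {13, 16, 19}),
    ("Mastercard", re.compile(r"^(5[1-5]|2(2[2-9]|[3-6][0-9]|7[01]|720))"), {16}),
    ("Amex", re.compile(r"^3[47]"), {15}),
    ("Discover", re.compile(r"^(6011|65|64[4-9])"), {16, 19}),
]


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(digits):
    """Return the issuer name when prefix and length match a rule, else None."""
    for name, prefix, lengths in ISSUER_RULES:
        if prefix.match(digits) and len(digits) in lengths:
            return name
    return None


def mask(digits):
    """Keep at most the first six and last four digits, mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_bytes(data, source):
    """Return masked findings for validated PANs found in raw bytes."""
    findings = []
    for m in PAN_CANDIDATE.finditer(data):
        digits = re.sub(r"[ -]", "", m.group().decode("ascii"))
        issuer = classify(digits)
        # Issuer rules and Luhn together discard timestamps, order ids and phone numbers.
        if issuer is None or not luhn_ok(digits):
            continue
        findings.append({"source": source, "issuer": issuer, "pan": mask(digits)})
    return findings


def scan_blob(data, source):
    """Scan a file's bytes, recursing into zip members and base64-encoded runs."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        findings = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                findings += scan_blob(zf.read(name), f"{source}!{name}")
        return findings
    findings = scan_bytes(data, source)
    # Encoded files: decode plausible base64 runs and scan the decoded bytes too.
    for m in re.finditer(rb"[A-Za-z0-9+/]{20,}={0,2}", data):
        try:
            decoded = base64.b64decode(m.group(), validate=True)
        except ValueError:
            continue
        findings += scan_bytes(decoded, f"{source}(base64)")
    return findings


def demo_findings():
    """Scan a constructed sample set: a zip holding a CSV export and a base64-wrapped note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Second row is a Luhn-invalid look-alike and must not be reported.
        zf.writestr("export/orders.csv", "id,card\n1,378282246310005\n2,4111111111111112\n")
    note = base64.b64encode(b"backup card: 4111 1111 1111 1111").decode("ascii")
    samples = {"archive.zip": buf.getvalue(), "notes.txt": f"ref {note} end".encode("ascii")}
    findings = []
    for name, data in samples.items():
        findings += scan_blob(data, name)
    return findings


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f['source']}: {f['issuer']} {f['pan']}")
```

The two test PANs used in the sample are the well-known Visa and Amex test numbers, so the script runs without any real cardholder data.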
© VISTA InfoSec ®
Data Discovery tools-
Many organizations we see use tools that only scan text files and email but not databases; this is unacceptable.
Organizations must use a comprehensive software tool that scans every file, format, storage location, operating
system, network, and platform across the organization. Scanning every location for unencrypted card data is
absolutely essential and vital to protecting customer payment data. Investing in the best tool for scanning and
sifting data for card data discovery can greatly benefit the business and spare it the ramifications of a data breach.
Conclusion
Organizations should carefully scan their environment so as not to rule out any location with unencrypted data
that may lead to a breach. Use the right scanning tool and adopt all necessary manual processes when scanning
the systems and networks of your organization. Take the above-mentioned key elements and factors into
consideration when carrying out card data discovery, and your organization is sure to succeed in accurately
scoping and discovering card data. Should you need any support or clarification in defining the scope of your
Cardholder Data Environment, do drop us a line at ask us [@]vistainfosec.com
facebook.com/vistainfosec/ in.linkedin.com/company/vistainfosec twitter.com/VISTAINFOSEC
Do write to us your feedback, comments and queries or, if you have any requirements:
info@vistainfosec.com
You can reach us on:
USA
+1-415-513 5261
INDIA
+91 73045 57744
SINGAPORE
+65-3129-0397

20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Rohit Gautam
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 

Recently uploaded (20)

Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 

6 Amazing Key Elements To Consider The PCI DSS Card Data Discovery Process

The card data typically includes the primary account number (PAN), service code, magnetic stripe data, Sensitive Authentication Data (SAD), Card Verification Code (CVV), and Personal Identification Number (PIN). Once the data and the Cardholder Data Environment (CDE) have been discovered, the effectiveness of the controls that support the confidentiality, integrity, and availability of that data is analyzed. The data, which may be stored in file systems, shared drives, databases, and removable media, is then secured or deleted according to its necessity and retention period.

Key elements to consider in the PCI DSS Card Data Discovery process

The Card Data Discovery process should begin with a review of the existing network, the data flow diagrams, and the known Card Holder Data (CHD) locations. A thorough investigation, including interviews with the stakeholders involved in storing, processing, and transmitting cardholder data, must also be conducted. On completion, we either confirm that the current scope is accurate or find that it has been defined far narrower than it should be. To define the scope accurately, the person or tool performing Card Data Discovery must consider the following factors.
Scan the entire organizational network – The main purpose of a card data discovery scan is to identify both the known and the unknown locations where card data is stored. In all our years of assessing and consulting for PCI DSS, we have seen any number of organizations scanning only the Card Data Environment (CDE) for card data, which is quite silly if you think about it. A CHD scan is required to confirm where in the organization CHD is stored; if you scan only your in-scope PCI systems, does that confirm in any manner that card data is not residing anywhere else in your network? It is therefore essential that the scanner takes the entire organization's network into the scope of card discovery. This prevents ruling out any area that may unknowingly have card data stored in it. Most often, data is discovered in the least expected areas, which were left out of scope and are therefore exposed to a breach.

Scan across platforms – Data can be stored anywhere: on any platform, system, or network. Scanners must therefore take all platforms into consideration, including the network, cloud, mail servers, operating systems, database platforms, and file systems, when scanning for card data. Any system, network, platform, or similar location that is ruled out remains outside the scope and may expose sensitive data to breach or theft.

Scan different file formats – Sensitive data can be stored in any format (PDF, temp files, XML, PSD, TIFF, DOC, DOCX, RAM dumps) and file type (encoded files, flat files, compressed files, database files, email files, audio files, databases of all variants including flat files, and even image files, to name a few). As a best practice, the card discovery process should therefore scan all data storage formats and file types thoroughly.
Excluding any type is a huge risk for organizations looking to secure sensitive data.

Scan systems and applications – Last but not least, do not miss out on scanning hard drives, pen drives, smartphones, tablets, laptops, desktops, and other computing devices and endpoints in a Card Data Discovery Assessment. It is very easy to miss the most obvious storage location when scanning a large organization for unencrypted card data.

False positives – Be wary of false positives in the Card Data Discovery process. This is currently one of the major challenges in data discovery. False positives can ruin the Card Data Discovery exercise and completely hamper both the effort to secure data and the effort to achieve compliance. Accuracy in data discovery is absolutely critical, because it is what allows sensitive data in an organization to be classified and secured from exposure.
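As an added example (not from the VISTA InfoSec deck), a minimal Python discovery scanner showing how the false-positive problem above is handled in practice: a broad digit pattern collects candidates, then issuer prefix/length rules and the Luhn check discard order numbers and mistyped digit runs. The issuer table and the sample text are constructed for illustration, and findings are masked so the scanner itself never retains a full PAN.

```python
import re
from typing import List, NamedTuple, Optional

# Broad candidate pattern: 13 to 19 digits with optional single space or dash
# separators. It over-matches on purpose; the checks below prune the noise.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed, illustrative issuer prefix/length rules (not a full BIN table).
ISSUER_RULES = {
    "Visa": (("4",), (13, 16, 19)),
    "Mastercard": (("51", "52", "53", "54", "55"), (16,)),
    "Amex": (("34", "37"), (15,)),
}

class Finding(NamedTuple):
    line_no: int
    issuer: str
    masked: str  # first six and last four digits only; the full PAN is not kept

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; most random digit runs of PAN length fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(digits: str) -> Optional[str]:
    """Return the issuer whose prefix and length rules match, else None."""
    for issuer, (prefixes, lengths) in ISSUER_RULES.items():
        if digits.startswith(prefixes) and len(digits) in lengths:
            return issuer
    return None

def mask(digits: str) -> str:
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_text(text: str) -> List[Finding]:
    """Report only candidates that pass both the issuer rules and Luhn."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            issuer = classify(digits)
            if issuer and luhn_ok(digits):
                findings.append(Finding(line_no, issuer, mask(digits)))
    return findings

# Constructed sample: an order id and a phone number (not PANs), a Visa test
# PAN, a mistyped copy of it that fails Luhn, and an Amex test PAN.
SAMPLE = """\
order 20240605-00017 shipped, support +1 415 555 0123
card on file: 4111 1111 1111 1111 exp 12/26
mistyped: 4111-1111-1111-1112
amex on file: 3782 822463 10005
"""
```

Running `scan_text(SAMPLE)` reports only lines 2 and 4; the order id fails the issuer rules and the mistyped Visa number fails Luhn, which is the kind of pruning a real tool needs before a finding is worth an analyst's time.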
© VISTA InfoSec ®

Data Discovery tools – Many organizations we see use tools that scan only text files and email but not databases, which is unacceptable. Organizations must use a comprehensive software tool that scans every file, format, storage location, operating system, network, and platform across the organization. Scanning every location for unencrypted card data is absolutely essential to protecting customer payment data. Investing in the best tool for scanning and skimming data for card data discovery can greatly benefit the business and spare it the ramifications of a data breach.

Conclusion

Organizations should carefully scan their environment so that no possible location of unencrypted data that may lead to a breach is ruled out. Use the right scanning tool and adopt all necessary manual processes when scanning your organization's systems and networks. Take the above key elements and factors into consideration when performing card data discovery, and your organization is sure to succeed in accurately scoping and discovering card data. Should you need any support or clarification in defining the scope of your Card Data Environment, do drop us a line at ask us [@]vistainfosec.com

facebook.com/vistainfosec/
in.linkedin.com/company/vistainfosec
twitter.com/VISTAINFOSEC

Do write to us with your feedback, comments, queries, or requirements: info@vistainfosec.com

You can reach us on: USA +1-415-513 5261, INDIA +91 73045 57744, SINGAPORE +65-3129-0397