BY Niall Rooney | 29/03/2019
The payment card industry, by nature, is awash with sensitive personal data. Primary Account Number (PAN), Cardholder Name, Expiry Date, CVV/CVV2 codes along with many other fields about the customer are all stored, transmitted and processed in some way during any transaction involving the use of a credit card or debit card.
This is an unavoidable aspect of commerce. The question is, how is the extremely valuable personal data from this transaction being secured?
During the dot-com boom, real-time online payments became a mainstream way to pay for goods and services. Unfortunately, this was promptly followed by a massive increase in credit card fraud, stemming from the growing number of security breaches businesses suffered because they had not secured their websites properly. Each major payment brand began to create its own security standard, such as Visa AIS and Mastercard SDP; however, these were disparate standards that merchants did not give appropriate focus.
It wasn’t until 2006 that the major credit card brands joined together to create a single common standard to combat this fraud, which we now know as the Payment Card Industry Data Security Standard (PCI DSS). It sets out guidelines on best practices for companies that store, transmit or process cardholder data.
Within a year of the founding of the payment card industry’s flagship security standard, Ground Labs was born exclusively to research techniques for discovering cardholder data for PCI DSS, using approaches not used before. The result of these efforts was a portable USB executable tool of a kind data discovery had never seen before, which we named Card Recon. Within a relatively short period, Card Recon became the most used cardholder data discovery tool among PCI security assessors (PCI QSAs) globally.
Fast-forward 10 years and things have changed significantly. Because networks are formed, applications are built and business processes change at such a rapid pace, ad-hoc or one-off scanning for sensitive data is no longer acceptable. Organisations today are required to maintain constant vigilance over the data they store and, more importantly, to keep it secure.
The PCI DSS can be a difficult security standard to adhere to. Ground Labs has created a solution that can assist you in achieving PCI compliance by helping you to find and secure this sensitive data wherever it rests on your network.
Ground Labs is a global leader in PCI scanning and is trusted by a large number of QSAs worldwide, who use our tool to help their customers with compliance audits.
We scan for all the major card brands that fall under PCI compliance. The organisations responsible for devising and upholding this standard are Visa, MasterCard, American Express, Discover, and JCB International.
We specifically identify and highlight track 1 and track 2 magnetic stripe data.
In accordance with PCI DSS, this magnetic stripe data can never be stored on a network. Enterprise Recon allows administrators to securely delete this information so that it cannot be retrieved, helping organisations achieve a PCI compliant environment and avoid incurring fines.
Enterprise Recon can also assist organisations with their business-as-usual approach to compliance. Scans can be scheduled on a regular basis to find sensitive data, including PCI data. This process can greatly reduce the time it would take to manually search for and return sensitive personal data across networks of any size.
Ground Labs understands that PCI compliance is about constant vigilance and management of sensitive data. The scheduling function allows a process to be put in place to regularly find and return sensitive data, ensuring that no PCI data is left unattended.
The next step involves managing the cardholder data once it has been found. Enterprise Recon offers several extremely efficient remediation options to mask, encrypt or permanently delete found data.
The mask function allows the user to redact information found in matches. The example shown here illustrates a series of credit card numbers being redacted in Enterprise Recon. Once the data has been obfuscated, it cannot be stolen and used by attackers, and PCI compliance has been achieved.
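To make the discovery and masking steps concrete, here is an added example that is not part of the original post and not Ground Labs' own code. It does the same kind of work described above for the five PCI brands: it finds candidate card numbers in text, validates them with the Luhn check digit, attributes them to a brand using commonly cited public prefix ranges (an assumption; a real product uses an authoritative BIN table), flags ISO 7813 track 1 and track 2 magnetic stripe records, and masks every validated PAN down to its last four digits. The sample export and the track records are constructed; the card numbers are the well-known test numbers for each brand.

```python
import re

# Simplified issuer prefix rules for the five brands behind PCI DSS.
# Assumption: commonly cited public IIN ranges, not an authoritative BIN table.
BRAND_RULES = [
    ("American Express", re.compile(r"^3[47]\d{13}$")),
    ("JCB", re.compile(r"^35(?:2[89]|[3-8]\d)\d{12}$")),
    ("Discover", re.compile(r"^(?:6011\d{12}|65\d{14}|64[4-9]\d{13})$")),
    ("MasterCard", re.compile(r"^(?:5[1-5]\d{14}|2(?:22[1-9]|2[3-9]\d|[3-6]\d{2}|7[01]\d|720)\d{12})$")),
    ("Visa", re.compile(r"^4\d{12}(?:\d{3})?$")),
]

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# ISO 7813 track layouts: track 1 = %B<PAN>^<NAME>^<YYMM>..., track 2 = ;<PAN>=<YYMM>...
TRACK1 = re.compile(r"%B(\d{12,19})\^([^^?]{2,26})\^(\d{4})")
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check digit validation; rejects most random digit runs such as order IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(pan: str):
    """Return the brand name for a PAN, or None if it matches no known prefix/length."""
    for name, rule in BRAND_RULES:
        if rule.match(pan):
            return name
    return None


def classify(candidate: str):
    """Strip separators and return the brand if the candidate is a plausible PAN, else None."""
    pan = re.sub(r"[ -]", "", candidate)
    return brand_of(pan) if luhn_valid(pan) else None


def find_pans(text: str):
    """Return (pan, brand) pairs for every Luhn-valid, brand-matching number in the text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        brand = classify(m.group(0))
        if brand:
            hits.append((re.sub(r"[ -]", "", m.group(0)), brand))
    return hits


def find_track_data(text: str):
    """Return track 1 / track 2 records, which PCI DSS never permits to be stored after authorisation."""
    found = []
    for m in TRACK1.finditer(text):
        found.append({"track": 1, "pan": m.group(1), "name": m.group(2), "expiry": m.group(3)})
    for m in TRACK2.finditer(text):
        found.append({"track": 2, "pan": m.group(1), "expiry": m.group(2)})
    return found


def mask_pan(candidate: str, keep_last: int = 4) -> str:
    """Replace every digit except the last `keep_last` with '*', preserving separators."""
    total = sum(ch.isdigit() for ch in candidate)
    seen = 0
    out = []
    for ch in candidate:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - keep_last else "*")
        else:
            out.append(ch)
    return "".join(out)


def redact(text: str) -> str:
    """Mask every validated PAN in place; digit runs that are not card numbers are left untouched."""
    def _sub(m):
        return mask_pan(m.group(0)) if classify(m.group(0)) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


# Constructed sample export; the card numbers are the publicly known test numbers for each brand.
SAMPLE = (
    "visa: 4111 1111 1111 1111 exp 12/25\n"
    "amex: 378282246310005\n"
    "order id 1234567890123 is not a card\n"
    "track1: %B5555555555554444^DOE/JOHN^2512101?\n"
    "track2: ;6011111111111117=2512101?\n"
)

if __name__ == "__main__":
    for pan, brand in find_pans(SAMPLE):
        print(f"{brand:16} {mask_pan(pan)}")
    for rec in find_track_data(SAMPLE):
        print("track data found:", rec)
    print(redact(SAMPLE))
```

The Luhn check is what keeps the 13-digit order ID out of the results; the brand rules then discard Luhn-valid numbers that no PCI brand issues. Note that masking with the last four digits visible is the usual PCI DSS display form, but a track 1 or track 2 record still has to be deleted outright, since the standard forbids storing it at all.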
Encryption uses the Advanced Encryption Standard (AES). Data nominated for encryption in Enterprise Recon is migrated into an AES-encrypted zip file. To doubly confirm that this sensitive data has been secured, running the exact same scan again to find the data that was just encrypted yields no result. The data is locked down and cannot be found, showing that it has been carefully secured with PCI DSS in mind.
The delete function allows users to safely remove sensitive data from their network. For example, if an organisation that works with cardholder data on a daily basis sets up a scan and finds several instances of magnetic stripe track 1 and track 2 data, under PCI DSS it must remove them immediately, as this data cannot be stored. The ‘delete permanently’ function deletes all selected sensitive data and replaces it with an empty tombstone file, ensuring that the sensitive data cannot be retrieved.
Enterprise Recon helps organisations to keep careful watch over the sensitive personal data that they store. The remediation functions then allow the user to take positive action with this data and ensure that it cannot be stolen if a data breach is suffered.
For more information and a free product demonstration, please visit:
As companies all around the world continue to have large portions of their workforce remote, the need to keep their data safe and protected is even more critical. To help companies navigate this new reality and mitigate security risks, we are providing a 90-day complimentary version of our flagship solution, Enterprise Recon. Learn more about it here.