Sensitive Data Masking for PCI DSS

With strict new cybersecurity laws like the established PCI DSS, GDPR in Europe, and the Australian data privacy legislation, organizations are being held to account for the steps they take to keep people’s data safe. While these standards are certainly positive steps forward for data security worldwide, they can pose several difficult and expensive challenges for businesses. However, data security is nothing new, and there are several methods available to organizations to help them to keep their data secure. Sensitive data masking is one such method and it is an extremely effective way of ensuring that sensitive data is kept safe by rendering it impossible to interpret.

What is Sensitive Data?

Sensitive data is any information that is required to be protected because it holds value only when it is kept secret. For example, credit card data is sensitive data because it can be stolen and used by someone who does not own it, with negative consequences to the card’s actual owner. The stolen card data can be used by someone who does not own it to purchase goods and services.

Other forms of sensitive data include names, addresses, phone numbers, gender, religion and employee information. This type of data is extremely valuable to cybercriminals because it can be sold on the dark web in order for criminals to successfully assume fake identities. In many countries around the world, identity theft is a serious crime.

Organisations that store this sensitive data have a duty of care to keep this sensitive information secure because it has been entrusted to them by their customers. The aforementioned data privacy laws, like PCI DSS, set out a list of requirements to help organizations understand what they need to do in order to minimise the risk of sensitive data being lost. 

PCI DSS Security Requirements

Regulators have developed security standards like the PCI DSS in order to help protect and secure the payment card ecosystem. Understanding the requirements of PCI DSS will not only help your organization avoid hefty fines, but will ensure the safety of your customer’s sensitive data. These are the 12 requirements of the PCI DSS:

1. Protect your system with firewalls
2. Configure passwords and settings
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software 
6. Regularly update and patch systems
7. Restrict access to cardholder data to business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to workplace and cardholder data
10. Implement logging and log management
11. Conduct vulnerability scans and penetration tests
12. Documentation and risk assessments

Sensitive Data Masking Solution: Enterprise Recon

Ground Labs’ Enterprise Recon software can be used to scan for sensitive data in locations where the user would not expect to find it. The user can then remediate this information by performing sensitive data masking if it is a data type that supports masking such as a credit card number for example.

Enterprise Recon gives the user the power to take control of their data and take positive remediation action over the data they have stored in their network.

For example, credit card data is often stored by organizations in order to process transactions. This data is kept in a predetermined format such as the card number, name, CSV and expiration date. When masking this data by hashing out all but the first six last four digits of each credit card number, the data is secured by being rendered unreadable by unauthorised personnel. Masking is a destructive data remediation technique so it is important that you are aware that any masked data may be impossible to restore once it has been redacted.

Masking sensitive data can be an important part of many compliance requirements for standards such as GDPR, PCI DSS and HIPAA.

Sensitive data masking is an important step in achieving PCI compliance specifically. Data masking for credit card information is useful because it retains the format of the credit card information without revealing any usable sensitive data to hackers.

Ready to learn more about how to achieve PCI DSS compliance? Request a demo today.