Unstructured Data and PCI Compliance
In the 15 years since its introduction, the Payment Card Industry Data Security Standard (PCI DSS) has redefined data protection for banks, merchants, and every other organization that handles credit card data. Companies around the world design their networks, build their applications, and assign user permissions with PCI requirements in mind.
One data security risk, however, often goes unaddressed, even by organizations that take an aggressive approach to PCI compliance: credit card numbers in unstructured data.
Unstructured data (data stored in files rather than in a database) is commonly estimated to account for roughly 80% of the data volume at a typical organization, yet it gets far less attention than its structured counterpart, and it represents a largely unmanaged risk to PCI compliance and cardholder privacy.
The problem with unstructured data
Structured data is relatively easy to manage. Organizations can decide how information gets added to a database, define the data types that go into different tables and columns, and control how data is moved and manipulated within the database. These capabilities make it relatively simple to ensure that data is stored and used in compliance with PCI requirements, as long as it stays in the database environment.
Protecting cardholder data once it leaves the database, on the other hand, can be much more challenging. Most organizations lack the ability to see what types of data employees are saving in files. Those that have some visibility—companies that have implemented endpoint DLP, for example—still struggle to remediate sensitive data without breaking workflows and disrupting business processes.
That's a serious concern, because employees at banks, payment processors, merchants, and other organizations are constantly extracting credit card information from databases and saving it in files. Once data is pulled from a database, it might be copied dozens or even hundreds of times, and saved in file shares, cloud drives, removable media, and other locations. This makes it nearly impossible to ensure that credit card numbers are not being stored and shared without the protection that PCI demands.
30 computers, 74 million unprotected card numbers
How big is the problem? One global bank found out after it purchased a payment processor and started to integrate the payment processor’s systems into its IT infrastructure.
Prior to a PCI audit, the bank discovered credit card numbers in unprotected files on several user devices. To determine the severity of the issue, the bank conducted a trial implementation of PKWARE’s automated data redaction solution on 30 of the payment processor’s laptops and desktops. On those 30 user computers, PKWARE detected 4,100 unprotected files containing more than 74 million credit card numbers in all.
The solution—which allowed the bank to remediate the unprotected data and achieve 100% compliance on its PCI audit—was to redact the credit card numbers within the files, while leaving other file contents unchanged.
Automated data redaction lets organizations remove all but the first six and last four digits of a card number (for a standard 16-digit PAN, the middle six digits) as soon as the number is extracted from a database and saved in a file. PCI DSS calls this approach "truncation", and it is a practical answer to a complex challenge:
- A card number with its middle digits removed cannot be used for a transaction, so the numbers are useless to anyone who gains unauthorized access to the files.
- Because redaction cannot be reversed (no copy or mapping of the removed digits is retained), files that contain only truncated card numbers no longer fall under the scope of PCI requirements. One caveat: PCI DSS does not allow a truncated PAN and a hash of the same PAN to coexist in the environment without additional controls, since the pair could be used to reconstruct the full number.
- Redaction leaves other file contents unchanged, and eliminates the need to quarantine or encrypt files. This keeps the remaining data accessible to authorized users and reduces burdens on IT resources. (In use cases where employees may require access to unredacted credit card numbers, files can be copied to a quarantine location prior to redaction. Those quarantined copies still contain full PANs and therefore remain in PCI scope, with all the access and encryption controls that implies.)
- Organizations can use PKWARE's automated redaction technology to eliminate sensitive data from existing files, and to scan and remediate new data in real time as files are created and modified.
- Since redacted files no longer contain usable card numbers, they can be shared by email or other means without the need for potentially complex encryption, and without violating PCI requirements. Note that redaction addresses PANs only: sensitive authentication data such as CVV2 codes or full track data may never be stored after authorization, and any found in files must be deleted rather than redacted.
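The list above describes the redaction procedure in prose: find card numbers in a file, confirm they really are card numbers, and keep only the first six and last four digits. The following Python script is an added example written for this page; it is not PKWARE's code and does not show how its product works. It scans a block of text for 13- to 19-digit sequences (the assumed PAN length range, with optional space or dash separators), applies the Luhn check digit test to discard look-alike numbers such as invoice or account IDs, and truncates each surviving match in place while preserving the original separators. The sample text, the card numbers in it (standard publicly known test numbers) and the function names are constructed for the example.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
# The lookarounds stop the pattern from matching inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

KEEP_LEADING = 6   # PCI DSS truncation retains at most the first six digits ...
KEEP_TRAILING = 4  # ... and the last four; everything in between is removed.

# Constructed sample of a file an employee might save after a database export.
# The card numbers are well-known test numbers, not real accounts.
SAMPLE = """Customer export 2019-03-04
4111 1111 1111 1111, J. Doe, order 10045
5500-0000-0000-0004, A. Smith, order 10046
378282246310005 (Amex), B. Lee, order 10047
Invoice number 1234567890123456 is not a card
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(raw: str) -> str:
    """Keep the first six and last four digits and replace every other digit
    with X. Separators are left in place so the redacted value keeps the
    layout of the original, which matters for fixed-width and CSV files.
    The X characters carry no information; the removed digits are gone."""
    n = sum(1 for c in raw if c.isdigit())
    out = []
    seen = 0
    for c in raw:
        if c.isdigit():
            if KEEP_LEADING <= seen < n - KEEP_TRAILING:
                out.append("X")
            else:
                out.append(c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def redact_text(text: str):
    """Replace every Luhn-valid PAN candidate in text with its truncated form.
    Returns (redacted_text, number_of_pans_truncated)."""
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        digits = "".join(c for c in m.group(0) if c.isdigit())
        # A digit run that fails the length or Luhn check is almost certainly
        # not a card number: leave it untouched to avoid breaking the file.
        if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
            return m.group(0)
        count += 1
        return truncate_pan(m.group(0))

    return PAN_CANDIDATE.sub(_sub, text), count


if __name__ == "__main__":
    redacted, n = redact_text(SAMPLE)
    print(f"{n} card numbers truncated")
    print(redacted)
```

Run on the sample, the script truncates the three real-format card numbers (for example "4111 1111 1111 1111" becomes "4111 11XX XXXX 1111") and leaves the Luhn-invalid invoice number alone. In production the same detection logic would run against file contents on shares and endpoints rather than a string literal, and any match that should be preserved unredacted would be copied to a quarantine location, which then remains in PCI scope, before the original file is rewritten.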