PCI-DSS v1.2 Brings Cardholder Data Contained in Emails under the Purview of Corporate Auditors


The risks inherent to the payment card industry (PCI) and to the consumers who use credit cards are well documented. High-profile breaches such as the TJX data breach are a painful reminder of the importance of securing consumer information and of the need for security standards such as the Payment Card Industry Data Security Standard (PCI-DSS). Originally created when Visa, MasterCard, Discover, American Express and JCB aligned their individual data security programs, the standard was updated to version 1.2 in October 2008 with clarifications and changes that address today's payment card security challenges. One example is that anti-virus software is now required on all systems commonly affected by malware, regardless of operating system type.

PCI-DSS compliance levels depend on the number of card transactions a company processes in a 12-month period. That volume determines the merchant level (1-4) the company falls into and, in turn, the validation steps it must take (an annual on-site assessment for Level 1; a self-assessment questionnaire for the lower levels). Using the PCI-DSS framework in the risk assessment process provides 12 specific requirements organized into six control objectives, the last of which calls for maintaining and enforcing an information security policy covering cardholder data.

Compliance in this area, together with the logging and monitoring requirements (Requirement 10) that the policy must cover, calls for companies to:

  • Securely collect and store cardholder data. Companies need to ensure all collected data logs are secure and available for audit review and analysis. This includes a log management policy covering how the logs will be stored and reviewed, separation of log review duties, how long logs will be retained (PCI-DSS requires at least one year, with three months immediately available for analysis), and proper access controls over the logs. Cardholder data at rest must be rendered unreadable (for example, with strong encryption or truncation) with proper key management controls in place, and sensitive authentication data such as full track data, card verification codes and PINs must never be stored after authorization, even in encrypted form. Any logs relating to key management should be reviewed for compliance with key change policies.
  • Report on the status of the archived cardholder data. Companies must prove compliance to the auditor by providing evidence that proper security controls are in place and protecting cardholder data. Among the events an auditor will look for in the audit trail are: all individual user accesses to cardholder data; all access to the audit trails themselves; use of identification and authentication mechanisms; and creation and deletion of system-level objects.
  • Monitor and alert on how archived cardholder data is accessed. Monitoring and alerting are crucial to PCI-DSS compliance. Auditors will examine: the access controls on cardholder data and how that access is monitored; physical controls on areas that contain cardholder data; the technologies in place to alert when cardholder data has been accessed; the policies and procedures that govern the security of cardholder data; the processes defined in policy to ensure compliance; and whether those processes are actually being followed.

The focus of the PCI-DSS standard is to ensure that companies locate and secure cardholder data; it also provides the basis for the penalties imposed on companies that fail to comply and then suffer a breach of their cardholder data. Those penalties can include fines that reach half a million dollars, legal action by cardholders, and the loss of the ability to accept credit card transactions.

As part of enforcing compliance, companies are required to "Protect Cardholder Data", the control objective covered by PCI-DSS Requirements 3 (protect stored cardholder data) and 4 (encrypt transmission of cardholder data across open, public networks). Requirement 4.2 is explicit that primary account numbers (PANs) must never be sent unprotected by end-user messaging technologies such as e-mail. A large part of meeting this objective is therefore ensuring that any cardholder data in e-mail is encrypted as it crosses untrusted networks, and that stored cardholder data in places such as PST files and mail archives is protected as well. In practice, cardholder data does find its way into corporate e-mail, so companies need a way to detect when cardholder data is present or accessed and to prevent it from being sent to unauthorized parties.
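As an added illustration (not Estorian's code and not part of the original article), the Python script below shows the core of such a detector: it scans the text parts of an e-mail message for candidate primary account numbers, uses the Luhn check digit to discard look-alike digit strings such as order numbers, reports each hit masked to the first six and last four digits (the maximum PCI-DSS 3.3 allows to be displayed), and produces a redacted copy of the body. The sample message, addresses and card numbers are constructed test data (the PANs are the well-known 4111... and 5555... test values, not real cards), and all function names are this example's own.

```python
import re
from email import message_from_string

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces
# or dashes, and not embedded in a longer run of digits or dashes.
_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: true for every real PAN, false for most look-alikes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize(candidate: str) -> str:
    """Strip the separators so '4111 1111 1111 1111' becomes pure digits."""
    return re.sub(r"[ -]", "", candidate)


def mask_pan(digits: str) -> str:
    """Mask to first six / last four, the most PCI-DSS 3.3 permits to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return (raw_match, digits) for every Luhn-valid candidate in text."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = normalize(m.group())
        if luhn_valid(digits):
            hits.append((m.group(), digits))
    return hits


def redact(text: str) -> str:
    """Replace every Luhn-valid candidate with its masked form; leave the rest."""
    def repl(m):
        digits = normalize(m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return _CANDIDATE.sub(repl, text)


def scan_message(raw: str) -> dict:
    """Scan the text/plain parts of an RFC 822 message for PANs.

    Returns whether an alert should fire, one record per hit carrying only
    the masked PAN (the alert itself must not leak the full number), and a
    redacted copy of the body suitable for a compliance reviewer.
    """
    msg = message_from_string(raw)
    hits, redacted_parts = [], []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue   # HTML parts and attachments need their own handling
        payload = part.get_payload(decode=True) or b""
        body = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for _, digits in find_pans(body):
            hits.append({
                "from": msg["From"],
                "to": msg["To"],
                "subject": msg["Subject"],
                "pan_masked": mask_pan(digits),
            })
        redacted_parts.append(redact(body))
    return {"alert": bool(hits), "hits": hits,
            "redacted_body": "\n".join(redacted_parts)}


# Constructed sample message (test data, not a real e-mail): one Visa test PAN
# with spaces, one MasterCard test PAN with dashes, and a 16-digit order
# number that fails the Luhn check and so must not raise an alert.
SAMPLE_EMAIL = """\
From: agent@example.com
To: billing@example.com
Subject: Refund for order 1234567890123456
Content-Type: text/plain; charset="utf-8"

Please refund order 1234567890123456 to the customer's card
4111 1111 1111 1111 (exp 12/12); if that fails use 5555-5555-5555-4444.
"""

if __name__ == "__main__":
    result = scan_message(SAMPLE_EMAIL)
    print("ALERT" if result["alert"] else "clean")
    for hit in result["hits"]:
        print(f"  {hit['from']} -> {hit['to']}: {hit['pan_masked']}")
    print(result["redacted_body"])
```

Run directly, the script prints ALERT with two masked hits and a body in which the order number is left untouched. Scanning only text/plain parts is a deliberate simplification: a production detector has to apply the same logic to HTML parts, attachments and archived PST content, and the Luhn check reduces but does not eliminate false positives (some phone numbers and identifiers also pass), so it is usually paired with card brand prefix ranges and context keywords before an alert is raised.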

Estorian's LookingGlass addresses these problems by:

  • Providing unlimited indexing capability so companies can track e-mails as they are sent and received. This creates an audit trail for any e-mail that could contain cardholder information and shows whether security is being compromised.
  • Real-time alerts and policy enforcement. Companies can use LookingGlass to establish policies in line with the PCI-DSS requirements and then generate real-time alerts to the persons responsible for compliance when e-mails containing cardholder data are sent and/or received.
  • Transparent handling of encrypted e-mail. If cardholder data is contained in e-mail, encryption must go beyond protecting that data in transit and needs to follow the cardholder data to the mailbox, PST file or archive. LookingGlass provides visibility into the encryption process as it archives encrypted e-mail, so that, with the mandate that cardholder data be encrypted across untrusted networks, companies can follow the encrypted cardholder data even in its archived state.

PCI-DSS version 1.2 is a needed upgrade to the industry's ability to mitigate the security risks around cardholder data. The standard is designed to protect consumers and to shift the financial risk back onto the party responsible for a breach, while giving companies a more proactive and easier to understand set of rules to follow. It is important for companies to understand how their current information security policy addresses the risks PCI-DSS covers, and how their current e-mail system fits within the standard.

When identifying and protecting cardholder data in e-mail, products such as Estorian's LookingGlass provide the ability to track cardholder data sent over e-mail, along with alerting and policy enforcement for cardholder data in e-mail. LookingGlass also handles e-mail encryption and allows encrypted e-mail to be securely archived by preserving the e-mail's encrypted status. All of these areas are crucial in ensuring that cardholder data within e-mail meets the "Protect Cardholder Data" objective of PCI-DSS. Without the proper controls in place, the risks of non-compliance can put the ability to accept credit card transactions in jeopardy, eliminating a vital revenue stream.


Entry Sponsorship

This entry is sponsored by Estorian LookingGlass

About Estorian LookingGlass

    LookingGlass is comprised of 6 integrated components. The integration of these components into a single solution provides the end-user with a total solution designed to be a single point of collaboration on all corporate messaging activity. No software is installed or added to the Exchange Server. The requirement for journaling and/or logging has been eliminated. The information gathered is in real time. And there is no end-user involvement.