White Paper

Research Brief: Prevent Data Loss And Comply With Payment Card Industry Data Security Standards

Source: Websense, Inc.

Modern commerce relies heavily on credit card transactions, providing convenience to consumers and more sales opportunities for merchants. With vast amounts of financial capital changing hands through these transactions, it is no wonder that credit card fraud amounts to over a billion dollars in the US alone, according to the US Treasury. The Payment Card Industry Data Security Standards (PCI DSS) were developed by a consortium of credit card issuers, including MasterCard and Visa, to provide best practices for securing IT systems and for establishing processes governing the use, storage, and transmission of credit card data in electronic commerce.

In an age of phishing scams, malware, and hackers in pursuit of profit, compliance with PCI DSS is usually interpreted as a way to mitigate the risk of an external threat. Secure Sockets Layer (SSL), Transport Layer Security (TLS), Internet Protocol Security (IPsec), and other technologies are recommended as safeguards against these threats, focusing on anti-theft and anti-intrusion measures. However, the ultimate concern is the unauthorized use of credit card data, so safeguarding the data itself is essential to mitigating this risk. Data Loss Prevention (DLP) is the solution to help safeguard this credit card data.

While PCI DSS has done much to establish a common set of security best practices that minimize external intrusions into networks where credit card data is transmitted, stored, or collected, it has not explicitly mandated the monitoring of this data. As many industry analysts and forward-thinking enterprises have already acknowledged, DLP must be part of any PCI compliance and credit card data security policy, given that even a single instance of data loss can lead to penalties from card-holding institutions and banks, high remediation costs, damage to an organization's reputation, and loss of market share.