PCI Compliance: How to Redact Credit Card Info from Inbound Emails


When You Need Protection from Critical Information.

Just when the heavy lifting to protect payment card data and comply with PCI DSS (Payment Card Industry Data Security Standard) is done, you realize that something as simple as a customer emailing a card number into your organization can jeopardize that effort and expose you to costly fines. Organizations are therefore turning to automated scanning and data redaction that removes payment card data before it even reaches the email system. This helps ensure compliance and a high level of customer service while avoiding the manual, error-prone clean-up of the trail of "radioactive" PCI data left behind.

The PCI Compliance Issue

What looks like an innocent attempt by a customer to expedite a service request by volunteering their primary account number (PAN) in an email, for reference or for payment, can put you in breach of PCI DSS Requirements 3 and 4, which cover the protection of stored account data and of cardholder data transmitted over open, public networks. The problem often arises at the 'edges': the card data travels outside the PCI-controlled cardholder data environment (CDE) and leaves a digital footprint that proliferates through systems that were never scoped or secured for it, such as your email system, its archives, and even the replicated snapshots and backups taken for disaster recovery.

The problem is compounded if the employee replies to or forwards the email, inside or outside your organization and over open, public networks, even if only to tell the sender that the information has been received: each copy is another transmission and another stored instance of the PAN.

Email is not the only channel creating risk. The same violation occurs when a customer submits payment card information through a non-compliant "contact us" web form, social media account or instant messaging/chat platform. These front-end applications feed other systems that store the data again and so multiply it across web servers, marketing automation and CRM tools. Either way, toxic payment card data is spreading through your environment and needs to be contained, secured and managed within PCI DSS guidelines.

In an attempt to address this often overlooked PCI challenge, IT and compliance teams have historically instructed agents to delete the email (or web message) manually, report it to IT so that any replicated copies can be tracked down and purged, and reply to the customer in a separate message explaining the policy of not accepting card information over that channel. Like most manual, "honor system" approaches to data security policy, this exposes both the customer and your organization to errors, undue risk and lost customer-facing time.

An Automated Solution for PCI Compliance

Organizations can now use Adaptive Redaction to address this nagging issue by automating the scanning and redaction of payment card information (or other sensitive or inappropriate data) before it enters non-PCI-compliant email and web systems, before it is replicated across multiple unregulated systems, and before anyone has to track down and dispose of every trace of it manually. Adaptive Redaction inspects messages and attachments at fine granularity: it disassembles the inbound message completely, removes only the information that breaks PCI DSS, and lets the rest of the message pass unhindered to your agent for service. Collaboration and communication continue, but the risk of inappropriately shared critical information is removed.
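As an added illustration of the disassemble, scan, redact and reassemble flow described above (example code written for this page, not Clearswift's product or its API), here is a minimal Python redactor. It parses a MIME message, scans the Subject header, every text body part and every text attachment for runs of 13 to 19 digits, keeps only the runs that pass the Luhn check so that order and tracking numbers are left alone, masks each real card number down to its last four digits, and rebuilds the message so the rest of the content reaches the agent untouched. The sample message, addresses, order number and attachment name are constructed for the example; the card numbers are the familiar 4111... and 5555... test values, not real accounts.

```python
"""Inbound-mail PAN redaction (added example, not Clearswift code).

Parse a MIME message, find payment card numbers in the Subject, the text
body parts and any text attachments, replace each one with a masked form
and reassemble the message so everything else reaches the agent intact.
"""
import re
from email import message_from_string, policy

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes, and not part of a longer digit run. Luhn decides whether it is real.
PAN_CANDIDATE = re.compile(
    r"(?<![0-9])(?<![0-9][ -])"      # no digit (or digit + separator) before
    r"(?:[0-9][ -]?){12,18}[0-9]"    # 13-19 digits with optional separators
    r"(?![ -]?[0-9])"                # no (separator +) digit after
)


def luhn_ok(digits: str) -> bool:
    """Luhn check on an ASCII digit string: from the right, double every
    second digit, subtract 9 if that exceeds 9, and the sum must be a
    multiple of 10. Order numbers and phone numbers almost always fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits. PCI DSS Requirement 3 permits showing
    at most the first six and last four; a service agent needs no more."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pan_text(text: str) -> tuple[str, int]:
    """Mask every Luhn-valid card number in text. Returns (new_text, hits)."""
    hits = 0

    def repl(m: re.Match) -> str:
        nonlocal hits
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):          # order or tracking number: keep it
            return m.group(0)
        hits += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(repl, text), hits


def redact_message(raw: str) -> tuple[str, int]:
    """Disassemble a raw RFC 5322 message, redact PANs in every text-bearing
    part (Subject, body parts, text attachments) and reassemble it.
    Non-text attachments (PDF, images, Office files) would need their own
    text extraction and are passed through untouched here."""
    msg = message_from_string(raw, policy=policy.default)
    total = 0

    subject, n = redact_pan_text(str(msg["Subject"] or ""))
    if n:
        msg.replace_header("Subject", subject)
        total += n

    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        new_text, n = redact_pan_text(part.get_content())
        if n:
            # set_content() clears the old Content-* headers, so read the
            # subtype and attachment disposition/filename first and carry
            # them across; otherwise notes.txt would turn into body text.
            subtype = part.get_content_subtype()
            disposition = part.get_content_disposition()
            filename = part.get_filename()
            part.set_content(new_text, subtype=subtype,
                             disposition=disposition, filename=filename)
            total += n
    return msg.as_string(), total


# Constructed sample message (addresses, order number and attachment name
# are made up; the card numbers are the standard 4111.../5555... test values).
SAMPLE_EMAIL = """\
From: customer@example.com
To: support@example.net
Subject: Order 1234 5678 9012 3456 - please charge my card
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hi, please put the balance on my Visa 4111 1111 1111 1111,
reference order 1234 5678 9012 3456. Thanks!
--b1
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: attachment; filename="notes.txt"

Backup card: 5555-5555-5555-4444 (expires 12/29)
--b1--
"""

if __name__ == "__main__":
    cleaned, hits = redact_message(SAMPLE_EMAIL)
    print(f"{hits} card number(s) redacted\n")
    print(cleaned)
```

Two design points worth noting. The Luhn check is what keeps the agent's message readable: the 16-digit order number in the Subject and body fails it and is left alone, while both card numbers (one with spaces in the body, one with dashes in the attachment) are masked. And the regex deliberately refuses runs that are longer than 19 digits, so a 20-digit reference number is not partially matched and mangled. What this toy does not do, and a production redactor must, is extract text from binary attachments and handle HTML where markup splits the digit groups; a PAN wrapped in `<span>` tags would slip past a plain-text scan.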

Adaptive Redaction policies can be shared consistently across multiple channels to keep them aligned with PCI policy guidelines, and they integrate with your existing email and web security infrastructure without a rip-and-replace. A no-brainer, automated fix for what can be a PCI DSS thorn in your side.

*** This is a Security Bloggers Network syndicated blog from Clearswift Blog authored by Anonymous. Read the original post at: