A New Way to Prevent Card Data Security Breaches

All retailers and any business that processes payments should have a new document on hand that is meant to prevent and mitigate some of the millions of dollars in losses from card data breaches annually. When the Payment Card Industry (PCI) released its updated Data Security Standard 3.0 earlier this month, it said that companies should create a data flow diagram showing all the individuals, systems, and applications that have access to cardholder data. This idea first came about, PaymentsSource reported, after a hacker produced a color-coded scheme showing where sensitive data was stored at his targeted organization.

“In the majority of compromises we’ve seen over the past few years, the merchant was trying to do the right thing but was unaware that cardholder data existed in a location that was not being protected. What these compromises have demonstrated is the business value for having a clear way to identify where the cardholder data is in your organization,” Troy Leach, chief technology officer for PCI’s Security Standards Council, told StorefrontBacktalk.

The data flow diagrams require organizations to conduct a full analysis of their systems and include all types of data pertaining to customers, users and suppliers. Firms must identify the level of security provided at each stage and determine whether different data sets fall under PCI jurisdiction or the regulations of foreign entities. “This information also needs to be overlaid with a diagram of servers on- and off-premise, and all mobile devices, including those owned by employees,” PaymentsSource reported.

PCI included the flow diagram requirement in previous DSS versions as well, but more retailers are taking notice of this and other techniques, as they combat the ever-growing card fraud problem. Card fraud through security breaches is becoming a much more common problem. A record number of breaches – 1,611 – occurred in 2012, a staggering 48 percent increase from 2011, according to PaymentsSource.
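The diagram is only useful once someone walks it looking for the gap Leach describes: cardholder data sitting somewhere nobody listed. The following is an added example, not the article's or the PCI Council's material, that treats a flow diagram as a graph of constructed sample systems and flows (all names, the `site`/`stores_pan`/`encrypted_at_rest` attributes and the field labels are this example's own assumptions) and reports every system the primary account number reaches that is either absent from the inventory or stores it without a declared control.

```python
# Added example, not from the article: a minimal cardholder-data flow map
# checker. INVENTORY and FLOWS are constructed sample data; the attribute
# and field names are this example's own convention, not PCI DSS terms.
from collections import defaultdict

# Constructed inventory of the systems someone remembered to put on the diagram.
INVENTORY = {
    "pos-terminal":    {"site": "store",   "stores_pan": False, "encrypted_at_rest": True},
    "payment-gateway": {"site": "on-prem", "stores_pan": True,  "encrypted_at_rest": True},
    "crm-db":          {"site": "cloud",   "stores_pan": True,  "encrypted_at_rest": False},
    "analytics-wh":    {"site": "cloud",   "stores_pan": False, "encrypted_at_rest": False},
}

# Constructed flows: (source, destination, fields carried on that hop).
FLOWS = [
    ("pos-terminal", "payment-gateway", {"PAN", "expiry", "cardholder_name"}),
    ("payment-gateway", "crm-db", {"PAN", "cardholder_name"}),
    ("crm-db", "analytics-wh", {"cardholder_name"}),  # no PAN on this hop: out of scope
    ("crm-db", "rep-laptop", {"PAN"}),                # employee device nobody inventoried
]

def pan_reach(flows):
    """Return {system: fields} for every system that sends or receives PAN.
    Transmitting PAN is enough to pull a system into scope, not only storing it."""
    reach = defaultdict(set)
    for src, dst, fields in flows:
        if "PAN" in fields:
            reach[src] |= fields
            reach[dst] |= fields
    return dict(reach)

def review(inventory, flows):
    """Return the gaps a reviewer of the diagram would raise, in system-name order."""
    gaps = []
    for system, fields in sorted(pan_reach(flows).items()):
        attrs = inventory.get(system)
        if attrs is None:
            gaps.append(f"{system}: handles PAN but is missing from the inventory")
        elif attrs["stores_pan"] and not attrs["encrypted_at_rest"]:
            gaps.append(f"{system} ({attrs['site']}): stores PAN without encryption at rest")
    return gaps

if __name__ == "__main__":
    print("In scope:", sorted(pan_reach(FLOWS)))
    for gap in review(INVENTORY, FLOWS):
        print("GAP:", gap)
```

On the sample data the analytics warehouse drops out of scope because only the name reaches it, while the uninventoried laptop and the unencrypted cloud CRM are the two findings.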
Limousine management software and services provider CorporateCarOnline was the most recent victim of major credit card fraud. The work of a few organized cyber-thieves resulted in the compromise of around 850,000 names, addresses, credit card numbers and expiration dates.

“It simply is good business for merchants to know where their cardholder data is. The better they understand how their organization operates, including how their customer’s cardholder data moves throughout their environment, the better they can make decisions to help minimize risk and cost,” Leach said.

In addition, the mapping of application data flows has become more critical as today’s enterprise systems have become “super-interconnected” to other systems, both inside and outside of company walls, including on the cloud, according to PaymentsSource.

The full changes in PCI’s Security Standard 3.0 will not be put into effect until January 2015. Still, it is important that organizations – if they haven’t already – begin developing their data flow diagrams now. It would be so encouraging to see businesses of all types come together with the common goal of significantly reducing card security breaches in 2014.