When the topic of data breaches comes up, encryption and vulnerability scanning are usually part of the solution. But most people don’t realize that frequently assessing all endpoints can be just as important as securing the payment processing gateway. In fact, many experts consider cardholder data discovery the “third pillar” of overall data breach mitigation.
Knowing the risks
Numerous studies have shown that assessing for unencrypted credit card data at rest plays a vital role in protecting customer payment data. Neglecting data discovery assessments has profound ramifications for corporate branding and business success, and ultimately can carry fatal financial repercussions.
Common risks we see all too often, and that you should be aware of:
1) Payment gateways exchange encrypted information with the merchant server, but due to misconfigured gateways, card data is being dumped in a text or XML file.
2) With the adoption of cloud syncing technologies like iCloud or Google Drive, payment data stored on the desktop is constantly synchronized with smartphones and tablets, proliferating beyond the perceived corporate perimeter.
3) Email, hands down, is the number one location where card data was discovered, on over 80% of endpoints.
What you can do to improve cardholder data discovery and mitigate data breaches
1) Assess both mobile and computing devices for unencrypted data
2) Be sure to scan common locations such as Email, SMS, SD Cards, Zip Files, Browsers and Contacts
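To make the assessment concrete, here is an added example (my own illustration, not code from this post or from the MAX Risk Intelligence product) of the core of a cardholder data discovery scan: a regex finds candidate 13 to 19 digit runs, a Luhn check filters out order numbers and other look-alikes, and the scanner descends into ZIP archives, which the list above calls out as a common hiding place. The gateway XML dump, the mailbox export and the archive are constructed in memory so the block runs offline; the card numbers in them are the publicly known test values (4111 1111 1111 1111 and similar), not real cards. Every hit is reported truncated to the first six and last four digits, so the scan report itself never becomes a new store of cleartext PANs.

```python
import io
import re
import zipfile
from typing import Iterator

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
# The lookarounds anchor the match to a whole digit run, so a 20+ digit id is
# not mistaken for a card number (and a PAN buried inside one is deliberately skipped).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits (the usual truncation rule), mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked, Luhn-valid PAN candidates found in a piece of text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def iter_text_sources(name: str, data: bytes) -> Iterator[tuple[str, str]]:
    """Yield (location, text) pairs for a file, descending into ZIP archives."""
    if name.lower().endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.endswith("/"):      # directory entry, nothing to scan
                    continue
                yield from iter_text_sources(f"{name}:{member}", zf.read(member))
    else:
        # Binary junk is tolerated: undecodable bytes are dropped rather than crashing the scan.
        yield name, data.decode("utf-8", errors="ignore")


def scan(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Scan in-memory files; return {location: [masked PANs]} for locations with hits."""
    report: dict[str, list[str]] = {}
    for name, data in files.items():
        for location, text in iter_text_sources(name, data):
            hits = find_pans(text)
            if hits:
                report[location] = hits
    return report


def _build_zip(members: dict[str, bytes]) -> bytes:
    """Helper for the constructed sample: build a ZIP archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed sample endpoint contents (test card numbers only, no real cardholder data).
SAMPLE_FILES: dict[str, bytes] = {
    "gateway_dump.xml": b"<txn><pan>4111 1111 1111 1111</pan><amount>19.99</amount></txn>",
    "order_id.txt": b"Order ref 1234567890123456 shipped 2024-01-15 12:30:45",   # fails Luhn
    "mailbox_export.txt": b"Customer emailed card 5500-0000-0000-0004 asking for a refund",
    "backup.zip": _build_zip({"notes/cards.csv": b"name,pan\nTest Amex,378282246310005\n"}),
}

if __name__ == "__main__":
    for location, pans in scan(SAMPLE_FILES).items():
        print(f"{location}: {', '.join(pans)}")
```

Running the block prints one line per location that holds a Luhn-valid card number (the gateway XML dump, the mailbox export and the CSV inside the archive), while the order reference is rejected because it fails the checksum. Mailbox stores, SMS databases and browser profiles would be fed in the same way, as bytes per location, once the real endpoint is walked.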
What you can do after the assessment
1) Encrypt the files or use full disk encryption if retaining the data is justified
2) Properly remove and securely delete the data when no longer needed
3) Educate employees on the importance of protecting cardholder data
Treating cardholder data discovery as a priority rather than a luxury can be a huge step toward protecting customer data and preventing your business from becoming yet another data breach headline. However, it’s important to be aware that not all cardholder assessments are so easily addressed. Card data residing on smartphones, tablets, laptops or other BYOD computing endpoints can easily be identified by reviewing your PAN or PII scan reports with your MAX Risk Intelligence account.