PCI-DSS, the Payment Card Industry Data Security Standard, was established on September 7, 2006. This standard protects individuals who share their credit card information with organizations such as banks and healthcare providers.

Executive Summary

Maintaining PCI-DSS compliance is a full project entailing tedious tasks: assessing risk exposure, continuously updating documentation of what goes in and out of the data source, documenting any malicious activity, and staying up to date with all changes to PCI-DSS. Failing to comply can carry a hefty price.

Knowing what’s sensitive and where you’re most vulnerable in the cloud is at the core of PCI-DSS, as it is for many standards and compliance frameworks. However, identifying every sensitive data element and knowing your risk exposure is a major task, requiring time, money, and resources. Meet C² Discover, your cloud-sensitive data discovery product. C² Discover finds your sensitive cloud data using machine learning and AI technology, while also presenting your risk assessment.


What’s involved in a PCI-DSS audit?

During the audit, an auditor will do a deep dive into the parts of your security infrastructure that involve the sensitive data elements covered by the standard, such as bank account numbers and routing numbers. The auditor will identify any holes in the overall security and may update the organization on any changes to the standard. During the audit, they may also recommend practices to prevent malicious attacks, like documenting what goes in and out of the databases and the data privacy practices currently in motion.

Having a third party take a look at your organization can be intimidating, like going to a doctor for a check-up. And like a check-up, it’s not always because something is wrong. If anything were to go wrong, like a malicious attack, there’s documentation that covers the sensitive data inventory of what’s in your database and the practices used to protect it. If this process still feels daunting, take the initiative to ensure that you’re optimizing your organization’s current actions to remain compliant with PCI-DSS.

What You Can Do

To take back control during the audit, here’s what you can do to prepare for it and, hopefully, avoid the hefty fines from the audit and the price of meeting the standards.

1. Complete PCI-DSS Certification

The PCI-DSS certification should be achieved every 90 days (once per quarter). It’s a risk assessment of your cloud that is targeted around PCI-DSS. The recommended tasks are based on how many transactions your organization does in a year.

| Level | Business does | You should |
|-------|---------------|------------|
| 1 | 6 million+ transactions/year | Conduct an annual internal audit; conduct quarterly PCI scans |
| 2 | 1-6 million transactions/year | Complete an annual risk assessment using an SAQ; conduct quarterly PCI scans |
| 3 | 20,000-1 million transactions/year | Complete an annual risk assessment using an SAQ; conduct quarterly PCI scans |
| 4 | Less than 20,000 eCommerce transactions/year; less than 1 million other transactions/year | Complete an annual risk assessment using an SAQ; conduct quarterly PCI scans |

C² Discover identifies financial data like credit card numbers, routing numbers, and accounts. Get a current snapshot of your risk assessment by identifying where you’re most vulnerable. C² Discover has no limit on how many times you can run your discoveries, so run as many as you need. The more you know, the better you can protect your data, bringing you further into compliance with PCI-DSS.

2. Get an Understanding of Your Risks

When storing sensitive data, it’s crucial to understand where the data is stored, who has access to it, and how to protect it. If you know your risks, you’re able to protect your data proactively, rather than reacting after malicious activity occurs.

Post discovery, C² Discover will present your results through a heatmap, giving you an understanding of where you are at risk as a whole or by sensitive data elements. The heatmap gives you all the information to mitigate the risk without the heavy lifting and high costs.


3. Stay Up to Date With PCI-DSS

As technology gains more control over how our society works, the standards of cybersecurity like PCI-DSS become stricter. To remain compliant, anyone dealing with credit card data needs to stay informed of the new changes and make the necessary changes to the infrastructure.

As of today, C² Discover identifies sensitive data that relates to PCI-DSS. Our experts stay up to date with any changes to the standard and will release new versions to accommodate the changes. If you see something missing, our experts are eager to customize C² Discover to fit your organization’s needs.

4. Talk to the Necessary Stakeholders

As a company, certain stakeholders need to know how you’re protecting sensitive data. If they don’t know how or if your organization is protecting sensitive data, they can’t help finance the organization. If the organization is constantly involved in data breaches, the value of the organization goes down, resulting in the stakeholders having the right to detach themselves from the organization. On the other side, if the organization isn’t involved in data breaches and malicious activity, the organization has proved itself to be a reputable company, piquing the interest of many prospects who may become stakeholders.

C² Discover’s user interface can easily be used as a report to present to the necessary stakeholders and even shareholders. C² Discover tells you everything that an individual needs to share with any executive team, technical or not.

5. Document and Update the Status of the Information

It’s helpful to have some sort of inventory of where data is stored, the applications used, and any security notes. It’s even more helpful to keep that inventory up to date, because that way everyone knows what is still used and whether anything new has been added to the data environment. This also helps if there is an attack on your data, because you know what has been affected, making the investigation and the aftermath go a bit smoother. This document can also be used to educate and train employees on security protocols.

C² Discover’s discoveries are a great launching pad to see where sensitive data is located, cross-check which server has which security measure, and identify any missing security infrastructure.

6. Assign a Compliance Leader

Assigning a person to compliance is a great way to ensure that your audit goes as smoothly as possible. This person oversees tasks like running exposure assessments, updating the team on compliance changes, documenting any changes to security, running training sessions for employees, and, most importantly, talking to your auditor. Both the compliance leader and the auditor have a lot of information, and the more knowledge they share, the better the outcomes.