You’ve hardened your processes, separated environments, encrypted tables in your DBs, trained your developers and IT staff. Then comes your audit and your auditors jump in and run a script against your DB. Ding, ding, ding.... Left and right you start seeing things that look like Primary Account Numbers! What? Where? How did this happen?
One of the challenges of PCI is that you’ll be focused on your cardholder environment and your payment processing tools and applications. Meanwhile, you’ve got API’s, web forms, chat windows, log files, support tickets and any number of other places for data to hide. Your customers, developers and employees will likely have innocently created a PCI Compliance risk.
What other streams does data enter your system via? Do you have a customer support or CRM tool? Often customers, not so PCI saavy, will send you info they shouldn’t. An email with a Credit Card number (aka PAN) in it asking for a refund, or a chat window or a comment in an API call.
You didn’t expect this channel of communication to be used to send credit card data, yet sure enough there are a magic 16 digits uncovered at the wrong time, during your assessment.
The antidote? Know your data. Know what information is flowing through your system, what information is stored and what might be masked on collection or display. If you’re an API provider, this can mean watching your APIs for sensitive information passing through. Not only PAN data, but other data can be useful to avoid storing unencrypted or storing at all. Social Security Numbers are another sticky piece of data you’d like to avoid if possible.
Leveraging tools to help you discover your hidden vulnerabilities is one tactic as is encrypting vulnerable tables. Eliminating those vulnerabilities is a better route. As we shift towards an API Economy, knowing the data passing through your APIs grows ever important in achieving and maintaining PCI compliance.
Shameless Plug#1: Ask us about Apigee PCI Gateway Policies and how we can help you know your data.
Shameless Plug #2: For more on this topic, tomorrow we're hosting a live webinar on "Does your API need to be PCI Compliant"? We'll send you the video if you can't make the live webinar.