The PCI DSS standard prescribes 12 principles and an accompanying set of detailed requirements for compliance. Broadly, the standard requires the organization to encrypt data, define and enforce access rights, track and monitor data access and assign unique IDs to users, among other requirements. The overall goal is to build a high level of security in organizations that accept or process credit card payments or handle the related data.
The usual challenge is that compliance requires a combination of multiple technologies, processes and awareness initiatives. Information goes through a lifecycle of create, store, transmit, use, archive and delete, and typically a combination of technologies is needed to protect the data at every stage. The challenge increases further if data needs to be exchanged with external agencies and across locations.
Information Rights Management (IRM) technologies like Seclore FileSecure provide a mechanism for maintaining the confidentiality and integrity of information throughout this lifecycle without having to combine multiple technologies.
IRM technologies provide a method to monitor and control:
1. WHO can use the information (people, groups, …) within or outside the enterprise
2. WHAT each person can do (read, edit, print, copy, …)
3. WHEN each person can use the information (till 15th March, for 10 days), after which the information expires
4. WHERE each person can use the information (within a specific network, from a specific set of computers, …)
These controls apply throughout the lifecycle of the information, from creation to destruction, and are independent of the mechanism of storage and transmission. IRM can therefore make PCI DSS compliance a much more “homogeneous” exercise with a single command and control center.
IRM can help the organization meet a number of provisions in PCI DSS requirements 3, 4, 7 and 10 that concern data transmission and sharing amongst stakeholders. These requirements address encryption during transmission, restriction of access based on the user’s need-to-know, and tracking and monitoring of access to network resources and cardholder data.
IRM solutions provide a user-friendly method to restrict access to documents containing sensitive cardholder data, eliminating the need for resource-intensive (and user-unfriendly) manual encryption and decryption of shared documents. Additionally, the solution makes it easy to assign access rights on a need-to-know basis at the start of the document lifecycle, with the ability to add or withdraw access later.
These features are supported by extensive logging to meet the traceability and audit requirements mandated by PCI DSS. File access and related actions are logged in granular detail; the logs record document use, edits, machine, location, time of access, etc.
IRM helps meet PCI DSS compliance in, among others, the following areas:
4. Encrypt transmission of cardholder data across open, public networks
4.2a Verify that strong cryptography is used whenever cardholder data is sent via end-user messaging technologies
7. Restrict access to cardholder data by business need-to-know
7.1.1 Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities
7.1.2 Assignment of privileges is based on individual personnel’s job classification and function
7.1.4 Implementation of an automated access control system
7.2.3 Default “deny-all” setting
10. Track and monitor all access to network resources and cardholder data
IRM also serves as a default automated mechanism to deny access to persons who have left the organization or to those moving internally to different roles.
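To make the WHO/WHAT/WHEN/WHERE model and the default deny-all behaviour described above concrete, here is an added Python example (not Seclore's code or API) that evaluates a document policy against an access request, revokes a leaver's grant, and records every decision in an audit trail. The user names, network ranges and dates are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Grant:  # one user's rights on one document (constructed model, not Seclore's)
    actions: frozenset      # WHAT: e.g. {"read", "edit", "print"}
    expires: datetime       # WHEN: no access at or after this instant
    networks: tuple = ()    # WHERE: CIDR blocks; empty tuple means anywhere

@dataclass
class DocumentPolicy:
    grants: dict = field(default_factory=dict)     # WHO: user id -> Grant
    audit_log: list = field(default_factory=list)  # every decision is recorded

    def revoke(self, user):  # leaver or role change: no grant means deny-all
        self.grants.pop(user, None)

    def check(self, user, action, now, src_ip):
        """Allow only if every WHO/WHAT/WHEN/WHERE condition holds; log either way."""
        reason, grant = "no grant for user (default deny-all)", self.grants.get(user)
        if grant is not None:
            if now >= grant.expires:
                reason = "grant expired"
            elif action not in grant.actions:
                reason = f"action {action!r} not granted"
            elif grant.networks and not any(
                    ip_address(src_ip) in ip_network(n) for n in grant.networks):
                reason = f"source {src_ip} outside permitted networks"
            else:
                reason = "allowed"
        self.audit_log.append({"user": user, "action": action, "src_ip": src_ip,
                               "time": now.isoformat(), "reason": reason,
                               "decision": "ALLOW" if reason == "allowed" else "DENY"})
        return reason == "allowed"

def demo():
    """Constructed scenario: one analyst may read, from 10.0.0.0/8 only, until 15 March."""
    policy = DocumentPolicy()
    policy.grants["analyst"] = Grant(frozenset({"read"}),
                                     datetime(2024, 3, 15, tzinfo=timezone.utc), ("10.0.0.0/8",))
    before, after = datetime(2024, 3, 1, tzinfo=timezone.utc), datetime(2024, 3, 16, tzinfo=timezone.utc)
    scenarios = [("read_in_office", "analyst", "read", before, "10.0.0.5"),
                 ("print_in_office", "analyst", "print", before, "10.0.0.5"),
                 ("read_from_outside", "analyst", "read", before, "203.0.113.7"),
                 ("read_after_expiry", "analyst", "read", after, "10.0.0.5")]
    results = {name: policy.check(*args) for name, *args in scenarios}
    policy.revoke("analyst")                      # analyst leaves the organization
    results["read_after_revoke"] = policy.check("analyst", "read", before, "10.0.0.5")
    return results, policy.audit_log
```

Only the first request is allowed; every other request is denied for a different reason, and the audit log keeps one entry per decision so the denials are as traceable as the access.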
Considering the cost of cardholder data loss, it is imperative for organizations to put in place multiple barriers in the form of controls that are also business enablers.
IRM technology, though relatively new, addresses multiple business concerns and makes it easy for users at all levels to build security controls in at the start of the document lifecycle and keep the document protected throughout.
Seclore is an Enterprise Information Rights Management (IRM) company providing risk mitigation from information leakages whilst enhancing collaboration and data security.