Any organisation storing, processing or transmitting cardholder data will be familiar with PCI DSS 4.0. In a world of escalating cyber risk and expanding corporate attack surfaces, the standard continues to evolve to enforce industry best practices and improve baseline data security.
To help them comply with these requirements, many organisations focus their technology investments on data protection solutions. But before protection must come powerful and continuous data discovery and classification.
Why do we need PCI DSS 4.0?
Card data is among the most sought-after by threat actors because it offers an easy on-ramp to payment fraud. It’s part of the reason why financial services was among the top two sectors in the US to suffer data breaches last year, accounting for nearly a quarter (25%) of data compromises in 2023. Over 353 million individuals were impacted by data breaches during that period, many of whom will have lost card data.
Against this backdrop, the payment card industry mandates organisations handling such data to action a strict set of requirements to minimise the chances of a breach. PCI DSS 4.0 has 64 such rules, which range from multi-factor authentication (MFA) to strong encryption. Compliance isn’t only mandatory. It can help organisations escape major fines while building much-needed customer trust.
You can’t protect what you can’t see
However, the first step to compliance is understanding exactly where card data is stored, processed and transmitted across the enterprise. For large organisations with siloed systems, complex hybrid cloud environments, multiple connected supplier systems, and huge volumes of card data, this is no easy task. And it is made that much harder by the dynamic nature of the cardholder data environment (CDE), with new data entering and exiting all the time.
In fact, a recent IBM study warns of the growing risk posed by so-called “shadow data”—that is, hidden or overlooked copies of data that sit outside the control of the IT department. It claims that the average cost of related breaches was $5.3m last year, over 16% higher than the norm, while incidents involving shadow data took 26% longer on average to identify and 20% longer to contain.
The key for organisations wishing to comply with PCI DSS 4.0 is, therefore, to understand at all times where their relevant cardholder data is so they can ensure it is protected in line with the standard. Manual processes are simply not fit for purpose in such fast-moving, complex environments containing potentially millions of records. Failure to discover and classify this data continuously could lead to non-compliance and expose the organisation to breach risks. It could also increase storage costs and the risk of data proliferation.
How comforte works
This is where comforte’s Data Security Platform comes into its own. Its Data Discovery and Classification features leverage AI/ML to autonomously scan repositories for cardholder data. Whether it’s structured, unstructured or semi-structured data residing in cloud systems or enterprise tools and apps, comforte will find it thanks to advanced matching algorithms and smart scanning capabilities.
comforte Data Discovery and Classification achieves more than 96% accuracy out of the box and upwards of 99% once false positives and negatives have been tuned, minimising the problems associated with legacy DLP (Data Loss Prevention) solutions. Because it’s automatic, it reduces the workload on IT teams while eliminating human error. And because it’s focused on finding critical data, the solution allows organisations to improve data minimisation and reduce their storage costs. Visibility of data throughout its lifecycle means organisations can also assess whether there are any dangerous security gaps in their distributed CDE, which may impact PCI compliance.
PCI DSS may be non-negotiable, but full compliance rates are still far below where they should be. With a more effective approach to data discovery and classification, your organisation can use PCI DSS compliance as a springboard to competitive differentiation.
For the HPE NonStop platform, we recommend HPE PANfinder™ by 4tech Software.
HPE PANfinder™ is a comprehensive payment card (PAN – Primary Account Number) data discovery solution. It searches your HPE NonStop systems for hidden and unmasked/unencrypted payment card numbers and data, allowing you to encrypt or delete any found data and patch systems or processes that caused you to store it.
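The discovery step described above (finding hidden, unmasked card numbers in files and logs and reporting them without re-exposing them), as an added Python example that is not comforte's or 4tech's code: it finds digit runs that could be PANs, keeps only Luhn-valid ones to cut false positives, and reports them masked. The regex, the length thresholds and the sample log are this example's own constructions.

```python
import re
from typing import Dict, List

# Constructed example of a minimal PAN discovery pass over text. The pattern and
# thresholds are this example's own choices, not comforte's or PANfinder's.
# Candidate: 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod-10) check: drops most digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """First 6 / last 4 masking, so a finding is reported without re-exposing it."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Dict[str, object]]:
    """Return masked, Luhn-valid PAN findings with their offsets in text."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append({"masked": mask_pan(digits), "offset": m.start()})
    return findings


# Constructed sample: an application log holding two industry test PANs,
# one Luhn-invalid number and a 16-digit order id that is not a card number.
SAMPLE_LOG = """\
2024-03-01 payment ok card=4111 1111 1111 1111 amount=19.99
2024-03-01 payment declined card=4111-1111-1111-1112
2024-03-01 order id=1234567890123456 shipped
2024-03-02 refund card=5555555555554444
"""


def scan_sample() -> List[str]:
    """Masked PANs found in SAMPLE_LOG; the order id and invalid number drop out."""
    return [f["masked"] for f in find_pans(SAMPLE_LOG)]
```

The Luhn filter is the cheapest form of the false-positive tuning mentioned above; a real scan would add issuer-prefix checks and context rules on top of it.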
Want to learn more about data protection methods?
Click the button below to download our free eBook (without filling out any forms!) and get more in-depth information about the advantages and disadvantages of leading data protection methods like tokenisation, encryption, hashing, masking, and more.
In order to help joint customers, comforte has entered into a strategic partnership with ACI Worldwide.
Accelerating the Journey to PCI DSS 4.0 Compliance with ACI Worldwide
Regulatory compliance is a fact of life for any business. And for those that accept, process, store or transmit credit card information, that means ensuring they meet the exacting requirements of PCI DSS. The card industry data security standard is two decades old this year, and its latest iteration promises a step change in how organisations are required to manage and secure their cardholder data environments (CDEs).
Non-compliance is not an option. However, the process itself can be extremely time-consuming and expensive for many organisations. Fortunately, a new partnership between comforte and payments software giant ACI Worldwide should help to streamline the journey.
Continuous compliance
PCI DSS 4.0 has been billed as the biggest update to the standard since it was launched back in 2004. It features a string of changes to underlying requirements intended to ensure the standard keeps pace with the rapid pace of technological change and threat actor innovation. These include a demand that organisations go beyond disk-level encryption to ensure all data residing in applications is also protected.
More generally, the industry body behind the standard, the PCI Security Standards Council (PCI SSC), wants to:
- Allow greater flexibility in the technologies organisations can use to achieve compliance
- Promote continuous security rather than treating compliance/security as a tick-box endeavour
- Enhance validation methods and procedures
How will ACI Worldwide customers benefit?
There’s plenty to take on board before the April 1, 2025, deadline for compliance. But one recent announcement will help compliance efforts. Customers using ACI Worldwide payment software in their CDE can now take advantage of leading data protection technology from comforte, which works seamlessly with the firm’s products.
Specifically, thanks to a new partnership, ACI Worldwide now recommends comforte for its ACI Banking (i.e., Issuing and Acquiring) products to meet the data-at-rest requirement of PCI DSS 4.0.
Those products are as follows:
- BASE24: comforte SecurDPS
- BASE24-eps: comforte SecurDPS, comforte SecurDPS Enterprise
- ICE-XS: comforte SecurDPS Enterprise
- ACI Acquirer/ACI Interchange/ACI Issuer: comforte SecurDPS Enterprise (Virtual File System component only – required for file exchange protection)
- UPF: comforte SecurDPS Enterprise
- XPNET: comforte SecurDPS
The comforte products support PCI DSS 4.0 compliance by protecting what matters most: cardholder data. They offer several benefits:
- Automatic and continuous discovery and classification of data, wherever it resides in the organisation.
- Multiple protection mechanisms, including classic encryption, masking, tokenisation and format-preserving encryption (FPE). Tokenisation can help organisations use data for business value creation via analytics without exposing it to the risk of data theft.
- Advanced integration without the need to change underlying applications.
- Flexible deployment on-premises, in the cloud, or a hybrid combination of the two.
- Future-proofing against changes in the IT environment/CDE thanks to a flexible, elastic and self-healing architecture that is designed to adapt and adjust to future requirements.
- Enhanced security with integration into identity and access management (IAM) tooling and built-in audit and analysis functionality.
Getting started
ACI says its products will work with comforte’s with minimal effort. It recommends that customers establish a vendor agreement directly with comforte and plan a roadmap aligned to the March 31, 2025, PCI DSS 4.0 compliance deadline.
Once that is in place, ACI encourages customers to contact their ACI Account Owner and the firm’s professional services team, which will assist with deployment. There’s about a year to go before PCI DSS 4.0 becomes a reality. By using comforte to secure data at rest, organisations can take a massive stride towards compliance today.