BeyondTrust

Common, but Easily Avoidable, PCI DSS Compliance Miscues

July 15, 2019


I spent many years as a PCI QSA, and my recent webinar: The PCI DSS Compliance Essentials: Top 10 Things You Need to Know tried to encapsulate some of the most important areas firms need to consider as they go down the road to PCI compliance. Perhaps the most important topic I covered in the webinar is one that far too many firms don’t even consider—asking why they even store PCI cardholder data (CHD) in the first place.

A lot of firms accept as a fact of doing business that they need to store CHD. The reality is that, for most organizations, there is no compelling business or technology reason for retaining cardholder data. In 2019, there are plenty of vendors who offer tokenization solutions that merchants and service providers can use to ensure that they never store customer CHD. Instead, they work only with tokens: surrogate values that stand in for the primary account number (PAN) and, provided they cannot be reversed to the PAN without access to the tokenization system, are out of scope for PCI DSS.

By using tokenization, firms can significantly limit their PCI scope and responsibilities, and their risk of a damaging data loss or exposure. This, in turn, results in significant cost savings and far fewer hours spent on PCI compliance.

Besides tokenization, there are other options, such as card vaulting, point-to-point encryption (P2PE), and end-to-end encryption (E2EE). Note that only P2PE solutions validated and listed by the PCI Security Standards Council come with the formally defined scope reduction; an unlisted E2EE product may still help, but how much scope it removes is a judgment call for your acquirer and assessor. Whichever solution you consider, the goal is to start thinking about how you can get out of the CHD storage business.

Another important area is scoping. The first step of PCI DSS is to accurately determine the scope of the environment. As detailed in the PCI DSS Quick Reference Guide, the scoping process includes identifying all system components that are located within, or connected to, the cardholder data environment (CDE). The CDE comprises the people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data.

Yet too many firms don’t invest enough time in the scoping process. If a firm over-scopes, it spends unnecessary time, effort, and money. If it under-scopes and excludes systems that are truly in scope, the outcome is that it is not PCI compliant, with all the fallout that entails. A frequent under-scoping mistake is assuming that network segmentation takes a system out of scope without verifying that the segmentation actually works; PCI DSS expects segmentation controls to be penetration-tested, not just drawn on a diagram.

Another major PCI violation that organizations commonly commit is the unnecessary storing of sensitive authentication data (SAD). PCI DSS defines SAD as security-related information (including, but not limited to, card validation codes/values, full track data from the magnetic stripe or equivalent on a chip, PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions. SAD must never be stored after authorization, even if encrypted. In practice, the SAD a QSA finds is rarely in a database table; it is in application logs, debug traces, and crash dumps, so those need to be checked as well.
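As an added example (not code from the original post or from any vendor), the following Python sketch puts the two points above together: a hypothetical TokenVault that hands the merchant a random token in place of the PAN, and a scan() routine that finds stored PANs (Luhn-validated) and SAD patterns (CVV fields, track 1 and track 2 data) in a constructed log sample. The vault class, the regular expressions, and the sample log are assumptions for illustration only.

```python
import re
import secrets
import string


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: real PANs pass it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Display at most the first six and last four digits (PCI DSS Req. 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical stand-in for a tokenization provider (assumption: a real
    vault runs outside the merchant's network and stores PANs encrypted).
    Only the vault holds PANs; the merchant keeps the token it gets back."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"[ -]", "", pan)
        if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._token_by_pan:            # same card -> same token
            return self._token_by_pan[pan]
        while True:
            # Random digits, not derived from the PAN, so the token cannot be
            # reversed without the vault. Last four kept for receipts/lookups.
            # Tokens are chosen to fail Luhn so they are never mistaken for PANs.
            head = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = head + pan[-4:]
            if not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callers with vault access (e.g. the payment step) get the PAN."""
        return self._pan_by_token[token]


# Constructed sample log (not real data): a PAN and CVV logged in clear, a
# token, raw magnetic-stripe track 1/track 2 data, and a 16-digit reference
# number that is not a PAN (it fails Luhn).
SAMPLE_LOG = """\
2019-07-15 10:02:11 order=1001 pan=4111111111111111 cvv=123 amt=19.99
2019-07-15 10:02:12 order=1002 token=9031871234561111 amt=5.00
2019-07-15 10:02:13 swipe=%B4111111111111111^DOE/JOHN^2412101?;4111111111111111=24121011234?
2019-07-15 10:02:14 order=1003 ref=1234567890123456 amt=42.00
"""

PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")     # 13-19 digits
CVV_RE = re.compile(r"\bcv[vc]2?\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{7,}\?")   # %B<PAN>^NAME^YYMM...
TRACK2_RE = re.compile(r";\d{13,19}=\d{7,}\?")                # ;<PAN>=YYMM...


def scan(text: str) -> list:
    """Report stored CHD/SAD per line as (line_no, kind, masked_pan_or_None).
    PANs are masked in the output so the scan report is not itself CHD."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for m in PAN_RE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group())
            if luhn_ok(pan) and pan not in seen:
                seen.add(pan)
                findings.append((n, "PAN", mask(pan)))
        for kind, rx in (("CVV", CVV_RE), ("TRACK1", TRACK1_RE), ("TRACK2", TRACK2_RE)):
            if rx.search(line):
                findings.append((n, kind, None))   # SAD: must not be stored at all
    return findings


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111 1111 1111 1111")
    print("merchant stores:", tok, "| scan on it:", scan(f"token={tok}"))
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the scanner flags the clear-text PAN and CVV on line 1 and the PAN plus both tracks on line 3, while the token and the Luhn-failing reference number are ignored. The Luhn filter is what keeps a scan of real logs usable, and masking in the report matters because an unmasked findings file is itself stored CHD.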

Being educated about the PCI DSS requirements is your best method to ensure compliance and minimize costs. For more education that will help poise you for success with PCI, check out my on-demand webinar.

Ben Rothke

Senior Security Consultant, Nettitude

Ben Rothke (@benrothke) is a senior security consultant with Nettitude and has over 15 years of industry experience in information systems security and privacy. His career incorporates a successful track record across corporate and consulting roles, securing IT assets for numerous Fortune 1000 companies.

He is the author of Computer Security - 20 Things Every Employee Should Know (McGraw-Hill) and a speaker at industry conferences, such as RSA and MISTI, and holds numerous industry certifications.


