Common, but Easily Avoidable, PCI DSS Compliance Miscues

July 15, 2019


I spent many years as a PCI QSA, and my recent webinar, The PCI DSS Compliance Essentials: Top 10 Things You Need to Know, tried to encapsulate some of the most important areas firms need to consider as they go down the road to PCI compliance. Perhaps the most important topic I covered in the webinar is one that far too many firms don’t even consider—asking why they even store PCI cardholder data (CHD) in the first place.

A lot of firms accept as a fact of doing business that they need to store CHD. The reality is that, for most organizations, there is no compelling business or technology reason for retaining cardholder data. In 2019, there are plenty of vendors who offer tokenization solutions that merchants and service providers can use to ensure that they never see customer CHD. Instead, they will only use the tokens, which are data strings that are out of scope for PCI.

By using tokenization, firms can significantly limit their PCI scope and responsibilities, as well as the risk of damaging data loss or exposure. This, in turn, results in significant cost savings and many fewer hours spent on PCI compliance.

Besides tokenization, there are other potential solutions, such as credit card vaulting, point-to-point encryption (P2PE), and end-to-end encryption (E2EE). Whichever solution you consider, the goal is to start thinking about how you can get out of the CHD storage business.

Another important area is that of scoping. The first step toward PCI DSS compliance is to accurately determine the scope of the environment. As detailed in the PCI DSS Quick Reference Guide, the scoping process includes identifying all system components that are located within, or connected to, the cardholder data environment. The cardholder data environment comprises the people, processes, and technology that handle cardholder data or sensitive authentication data.

Yet too many firms don’t invest enough time in the scoping process. This can be a significant issue: if a firm over-scopes, it will end up expending unnecessary time, effort, and expense. If, on the other hand, it under-scopes and excludes systems that are truly within scope, the outcome is that it is not PCI compliant, with all of the fallout that entails.

Another major PCI violation that organizations commonly commit is the unnecessary storing of sensitive authentication data (SAD). PCI defines SAD as security-related information—including, but not limited to, card validation codes/values, full track data (from the magnetic stripe or equivalent on a chip), PINs, and PIN blocks—used to authenticate cardholders and/or authorize payment card transactions. SAD can never be stored after authorization.

Being educated about the PCI DSS requirements is the best way to minimize costs and ensure that you are fully compliant with PCI DSS. For more education that will help position you for success with PCI, check out my on-demand webinar.


Ben Rothke, Senior Security Consultant, Nettitude

Ben Rothke (@benrothke) is a senior security consultant with Nettitude and has over 15 years of industry experience in information systems security and privacy. His career incorporates a successful track record across corporate and consulting roles, securing IT assets for numerous Fortune 1000 companies.

He is the author of Computer Security - 20 Things Every Employee Should Know (McGraw-Hill) and a speaker at industry conferences, such as RSA and MISTI, and holds numerous industry certifications.
