More than half of all companies do not properly enforce rules governing access to sensitive customer information such as card data, according to a recent survey of information-technology professionals conducted by the Ponemon Institute and Aveksa Inc.
Some 87% of the information-technology professionals surveyed, drawn from financial services, government, health care and other industries, said individual employees have “too much access” to data not pertinent to their jobs, while 59% said their organizations do not properly enforce policies governing access to sensitive data. Some 63% said their organizations lack the staff needed to enforce those policies, and 72% said they could not respond quickly to changes in employees’ data-access requirements. Ponemon conducted the telephone survey of 728 information-technology practitioners in February.
Smaller payment-industry companies are most likely to lack appropriate processes and resources to control employee access to cardholder data, and the growing complexity of information-technology systems may be at fault, Scott Laliberte, a managing director at the Philadelphia-based risk-management firm Protiviti Inc., tells PaymentsSource.
Thanks to stricter adherence to the Payment Card Industry Data Security Standard and rising use of third-party assessors to ensure compliance, “most Level 1 merchants and large organizations have pretty strong processes in place to comply with the rules,” Laliberte says. Level 1 merchants are those processing 6 million or more annual Visa transactions.
The section of the PCI standard that governs access to cardholder data, entitled “Restrict Access to Cardholder Data by Business Need-to-Know,” includes nine specific controls, Laliberte says.
But smaller organizations that process fewer than 6 million Visa transactions annually and those that typically rely on self-assessment for PCI compliance “may not be fully aware of the potential for error and the levels of diligence required to properly handle employee card-data access,” Laliberte says.
The problem for smaller organizations is that most of the processes they use to review employee access to cardholder data are manual and carry significant potential for human error, he says. Small organizations also often lack systems that can quickly restrict employees’ access to cardholder data housed within increasingly intricate and customized information-technology systems.
“As the complexity of information-technology systems increases, it becomes more difficult to quickly restrict employees’ access to cardholder data within many underlying levels of systems. This makes it difficult to block employee access at the moment an employee leaves an organization or is terminated,” Laliberte says. “The potential for a disgruntled employee to do great damage could still exist because layers of access could still exist for days or even longer deep within customized IT systems.”
One way to contain employees’ access to sensitive cardholder data is to automate access-management processes and to grant access according to job roles rather than to individuals. “Automation and role-based access controls make it much easier for organizations to stay on top of this, but such systems require up-front investment, and that is tough for a lot of companies during this economy,” Laliberte says. Still, the investment in automated data-access systems may be worth the trouble in the long run, compared with the costs of an unauthorized data breach, he says.
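The review Laliberte describes can be reduced to a reconciliation between three records: the HR roster (who is employed, in what role), a role catalog (which entitlements each role legitimately needs) and the account exports of each system that holds cardholder data (what access actually exists). The following Python is an added example, not code from the article or from Ponemon, Aveksa or Protiviti; the systems, roles, permissions and people in it are constructed. It surfaces the two failure modes named above, access that outlives the employee and access that exceeds the job role, and produces the cross-system revocation list that a manual, per-system process would have to assemble by hand.

```python
"""Role-based access reconciliation for cardholder-data systems.

Added example (not from the article). Every system, role, permission and
person below is constructed to illustrate the technique.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Entitlement = Tuple[str, str]  # (system, permission)

# Role catalog: the only entitlements each job role needs (need-to-know).
ROLE_CATALOG: Dict[str, Set[Entitlement]] = {
    "chargeback-analyst": {("pan-vault", "read-masked"), ("ticketing", "write")},
    "settlement-engineer": {("pan-vault", "read-full"), ("settlement-db", "read")},
    "helpdesk": {("ticketing", "write")},
}

# HR roster: the authoritative joiner/mover/leaver record, user -> (role, status).
HR_ROSTER: Dict[str, Tuple[str, str]] = {
    "alice": ("chargeback-analyst", "active"),
    "bob": ("settlement-engineer", "terminated"),  # left, accounts never removed
    "carol": ("helpdesk", "active"),
}

# Account exports pulled from each system: what access really exists today.
SYSTEM_EXPORTS: Dict[str, Dict[str, Set[str]]] = {
    "pan-vault": {"alice": {"read-masked"}, "bob": {"read-full"}, "carol": {"read-masked"}},
    "settlement-db": {"bob": {"read"}, "dave": {"read"}},  # dave is not in HR at all
    "ticketing": {"alice": {"write"}, "carol": {"write"}},
}


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    permission: str
    reason: str  # "terminated", "unknown-user" or "exceeds-role"


def reconcile(roster: Dict[str, Tuple[str, str]],
              catalog: Dict[str, Set[Entitlement]],
              exports: Dict[str, Dict[str, Set[str]]]) -> List[Finding]:
    """Compare live accounts against HR and the role catalog.

    Walks every account in every system export and flags it when the user is
    unknown to HR, is no longer active, or holds a permission the role does
    not grant. Anything not "active" is treated as a leaver.
    """
    findings: List[Finding] = []
    for system, accounts in exports.items():
        for user, perms in accounts.items():
            record = roster.get(user)
            for perm in perms:
                if record is None:
                    findings.append(Finding(user, system, perm, "unknown-user"))
                    continue
                role, status = record
                if status != "active":
                    findings.append(Finding(user, system, perm, "terminated"))
                elif (system, perm) not in catalog.get(role, set()):
                    findings.append(Finding(user, system, perm, "exceeds-role"))
    return sorted(findings, key=lambda f: (f.user, f.system, f.permission))


def revocations_for(user: str,
                    exports: Dict[str, Dict[str, Set[str]]]) -> List[Entitlement]:
    """Every entitlement to pull, across all systems, when one user leaves.

    This is the list a manual process has to rebuild by hand for each layer;
    computing it from the exports is what lets termination be a single step.
    """
    return sorted((system, perm)
                  for system, accounts in exports.items()
                  for perm in accounts.get(user, set()))


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, ROLE_CATALOG, SYSTEM_EXPORTS):
        print(f"{f.reason:12} {f.user:6} {f.system}:{f.permission}")
    print("revoke for bob:", revocations_for("bob", SYSTEM_EXPORTS))
```

Run against the constructed data, the reconciliation reports bob's two stale entitlements, dave's account that HR has no record of, and carol's vault access that her helpdesk role never needed; alice, whose access matches her role exactly, produces no finding. In practice the exports would come from each system's own account listing and the roster from the HR system of record, and the job would run on a schedule rather than waiting for a periodic manual review.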