BankThink

PCI's Data Mapping Plan Takes a Page from Hackers

Cardholder data continues to be a target for criminals and a major concern for all participants in the payments industry — consumers, merchants and financial institutions and processors. A new report from Javelin Strategy and Research concludes that a single massive data breach can result in billions of dollars in consumer fraud losses. A record number of breaches, 1,611, took place in 2012, a staggering 48% increase from 2011.

Information security services company Hold Security recently reported that limousine management software and services provider CorporateCarOnline was the victim of a group of cyber crooks. The incident led to the compromise of roughly 850,000 names, addresses, credit card numbers and expiration dates, according to IT security blogger Brian Krebs.

In order to reduce a company’s liability and to protect consumer personal data, Payment Card Industry Data Security Standard 3.0 requires all companies to create a data flow diagram showing all the people, systems and applications that have access to cardholder data. This initiative was introduced after a hacker presented a color-coded scheme of where sensitive data was stored at his targeted organization. In a recent interview, Troy Leach, chief technology officer of the PCI Security Standards Council, recalled management at the organization commenting, "That's amazing. Why didn't we have that?"

The mapping of application data flows has become more critical as today’s enterprise systems have become highly interconnected with other systems, both inside and outside of company walls, including in the cloud. PCI DSS regulations require companies to document how cardholder data is stored, processed and transmitted from one entity to another.

These data flow diagrams aren't trivial, and require organizations to do a full analysis of their systems and include all types of data pertaining to customers, users and suppliers. Firms must identify the level of security provided at each stage and whether different data sets fall under PCI jurisdiction or the regulations of any foreign body. This information also needs to be overlaid with a diagram of servers on- and off-premise, and all mobile devices, including those owned by employees.

Since many of these changes have a significant impact on organizations, the full change will not be put into effect until January 2015. However, given that a full analysis of the data flow for credit data will require many hours, it is never too soon for organizations to start documenting how sensitive data moves through the organization.

Ronen Kenig is a vice president at Herzliya Pituach, Israel-based Safe-T.
