Blog | comforte

Data Discovery and Classification: The Critical First Step to PCI DSS 4.0 Compliance

Written by Samuel Smalling | Oct 31, 2024

Any organization storing, processing or transmitting cardholder data will be familiar with PCI DSS 4.0. In a world of escalating cyber risk and expanding corporate attack surfaces, the standard continues to evolve to enforce industry best practices and improve baseline data security.

To help them comply with these requirements, many organizations focus their technology investments on data protection solutions. But before protection must come powerful and continuous data discovery and classification.

Why do we need PCI DSS 4.0?

Card data is among the most sought-after by threat actors because it offers an easy on-ramp to payment fraud. That is part of the reason why financial services was one of the top two sectors in the US to suffer data breaches last year, accounting for nearly a quarter (25%) of data compromises in 2023. Over 353 million individuals were impacted by data breaches during that period, many of whom will have lost card data.

Against this backdrop, the payment card industry requires organizations handling such data to implement a strict set of requirements in order to minimize the chances of a breach. PCI DSS 4.0 has 64 such rules, which range from multi-factor authentication (MFA) to strong encryption. Compliance isn't only mandatory: it can also help organizations avoid major fines while building much-needed customer trust.

You can’t protect what you can’t see

However, the first step to compliance is understanding exactly where card data is stored, processed and transmitted across the enterprise. For large organizations with siloed systems, complex hybrid cloud environments, multiple connected supplier systems, and huge volumes of card data, this is no easy task. And it is made that much harder by the dynamic nature of the cardholder data environment (CDE), with new data entering and exiting all the time.

In fact, a recent IBM study warns of the growing risk posed by so-called “shadow data”, that is, hidden or overlooked copies of data that sit outside the control of the IT department. It claims that the average cost of related breaches was $5.3m last year, over 16% higher than the norm, while incidents involving shadow data took 26% longer on average to identify and 20% longer to contain.

The key for organizations wishing to comply with PCI DSS 4.0 is therefore to understand at all times where their relevant cardholder data is, so they can ensure it is protected in line with the standard. Manual processes are simply not fit for purpose in such fast-moving, complex environments, containing potentially millions of records. Failure to discover and classify this data on a continuous basis could lead to non-compliance and expose the organization to breach risks. It could also increase storage costs and the risk of data proliferation.

How comforte works

This is where comforte’s Data Security Platform comes into its own. Its Data Discovery and Classification features use AI/ML to scan repositories autonomously for cardholder data. Whether the data is structured, unstructured or semi-structured, and whether it resides in cloud systems or in enterprise tools and apps, comforte will find it thanks to advanced matching algorithms and smart scanning capabilities.

comforte Data Discovery and Classification achieves more than 96% accuracy out of the box and upwards of 99% with tuning of false positives and negatives, to minimize the problems associated with legacy DLP solutions. Because it’s automatic, it reduces the workload on IT teams, while eliminating human error. And because it’s focused on finding critical data, the solution allows organizations to improve data minimization and reduce their storage costs. Visibility of data throughout its lifecycle means organizations can also assess whether there are any dangerous security gaps in their distributed CDE, which may impact PCI compliance.
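To make the discovery and false-positive tuning described above concrete, the following is an added example and is not comforte's code or part of the original post. It shows the core of a cardholder-data scanner: find candidate digit runs, reject those that fail the Luhn check (which removes most timestamps, order IDs and similar noise), classify surviving numbers by card brand, and report them masked rather than in the clear. The file names and contents are constructed sample input, and the card numbers in them are publicly known test numbers, not real accounts.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Brand rules applied to the digits after separators are stripped.
BRAND_RULES = [
    ("visa", re.compile(r"^4\d{12}(?:\d{3}){0,2}$")),                 # 13, 16 or 19 digits
    ("mastercard", re.compile(
        r"^(?:5[1-5]\d{2}|222[1-9]|22[3-9]\d|2[3-6]\d{2}|27[01]\d|2720)\d{12}$")),  # 16 digits
    ("amex", re.compile(r"^3[47]\d{13}$")),                           # 15 digits
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_brand(digits: str) -> str:
    """Map a Luhn-valid digit string to a card brand, or 'unknown'."""
    for brand, pattern in BRAND_RULES:
        if pattern.match(digits):
            return brand
    return "unknown"


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits; never log the full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    source: str     # file or record the PAN was found in
    line_no: int    # 1-based line within that source
    brand: str
    masked: str


def find_pans(text: str, source: str = "<text>") -> list[Finding]:
    """Scan free text line by line and return masked, brand-classified hits."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if not luhn_valid(digits):
                continue        # reject false positives such as IDs and timestamps
            findings.append(Finding(source, line_no, classify_brand(digits), mask_pan(digits)))
    return findings


def scan_repository(files: dict[str, str]) -> tuple[list[Finding], dict[str, str]]:
    """Scan every file and label each one as holding cardholder data or not."""
    findings: list[Finding] = []
    labels: dict[str, str] = {}
    for name, content in files.items():
        hits = find_pans(content, name)
        findings.extend(hits)
        labels[name] = "cardholder-data" if hits else "no-cardholder-data"
    return findings, labels


# Constructed sample repository; the card numbers are public test numbers.
SAMPLE_FILES = {
    "orders.csv": "order_id,card,amount\n"
                  "1001,4111 1111 1111 1111,59.99\n"     # Visa test number, Luhn-valid
                  "1002,1234-5678-9012-3456,10.00\n",    # looks like a PAN but fails Luhn
    "support_ticket.txt": "Customer called about charge on AmEx 378282246310005 dated 2024-10-03.\n",
    "build.log": "job 20241031123456 finished in 1234567890123 ms\n",   # numeric noise only
    "notes.md": "Mastercard test card 5555555555554444 expires 12/26\n",
}

if __name__ == "__main__":
    found, file_labels = scan_repository(SAMPLE_FILES)
    for f in found:
        print(f"{f.source}:{f.line_no} {f.brand} {f.masked}")
    for name, label in file_labels.items():
        print(f"{name}: {label}")
```

The Luhn check is what keeps `build.log` and the malformed row in `orders.csv` out of the results, but roughly one in ten random digit runs of the right length will still pass it, which is why the brand patterns are layered on top and why a production scanner needs the kind of false-positive and false-negative tuning the post mentions. Reporting only masked values keeps the scan output itself from becoming a new copy of cardholder data.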

PCI DSS may be non-negotiable, but full compliance rates are still far below where they should be. With a more effective approach to data discovery and classification, your organization can use PCI DSS compliance as a springboard to competitive differentiation.