
Thomas Stoesser | Apr 10, 2025 | PCI DSS, Compliance

Navigating PCI DSS 4.0 Compliance: How Automated Data Discovery Can Help

The Payment Card Industry Security Standards Council (PCI SSC) continues to evolve its flagship data security standard. The latest version encourages complying organizations to move away from traditional, periodic audits to a process of continuous risk management and monitoring. Yet this is only going to get the desired results if those same organizations have a continuous, updated view of their own cardholder data environment (CDE).

This is where AI-assisted, automated data discovery can provide a major leap forward for banks, merchants and payment infrastructure providers.

A card payment explosion

The volume of sensitive card data managed by merchant, banking and payment firms continues to grow. In the first half of 2024, for example, the number of card payments within the euro area increased by 10% annually to 40 billion. Not only is there more data to manage, but it’s increasingly spread across more enterprise IT environments. Gone are the days when it could all be stored and managed on-premises. Today it’s more than likely to spend at least some part of its lifecycle travelling through public or hybrid cloud environments.

This complexity is amplified by the structure of some organizations, which may operate multiple subsidiaries with their own distinct governance or compliance approaches, and by the prospect of merger and acquisition activity, which might introduce new data, systems and silos. Add complex supply chains, and you have a recipe for opacity that could quickly become a major PCI DSS compliance headache.

Time to rethink

With this in mind, it’s perhaps not surprising that many organizations suffer from major visibility gaps. One report claims that breaches stemming from this so-called “shadow data” could reach an average of $5.3m, over 16% higher than the norm. Such incidents apparently also take 26% longer to identify and 20% longer to contain.

That’s not all. Failure to comply with PCI DSS 4.0 can also mean fines of $5K to $100K per month, and penalties of up to $500K per incident if non-compliance contributes to a data breach.

That’s why legacy data discovery technologies and processes simply aren’t fit for purpose. They take manual snapshots of the CDE, which incurs high operational costs while delivering incomplete coverage and limited business context. This can elevate breach and compliance risk, as well as increasing storage costs and the risk of data proliferation.

Towards automated discovery

No organization can afford this. Instead, an AI-assisted solution like comforte Discovery and Classification delivers a continuously updated view of the CDE with high accuracy, low false positives, more business context and reduced operational costs.

It uses a unique passive network packet capture process to identify sensitive cardholder data flowing through the organization—identifying the databases, applications, file systems and log files where this data resides. It then performs a comprehensive scan on those locations, feeding the findings into a locally deployed analytical engine for automated classification and insights.

With this visibility, the organization can then classify the data and apply strong protection in line with policy and the requirements of PCI DSS 4.0.
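To make the scan-and-classify step concrete, here is an added illustration of the kind of content check a discovery tool runs over a file, table or log location. It is not comforte's code (the page does not describe the product's actual detection logic): it finds PAN-shaped digit runs, drops candidates that fail the Luhn checksum to keep false positives down, labels the rest by brand and reports them masked. The log lines, the file name and the simplified brand ranges are constructed for the example; only published test card numbers appear.

```python
import re
from typing import List, Optional, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Simplified leading-digit ranges for labelling (assumption, not a full IIN table).
BRANDS = [
    ("Visa", re.compile(r"^4\d{12}(?:\d{3})?$")),
    ("Mastercard", re.compile(r"^(?:5[1-5]\d{14}|2(?:2[2-9]\d|[3-6]\d{2}|7[01]\d|720)\d{12})$")),
    ("Amex", re.compile(r"^3[47]\d{13}$")),
]

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold >9 back to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(digits: str) -> Optional[str]:
    """Brand label for a Luhn-valid PAN, or None if it fits no known range."""
    return next((name for name, rx in BRANDS if rx.match(digits)), None)

def mask(digits: str) -> str:
    """Keep at most the first six and last four digits so a finding can be reported safely."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan(source: str, text: str) -> List[Tuple[str, int, str, str]]:
    """Scan one location line by line; return (source, line_no, brand, masked_pan) findings."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            brand = classify(digits) if luhn_valid(digits) else None
            if brand:
                findings.append((source, n, brand, mask(digits)))
    return findings

# Constructed sample: an application log that leaked card data (published test card numbers only).
SAMPLE_LOG = """\
2025-04-10T09:12:01 INFO order=88213 pan=4111111111111111 amount=49.90
2025-04-10T09:12:02 INFO txn_ref=4111111111111112 status=ok
2025-04-10T09:12:03 DEBUG card=5555 5555 5555 4444 exp=12/27
2025-04-10T09:12:04 INFO session=1234567890123456 user=alice
"""
```

Running `scan("payments.log", SAMPLE_LOG)` reports only lines 1 and 3; the 16-digit values on lines 2 and 4 fail the Luhn check and are discarded rather than raised as findings.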

Thanks to comforte Discovery and Classification, organizations benefit from:

  • Consistent and continuous data protection and PCI DSS 4.0 compliance
  • A highly automated process that frees up resources to work on higher value activities to grow the business
  • API connectors to integrate seamlessly with other security and privacy tools, driving up ROI
  • More than 96% accuracy out of the box, rising to 99% with tuning
  • Enhanced support for data minimization
  • Reduced storage costs
  • The ability to assess where there may be control gaps in their CDE, which could impact compliance

comforte is offering your business a 30-day free trial of comforte Data Discovery and Classification, which features a new SaaS console manager. During the period, you’ll get a close-up look at how the product works in situ, and obtain a detailed understanding of where security and compliance risk exists across the organization. Most importantly, you’ll be able to see how the product could help to streamline your PCI DSS 4.0 compliance processes.

Get in touch today to start your free trial. We’re here to take the pain away from PCI DSS compliance.


