It’s fragile and should be earned, not freely given.
If your organization stores or processes customer credit card numbers, then you know something about this. PCI DSS has been around for a while and is meant to provide a certain level of trust between merchants and consumers – “I’ll give you my credit card number, but I trust that you will use it properly and protect it”. Is it perfect? Nope. Just look at the worst breaches so far for 2021.
It’s scary, frustrating, and costly. Companies spend billions of dollars to make consumers trust them. They invest in network security, they advertise, they try to reassure the public that it’s ok to trust them.
And then, in a heartbeat, news of a breach, and Poof! – trust is destroyed. Dollars and effort wasted, everything needs to be rebuilt. Brand recognition, history, all meaningless. There lies the true cost of PCI breaches.
Get to Know Your Unstructured Data
It’s no secret that the amount of unstructured data in the enterprise today has grown exponentially, making up to 80% of an organization’s data (we define “unstructured data” as information that resides in email systems and file repositories, either on-premises or in the cloud). Yet, over the past couple of years, as I have questioned people about this aspect of their enterprise data, every single one of them has admitted to me that they do not feel they have adequate knowledge and control of what is stored in there! Hence why we also like to call it “dark data”! (“Come to the Dark Side, we have data.”)
Regardless of the policies, your organization may have elaborated around security practices, humans will be humans. How can you be certain that no one is storing unencrypted credit card numbers somewhere? In a spreadsheet in OneDrive? In an email? On a network share?
Solution Paths to Prevent PCI Breaches
- You could index all your unstructured data – no matter where it resides – to easily search for credit card numbers (or any other sensitive info)?
- You could create a policy that would notify a compliance officer of any such instances on a regular basis?
- You could instantly remediate – automatically or manually – any such instances of non-compliance?
Would it help to build some trust? Learn more about our data classification tool.