Many businesses are hearing about the benefits of pushing their compliance duties to third parties. The trend is strongest among merchants exploring endpoint point-of-sale (POS) devices, which keep cardholder data out of the merchant's own systems through tokenization or proprietary encryption. Whether the mechanism is format-preserving encryption (FPE) or an entirely new approach, several important truths remain that must be understood and managed.
Paying for an endpoint device does not remove the business's duty to ensure that cardholder data (or any other type of sensitive data) is secured and protected in proportion to the organization's unique risks. It does place much of the operational duty on the service provider, but management of the program remains a critical part of the process. In fact, most would argue it is the people and process that truly make the difference, as recent data breach notifications have highlighted.
So what are some things to consider?
I prefer to break these requirements down into strategic components that represent the intent of professionals and business owners to secure the operation and maintain its integrity. I welcome additional thoughts and direction.
- Identify – Sensitive data requires a thorough assessment of the organization's people and processes to locate the pathways of, in this example, cardholder data. The pathways give direction at the system level and allow workflows to be created that improve, restrict, or eliminate the flow. Maintaining a sensitive data program depends on knowing where the data resides and on leveraging mini-assessments to ensure that future states still match the organization's compliant state.
- Verify – Assurance that data has been restricted or eliminated by bringing in a third-party provider is only fruitful if the cardholder data environment is truly managed. This includes the service provider's systems, back end and front end. Security specialists must verify on an ongoing basis (consider adding this to the corporate patch management process) that these systems are operating securely and in a compliant fashion, today and tomorrow.
- Control – When operations run, business cases arise that suggest a need for access to sensitive data. In these instances, alternative approaches should be examined first. Every exception expands the security control vigilance required, even in an outsourced FPE environment.
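The Identify and Verify steps above both come down to one practical question: where does cardholder data actually show up? One way to answer it on a recurring basis is a small discovery scan over logs, exports and application files that flags Luhn-valid primary account numbers and reports them masked (first six and last four digits only, so the report itself does not become a new copy of the data). The following is an added example, not code from the original post or from any particular POS or P2PE vendor; the log lines are constructed for illustration and the file name `pos.log` is an assumed label. One caveat a practitioner should keep in mind: depending on the scheme, an FPE-encrypted PAN can still be a Luhn-valid 16-digit string, so a hit from a scanner like this is a candidate to investigate against the provider's documentation, not proof of cleartext cardholder data.

```python
import re
from typing import Iterable, List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit (so we take whole numbers only).
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812-1)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (the usual PCI DSS display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(lines: Iterable[str], source: str = "<input>") -> List[Tuple[str, int, str]]:
    """Scan text lines for Luhn-valid PANs; return (source, line_no, masked_pan) tuples.

    Only the masked form is retained so the scan output can be stored safely.
    """
    hits: List[Tuple[str, int, str]] = []
    for line_no, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append((source, line_no, mask_pan(digits)))
    return hits


# Constructed sample log lines (not real transaction data). Line 1 and line 4 hold
# Luhn-valid test PANs; line 2 is a 16-digit order number that fails Luhn; line 3
# carries only a token, which is what a tokenized endpoint should be leaving behind.
SAMPLE_LOG = [
    "2024-05-01 10:02:11 POS-07 auth ok card=4111 1111 1111 1111 amt=42.10",
    "2024-05-01 10:02:15 POS-07 order=1234567890123456 status=shipped",
    "2024-05-01 10:03:02 POS-07 token=tok_9f3a1c7e amt=19.99",
    "2024-05-01 10:03:40 POS-07 auth ok card=5555-5555-5555-4444 amt=7.00",
]


if __name__ == "__main__":
    for source, line_no, masked in find_pans(SAMPLE_LOG, "pos.log"):
        print(f"{source}:{line_no}: candidate PAN {masked}")
```

Run on a real environment, the scan would be pointed at log directories, database exports and file shares rather than an in-memory list, and repeated as part of the same schedule as patching so that drift (a new debug log, a report that started including the full PAN) is caught before the next assessment.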
Additional thoughts and approaches?