Protecting PANs: What Payment Service Providers Need to Know

By Anna Russell, VP at comforte AG

 Payment systems are complex as they connect and combine various networks and endpoints, from transaction logs to ATMs. They are essential for storing and processing payment card information, sensitive data and primary account numbers (PANs) across multiple locations. Then you have transaction log files and cardholder files which share sensitive datasets across numerous applications, from fraud detection systems to analytic programs. Given the vast range of cardholder data, and the many places it is kept, sent, and processed, it is no surprise that PCI DSS stipulates that PANs must be unreadable wherever they are stored. This can be complicated, especially as data is so dynamic, so how can organizations meet this difficult requirement?

Issues with traditional data security perimeters        

Traditional security perimeters are becoming increasingly entwined with hybrid applications, as data is migrating from internal databases to the cloud or third-party applications. These complex networks make it hard to protect PANs because visibility is not assured when it comes to third-party providers. The growing sprawl of data across multiple platforms means that businesses are expected be all the more vigilant when it comes to customer data.

This is not to say that companies are leaving treasure troves of sensitive data unprotected. Generally, there are several traditional security measures in place to protect customer data. The first line of defence is often the perimeter. However, even the greatest of perimeter defences may simply present a speed bump to a determined and experienced cybercriminal. Furthermore, the boundaries of traditional perimeters are obscured by evolving storage methods, making it difficult to pinpoint where data originates. Data is perpetually being created from multiple points, superseding hard perimeters and dispersing controls throughout organizations. This makes PCI DSS compliance challenging as data is constantly being introduced, stored, and moved across multiple touchpoints; yet it must be safeguarded at all times.

Within traditional perimeter defences, most companies deploy multiple security products to protect against malicious software. However, software is evolving all the time, and if your systems and applications are not promptly patched, then it could have dangerous consequences. Furthermore, on many occasions cybercriminals  have bypassed traditional perimeter defences and gained access to sensitive data without setting off any alarms. That is part of the reason why the average breach isn’t identified until 279 days after the fact. This means that there must be more intrinsic controls in place to protect sensitive information.

Another wrench in the works is the introduction of bring your own device (BYOD) policies. This makes it difficult for security teams to patrol all the devices within their network. By allowing unmonitored devices into your network, you increase the likelihood of a breach occurring from within. To counteract this, many companies are deploying identity and access management (IAM) processes to determine who is accessing applications. This restricts access to a ‘need to use’ basis, ensuring that sensitive data can only be viewed when it is essential to do so as is required by PCI DSS.

Often, the final level of protection is monitoring. This gives security teams insight into what is happening in the network, prompting action if there is any suspicious activity. When combined with IAM this may provide a comprehensive approach to data protection because suspicious activity can be linked to specific account, identifying users that are accessing data they shouldn’t be. However, this assumes that fully provisioned employees are inherently benevolent. On the other hand, even trusted workers can unintentionally facilitate a data breach. These vulnerabilities are known as insider threats and they can be difficult to predict due to the unpredictability of human nature. Indeed, an insider can be every bit as detrimental as an experienced cybercriminal.

What is the solution to protect sensitive data?

Despite the extensive security parameters being deployed, the amount of fraud that occurs suggests there is a need for more comprehensive security approach. Indeed, according to a 2019 study conducted by the Ponemon Institute spanning 16 countries, the average data breach affects 25,575 records, proving that deploying a data-centric mindset is essential (especially as each record carries an average cost of $150). As mentioned above, the average time to identify and detect a breach is 279 days. This is plenty of time to access, steal, and sell sensitive information without a trace, thereby enforcing the notion that companies shouldn’t cut corners when it comes to protecting data.

With this in mind, it is no surprise that the Payment Card Industry expects businesses to protect customer PANs. PCI DSS isn’t a heavy-handed bureaucratic trap designed to slap sanctions on businesses, but a set of guidelines to improve both security and customer relations. Indeed, breaches don’t just cause damage in terms of incident handling, but also brand reputation. If you lose customer data, they will lose faith in you. Therefore, companies should endeavour to comply with PCI DSS. There are several ways that businesses can maintain compliance. Requirement 3.4 specifies that data can be protected with tokenization, truncation, or encryption with proper key management. Furthermore, Requirement 4 calls for similar measures to protect data being transmitted over public networks.

Of the above methods, tokenization is swiftly emerging as a best practice for protecting PANs because it replaces the original data with a surrogate (token) value. Therefore, even if an attacker gets access to a tokenized PAN, it is useless to them. This addresses the root problem behind data breaches by removing the threat of breached cardholder data all together. If PANs are protected at all stages of their lifecycle, then even if there was a significant breach, customer information remains protected. Once hackers become aware that their efforts to circumnavigate perimeter controls result in nothing but useless data, then they will move on.