Beyond Regulation: Securing Sensitive Data in a Shifting Landscape

As new devices emerge, enterprises and security vendors alike must find innovative ways to protect sensitive data and comply with regulations. 

As security threats increase and become more sophisticated, organizations face pressure to implement strong processes and technology solutions to ensure compliance and the safety of critical assets. The risks associated with a data breach can be devastating, regardless of whether it is due to a simple mistake, or a stolen end-point device such as a laptop. The impact goes beyond fines and lost revenue, to negatively impacting an organization's brand identity and equity, or jeopardizing customers' trust.

The PCI Data Security Standards Council (PCI DSS) is one of many global organizations concerned with protecting individual's privacy and personal information. PCI DSS Council is "an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection." Their mission is to enhance payment account data security by fostering broad adoption of the PCI Security Standards. The council issues security compliance requirements to merchants that process, store, or transmit cardholder information. The PCI DSS v1.2 first published in November 2008 contains a set of requirements for credit card merchants. Specifically, the PCI DSS objectives ensure that compliant organizations build and maintain a secure network; protect cardholder data; maintain a vulnerability management program, implement strong access control measures, monitor and test networks, and maintain an information security policy.

Version 2.0 of the PCI DSS standard went into effect earlier this month.  The updated standard provides greater clarity, as well as aligns with industry changes and best practices. 

PCI DSS Council has published the following highlight table:

Clarification: Modification that clarifies intent of requirement; ensures that concise wording in the standards portray the desired intent of requirements

Additional Guidance: Provides further information on a particular topic to increase understanding of the intent of the requirement

Evolving Requirement: Requirement outlining situation not addressed in a standard; ensures the standards are up-to-date with emerging threats and changes in the market.

Requirement Impact

Reason for Change

Proposed Change



Clarify Applicability of PCI DSS and cardholder data.

Clarify that PCI DSS Requirements 3.3 and 3.4 apply only to PAN.

Align language with PTS Secure Reading and Exchange of Data (SRED) module.


Scope of Assessment

Ensure all locations of cardholder data are included in scope of PCI DSS assessments

Clarify that all locations and flows of cardholder data should be identified and documented to ensure accurate scoping of cardholder data environment.

Additional Guidance

PCI DSS Intro and various requirements

Provide guidance on virtualization.

Expanded definition of system components to include virtual components.

Updated requirement 2.2.1 to clarify intent of "one primary function per server" and use of virtualization.

Additional Guidance


Requirement 1

Further clarification of the DMZ.

Provide clarification on secure boundaries between internet and card holder data environment.



Requirement 3.2

Clarify applicability of PCI DSS to Issuers or Issuer Processors.

Recognize that Issuers have a legitimate business need to store Sensitive Authentication Data.


Real-Time Challenges to the Enterprise

Despite the best efforts of standards committees to provide guidance towards protecting sensitive data, innovative approaches to securing critical assets are the job of security vendors and the organizations deploying them. As new advances emerge, this becomes a daunting task. Take, for example, Apple. Apple's iMac and iBrethren have made significant in-roads in the corporate enterprise. According to NPD, Apple's 2010 U.S. market share for notebooks is 14.3% and its market share for desktops is 10.4%; quite impressive considering their market share was less than 5% just 4 years ago. The Enterprise Desktop Alliance recently reported that two-thirds of large organizations expect to increase the number of Macs. Interestingly, security and file sharing emerged as leading issues for integrating Macs among the same respondents.

Apple mania continues in the enterprise. In fact, a significant portion of the iPad's initial wave of three million units sold was ordered by enterprise buyers in the health care sector, finance industry and by government agencies.  Businesses are interested in Apple's iPad, whether as a laptop replacement for busy executives, a tablet for doctors accessing electronic medical records or a customer interaction tool for retailers. Apple CEO Steve Jobs said of iPad's business momentum: "it's being grabbed out of our hands." 

iPhones and iPads provide unprecedented ease of use, appeal, portability and can manage the most valuable data for their owners.  Unfortunately, iPhones and iPads do not currently (as of iOS 4.0.1) have internal encryption, or APIs that enable security constructs similar to those available on the Windows or the OS/X platforms. Therefore, control of sensitive data must be performed at the transfer and synchronization point, whenever possible to satisfy compliance regulations. Failure to restrict the transfer of sensitive data to those devices, or protect it in an appropriate manner may result in a data breach. As the workforce continues to rely on and expand its use of iPads, mobile devices such as smart phones and laptops, opportunity for data leakage of sensitive information increases. 

Security Vendors Need to Address Current Endpoint Trends

 Securing endpoints - without impacting employee productivity and system performance - demands a highly-flexible solution that takes into account the dynamics of real-world work environments. It's difficult for the enterprise, because many end users view external devices and outbound communications as personal, and view encryption of any kind as a headache - often balking at and circumventing imposed security measures. As a result, today's data protection solutions need to be transparent without compromising the data security within an organization. The goal is for security vendors to provide solutions that protect sensitive data as endpoint technology advances. For example if a smartphone is attempting to access sensitive data, the security solution should block it transparently without disrupting the user's experiences.  A security administrator should have the capability to allow synchronization of email, tasks and contacts, but block synchronization of all files that contain financial data, or more than three personally identifiable information records to the iPhone and iPad. Another example is allowing employee devices to charge through USB, but block ANY synchronization.

While the recommended policy in most cases would be blocking transfer of sensitive data, even monitoring of those transfers and accurate logs of the transferred data will help catalogue the lost data in the event that the device is lost or stolen, and will go a long way toward limiting the organization's exposure. More tools such as detailed logging capability creates an audit trail that can prove which sensitive files were on a lost USB device, or better yet, block those files from being transferred to a non encrypted device such as an iPad in the first place.

With the advance of technologies such as smart phones, implementing effective endpoint data protection remains an uphill battle for most organizations. Forward-thinking security vendors must lead the charge in providing powerful, enforceable, tamper-proof security that effectively supports rapidly advancing technology innovations while assisting the enterprise conform to compliance regulations.