Thales eSecurity Blog

Leveraging PCI DSS Principles for General Data Protection

Ian Hermon | Product Marketing Manager

In the month of November, I wrote about the options available specifically to secure data as part of a PCI DSS compliance effort. In this blog, I explore ideas for how the technology in question can be leveraged effectively for much broader general data protection requirements that are equally important for a wide variety of organizations.

The benefits of thinking beyond PCI DSS

Any organization that is involved in transmitting, processing or storing cardholder data ultimately invests a lot of time and money (directly or indirectly) in building a secure infrastructure and supporting processes to meet PCI DSS security requirements. The primary focus of our recent eBook is to provide practical advice on making this effort as efficient and cost-effective as possible. The PCI DSS is primarily concerned with the protection of cardholder data, but that is only one specific example of sensitive or valuable data that an organization stores and which needs to be protected from inside or outside compromise or theft. Most data that is created, processed and stored by an organization has nothing to do with payments. However, it is very likely that some or all of it would benefit from the same level of protection that is applied to cardholder data.

By thinking beyond what is being done to meet PCI DSS requirements, an organization can leverage those proven security principles to build additional solutions that support comprehensive protection of its critical assets.

Proven effective tools at your fingertips

By leveraging the encryption, access control/monitoring and key management technology that is being deployed as part of its PCI DSS compliance efforts, an organization could then start to deliver effective data protection in a variety of ways for its critical assets. Practical examples of what could be achieved include:

  • Encrypting all the network traffic inside the organization to ensure that only those who need to see the data can do so.
  • Protecting all data at rest across the whole enterprise by using encryption and/or tokenization and ensuring that only those who are authorized to decrypt that data have access to it.
  • Protecting all sensitive data at the point of capture (the point at which it enters the organization) by encrypting selected fields in the data record.
  • Keeping security under full organizational control by encrypting data and managing the keys locally before sending data to a third party cloud service provider.
  • Implementing a layered security approach so that the infrastructure doesn’t have a single vulnerable point of attack, which makes it much more difficult for an attacker (inside or outside the organization) to gain unauthorized access to sensitive data.
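The field-level protection described in the third and fourth points, as an added example that is not part of the original post and not a Thales product: a Go program that encrypts only the selected fields of a record under a key the organization holds locally, so the record can be handed to a third party who sees nothing but the non-sensitive fields, and tampering with a protected value (or moving it to a different field) is detected when the organization decrypts it. The key, record and field names are constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// NewFieldCipher wraps the locally held 16-, 24- or 32-byte key in AES-GCM.
func NewFieldCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// ProtectFields encrypts each listed field of rec in place, leaving the rest readable;
// the field name is bound as associated data, so a value moved to another field fails.
func ProtectFields(rec map[string]string, aead cipher.AEAD, sensitive []string) {
	for _, f := range sensitive {
		nonce := make([]byte, aead.NonceSize())
		rand.Read(nonce) // fresh random nonce per value (crypto/rand; cannot fail since Go 1.24)
		ct := aead.Seal(nonce, nonce, []byte(rec[f]), []byte(f)) // nonce || ciphertext || tag
		rec[f] = base64.StdEncoding.EncodeToString(ct)
	}
}
// RevealFields reverses ProtectFields; it runs only where the key is held and rejects
// any value whose ciphertext, tag or field name has been altered.
func RevealFields(rec map[string]string, aead cipher.AEAD, sensitive []string) error {
	n := aead.NonceSize()
	for _, f := range sensitive {
		raw, err := base64.StdEncoding.DecodeString(rec[f])
		if err != nil || len(raw) < n {
			return fmt.Errorf("field %q: malformed ciphertext", f)
		}
		pt, err := aead.Open(nil, raw[:n], raw[n:], []byte(f))
		if err != nil {
			return fmt.Errorf("field %q: authentication failed", f)
		}
		rec[f] = string(pt)
	}
	return nil
}
func main() {
	aead, _ := NewFieldCipher(make([]byte, 32)) // constructed all-zero key; HSM-issued in practice
	rec := map[string]string{"id": "C-1001", "email": "a@example.com", "national_id": "123-45-6789"}
	ProtectFields(rec, aead, []string{"email", "national_id"})
	fmt.Println(rec) // "id" stays readable; the two protected values are opaque to a cloud provider
}
```

Because the key never leaves the organization, the provider can store and return the record but cannot read or silently alter the protected fields.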

A good source for practical advice

Our solution page for PCI DSS provides lots of useful guidance and documents that you can download, specifically to assist with PCI DSS compliance. What you find useful there can be used to secure your other critical, non-payment data.

For more general information on encryption, access control/monitoring and key management, I recommend that you check out our various product pages:

  • Vormetric Data Security Platform, the comprehensive data security solution for securing sensitive data across servers spanning data centers, clouds, big data and container environments.
  • General purpose and payment HSMs which support hardware-based key management and application encryption.
  • Datacryptor 5000 range for robust, scalable hardware-based encryption of data in motion.