The credit card is the undisputed king of retail. According to the British Retail Consortium’s 2013 Payments Survey, card payments accounted for 71 percent of retail sales value in the UK last year. Estimated fraud losses on UK cards (excluding online) totalled about £345 million for the same period, according to Financial Fraud Action UK (FFA UK). Retailers must comply with the card industry’s PCI DSS standards, and simply being PCI DSS compliant (or thinking you are) is probably not enough.
Consider a department store that has updated its transaction processing applications to comply with PCI DSS requirements. All transactions – new and older – are secure and compliant, but certain merchandise returns stored as digital images of the original receipt could include the credit card that was used, along with the customer’s driver’s license or other ID. These digital “photocopies” are likely stored in folders on a server and listed in a running spreadsheet.
In a PCI audit, the store can show that data for new transactions is secure, but can’t prove that all PCI-relevant data is equally secure. As a result, the company must either shut down the server, or manually review its entire contents and implement appropriate controls.
The fundamental aspects of compliance are the same regardless of industry or industry-specific regulations: enforcing compliance on unstructured data (documents, PDFs, spreadsheets, etc.) stored on SharePoint sites, NAS devices, file servers and the like, through access control, separation of duties, and the ability to audit. Different industries might use different terminology, but all regulations require these three things:
1. Access control – ensuring that access is given only to those who are supposed to have it. Employees who store unstructured data on sites like SharePoint and Dropbox can accidentally create sensitive content outside of the business systems when they merge data from different departments on these sites.
2. Separation of duties – ensuring there are no conflicts of interest, or too much power and knowledge in any one party’s hands. This is very similar to access control, but is more about who should be able to access what types of data.
3. Audit – proving that access control and separation of duties are in place and that the rules are followed. Perhaps the biggest challenge to data governance is finding all the data that actually needs to be governed. If you don’t know what data is out there, which of it needs to be secured and how much risk you are exposed to, you can’t prove compliance to an auditor.
What could the department store above have done differently? Solutions are available that help discover and classify data, evaluate the associated risk and point out where sensitive information is inadequately secured. The store also could proactively establish the correct rights for users, and restrict access in the same processes that grant rights across all other systems.
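The discovery step described above, as an added example that is not the page's or any vendor's code: a Python scanner that walks a file share, finds Luhn-valid card numbers in text and CSV exports (the file types are an assumption), reports them masked to first six and last four digits, and flags files readable by every local user. The sample share it builds is constructed for the demo.

```python
import os
import pathlib
import re
import tempfile

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, space/dash separators allowed
def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops digit runs (SKUs, order ids) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return the distinct Luhn-valid card numbers in text, digits only."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found

def scan_tree(root: str, exts=(".txt", ".csv")) -> list:
    """Find files under root holding PANs; mask them to first six/last four and flag world-readable files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                pans = find_pans(fh.read())
            if pans:  # world-readable (mode bit o+r) means access control is effectively absent
                hits.append({"path": os.path.relpath(path, root),
                             "masked": [p[:6] + "*" * (len(p) - 10) + p[-4:] for p in pans],
                             "world_readable": bool(os.stat(path).st_mode & 0o004)})
    return hits

def demo() -> list:
    """Constructed sample share: a returns export that leaks card numbers, plus a harmless file."""
    root = tempfile.mkdtemp()
    refunds = pathlib.Path(root, "returns", "refunds.csv")
    refunds.parent.mkdir()
    refunds.write_text("date,card,amount\n2013-04-02,4111 1111 1111 1111,49.99\n"
                       "2013-04-03,5500-0000-0000-0004,12.00\n")  # industry test numbers, not real accounts
    pathlib.Path(root, "inventory.txt").write_text("SKU 1234567890123 qty 12\n")  # 13 digits, fails Luhn
    refunds.chmod(0o644)  # group and other can read: the scanner flags this
    return scan_tree(root)
```

Each hit is a finding for the audit: which file, how many card numbers (masked), and whether its permissions already violate access control.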
An IT department must combat myriad threats to the company data, and meet multiple compliance regulations and internal policies, as well. The right technology choices will provide much needed data governance.