Global Corporation Secures Data and Meets PCI Compliance Goals
PKWARE's data-centric approach to security helped one of the world's largest companies secure millions of unprotected files before a critical compliance audit. Here's how it happened.
The acquisition and the audit
A global corporation had just completed its acquisition of a smaller company, and was preparing for a PCI DSS audit of the new business unit’s systems and processes. The organization’s audit and security teams were concerned about the possibility that credit card numbers and other forms of sensitive data had been stored without appropriate protection.
An unsustainable risk
PCI DSS requirements call for credit card information to be encrypted in transit and at rest. The corporation could ensure compliance for card data in its structured data environment, but unstructured data was another story.
Internal audits conducted after the acquisition revealed that some employees were storing unencrypted credit card numbers on their computers. Employees of the recently-acquired company had extracted the card numbers from databases and saved them in spreadsheets, documents, and other file types.
Security administrators could not determine how widespread the problem was, because they lacked visibility into the files that were being stored on employee desktops and laptops (and being synced to the cloud). The only way to find files that posed a compliance risk was to conduct a manual audit of each employee device—an approach that would be prohibitively costly and time-consuming.
However, the company could not leave the situation unaddressed. If the upcoming PCI audit revealed the presence of unprotected credit card numbers, the failure could lead to a series of negative consequences, including fines, industry sanctions, reputational damage, and disruptions in critical operations.
Automated Data Redaction from PKWARE
The company needed a solution that could provide visibility into files saved on employee computers, and could protect and remediate data that was being stored inappropriately. Most of the available products provided only one capability or the other, but implementing two new solutions—one to scan data and another to remediate it—would drain resources and increase the risk of an audit failure.
The organization had been using PKWARE solutions for data compression and encryption for years, and began to evaluate PKWARE’s automated data redaction technology. PKWARE was quickly identified as the preferred solution because it combined all of the capabilities the company required:
- Continuous scanning of new and modified files to determine whether the files contain credit card numbers.
- The ability to redact digits from credit card numbers while leaving other file contents unchanged.
- An automated workflow that requires no manual intervention by administrators or end users.
- A centralized control panel that allows administrators to define policies, deploy agents, and monitor activity in real time.
Security administrators deployed PKWARE’s redaction software on 30 employee desktops and laptops as a pilot implementation. The results were alarming: on those 30 computers, PKWARE detected 4,100 files containing more than 74 million credit card numbers between them.
Having determined the severity of its risk, security administrators deployed PKWARE’s automated data redaction solution on each of the newly-acquired company’s laptops, desktops, and file servers—thousands of devices in all. PKWARE automatically detected and remediated millions of files containing credit card numbers, eliminating an otherwise unmanageable risk. Following the deployment of PKWARE Data Redaction, the company achieved 100% compliance on its PCI audit.
The organization’s IT executives were highly impressed with PKWARE’s ease of deployment and unmatched capabilities. Shortly after deploying PKWARE’s automated data redaction solution within its payment processing business unit, the company made the decision to expand its installation, deploying the software on hundreds of file servers and more than one hundred thousand laptops and desktops across the enterprise.
With its automated redaction solution in place, the corporation is able to take thousands of devices and millions of files out of scope for its PCI audits, simplifying its compliance efforts and maintaining the security of its customers’ data.