Knowing where data resides leads to ways to protect it. Officials with W. Capra Consulting, Chicago, and Ricker Oil, Anderson, Ind., lay the foundation for such a review.
Payment
What: Credit- and debit-card numbers, including “track data” found on magnetic-stripe payment cards.
Where: Point-of-sale (POS), higher-end personal identification number (PIN) pads, electronic payment server (EPS) or forecourt controller, back-office computer, company network and central database or server. Any other device connected to the network could also have access to this data.
Ways to protect: Make sure all devices have application control capabilities to “white list” programs. This allows only predetermined programs to operate. Other tactics include data encryption and segmenting the payment network.
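Knowing where card data sits starts with finding it. The following is an added example, not from the article or from W. Capra Consulting or Ricker Oil: a small Python discovery check that scans text (a back-office log, an export, a PIN-pad debug file) for magnetic-stripe Track 1 and Track 2 data and for bare card numbers, using a Luhn check to discard random digit runs and reporting only masked numbers. The sample input is constructed and uses publicly known test card numbers.

```python
import re

# Card-data patterns. Track 1: %B<PAN>^<NAME>^<YYMM>...?   Track 2: ;<PAN>=<YYMM>...?
TRACK1_RE = re.compile(r"%[A-Z](\d{13,19})\^[^^?]{2,26}\^\d{4}[^?%]*\??")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}[^?;]*\??")
# Bare PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

def luhn_valid(digits: str) -> bool:
    """Luhn check: filters random digit runs (order numbers, timestamps) from real PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Report only the first six and last four digits, never the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_card_data(text: str) -> list:
    """Return (kind, masked_pan, line_number) for every track or PAN hit in text."""
    findings, covered = [], []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            if luhn_valid(m.group(1)):
                findings.append((kind, mask(m.group(1)), text.count("\n", 0, m.start()) + 1))
                covered.append(m.span())
    for m in PAN_RE.finditer(text):
        if any(s <= m.start() < e for s, e in covered):
            continue                      # PAN already reported as part of a track
        pan = re.sub(r"[ -]", "", m.group())
        if 13 <= len(pan) <= 19 and luhn_valid(pan):
            findings.append(("pan", mask(pan), text.count("\n", 0, m.start()) + 1))
    return findings

# Constructed sample of a back-office log; the card numbers are public test numbers.
SAMPLE = "\n".join([
    "order 1234567890123456 shipped",                     # 16 digits, fails Luhn: ignored
    "%B5555555555554444^DOE/JOHN^25121011000000000000?",  # full Track 1
    ";4111111111111111=25121010000000000000?",            # Track 2
    "customer card 4012 8888 8888 1881 kept on file",     # bare PAN with separators
])

if __name__ == "__main__":
    for kind, masked, line in find_card_data(SAMPLE):
        print(f"line {line}: {kind} {masked}")
```

Run it over files pulled from the locations listed above; any hit on a back-office computer or employee laptop is data that should not be there and belongs in the encryption and segmentation plan.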
Loyalty, Marketing, Sensitive Data
What: Information collected to run loyalty programs, communicate special promotions or offers, and issue company-branded credit cards, plus internal information on pricing, sales and strategies.
Where: POS, PIN pads, network, back-office computers, employee laptops and mobile devices and corporate servers.
Ways to protect: Firewalls, passwords, employee training, limited access and strong authorization processes. Protect data via encryption and employ automated solutions to monitor for intrusions or to allow only approved programs to run.
Employees
What: Data needed to hire, schedule, train, review and pay employees.
Where: Back-office computers, network and corporate servers.
Ways to protect: Secure in the same ways as loyalty and business-sensitive data: implement strong authorization models and strictly limit each type of information to those who absolutely need it.
Third Party
What: Information a third party, such as a loyalty-program provider, holds on the company’s behalf: customer and employee personal data, or sensitive data about company operations.
Where: On third-party computers, networks, devices and servers.
Ways to protect: Write contracts stipulating security requirements, ask for certifications, demand proof of security claims and use vendors with strong reputations for maintaining high security standards.
Sources: W. Capra Consulting Group, Ricker Oil Co.