Gary Palgon
Vice President, Product Management
nuBridges
Data Loss Protection or Data Leak Prevention (DLP) applications are often used to discover credit card and other personally identifiable information in enterprises. If you don’t know where sensitive data exists, how can you protect it?
Imagine this. Your company has migrated to a security model where tokens, or surrogate values, are spread throughout the enterprise instead of the actual values, say for actual credit cards. If the tokens are format-preserving and therefore resemble credit cards but are actually tokens, how will the DLP systems know that they are tokens and not sensitive data?
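To make the problem concrete, here is an added Python sketch (not part of the original post, and not nuBridges' code): a DLP-style scanner that finds card-shaped digit runs with a regular expression and a Luhn check, beside a constructed, hypothetical format-preserving tokenizer that can be told to emit tokens that either pass or fail Luhn. All sample numbers, function names and the "fail Luhn on purpose" idea are assumptions made for this illustration, not something the post states.

```python
import random
import re
from typing import Dict, List

# Constructed sample input, the kind of text a DLP scanner might read.
# 4111111111111111 is a well-known test card number; the token is made up.
SAMPLE_TEXT = """\
order 1001 card=4111111111111111 (test PAN, plain)
order 1002 card=4111-1111-1111-1111 (same test PAN, formatted)
order 1003 card=4111111111111112 (constructed token that fails Luhn)
order 1004 ref=1234567890 (too short to be a card number)
"""

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_LIKE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_for_pans(text: str) -> List[Dict]:
    """Minimal DLP-style detector: regex for shape, Luhn for plausibility.
    Returns one finding per card-shaped run, in document order."""
    findings = []
    for m in PAN_LIKE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        ok = luhn_valid(digits)
        findings.append({
            "match": m.group(),
            "digits": digits,
            "luhn": ok,
            "verdict": "possible PAN" if ok else "fails Luhn: token or noise",
        })
    return findings


def format_preserving_token(pan: str, *, pass_luhn: bool, seed=None) -> str:
    """Hypothetical tokenizer for illustration only (not a real product):
    keeps the PAN's length and last four digits, randomises the rest, and
    steers one digit so the result passes or fails Luhn as requested.
    A real token vault would also store the mapping and enforce uniqueness."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("PAN must be 13-19 digits")
    rng = random.Random(seed)
    head_len = len(pan) - 4
    for _ in range(100):
        head = [str(rng.randrange(10)) for _ in range(head_len)]
        head[0] = str(rng.randrange(1, 10))  # avoid a leading zero
        for d in range(10):  # exactly one d makes the Luhn sum come out 0 mod 10
            head[1] = str(d)
            candidate = "".join(head) + pan[-4:]
            if luhn_valid(candidate) == pass_luhn and candidate != pan:
                return candidate
    raise RuntimeError("could not build a token")


if __name__ == "__main__":
    for f in scan_for_pans(SAMPLE_TEXT):
        print(f"{f['match']:>22}  luhn={f['luhn']!s:5}  {f['verdict']}")
    pan = "4111111111111111"
    looks_real = format_preserving_token(pan, pass_luhn=True, seed=1)
    marked = format_preserving_token(pan, pass_luhn=False, seed=1)
    # The Luhn-valid token is reported exactly like the real PAN; the
    # Luhn-failing one is at least separable by a scanner that checks Luhn.
    for f in scan_for_pans(f"{looks_real} {marked}"):
        print(f"{f['digits']}  {f['verdict']}")
```

Two observations follow from running it. A format-preserving token that also passes Luhn produces the same finding as the real PAN, so a scanner built on shape plus Luhn has no way to tell them apart; the only remaining signals are out-of-band (for example, the DLP product consulting the token vault, or the tokens carrying a BIN range or digit pattern reserved for tokens). Deliberately Luhn-failing tokens are separable, but only if every DLP product in the estate actually applies a Luhn check and no downstream system rejects the token for failing it; both points are assumptions to verify before relying on that trick.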
While the latest indications are that the next PCI DSS standard will contain only minor changes (see No major PCI DSS revision expected in 2010), Walt Conway pointed out in StorefrontBacktalk that there’s a real possibility the PCI DSS standard may eventually mandate automated cardholder data discovery.
We better get creative quickly to solve this one! Any ideas?
Until next time,
Gary