- What is PCI compliance?
- Critical requirements of PCI compliance
- Problems that companies experience in PCI compliance
- Introduction to Google Apps
- Requirements that organizations fail to meet and how Google Apps can help
What is PCI compliance?
PCI compliance refers to a set of security standards created by the payment card industry (PCI) for organizations that handle payments from the major credit card companies, including VISA, Mastercard, American Express, Discover, and JCB. The PCI Data Security Standard (PCI DSS) was created by the PCI Data Security Council, an organization established by the major credit card companies themselves in 2006 but which operates independently of these companies. The purpose of the PCI DSS is to prevent data loss and credit card fraud that could result from leaked data.
Critical Requirements of PCI
As currently configured, the PCI DSS includes six so-called “control objectives”, which are implemented through one, two, or three specific requirements that meet those objectives. In all, there are twelve specific requirements. The six control objectives and twelve main requirements have remained the same since the creation of the PCI DSS in 2006.
Challenges Faced by Organizations in Achieving PCI Compliance
All organizations processing credit card information have a difficult and critically important obligation to maintain the security of that information. The risks of data loss and credit card fraud are great and widely publicized. Large credit card data leaks have occurred at major retailers and other companies, including Target, Sony, Home Depot, Staples, KMart, Adobe, Neiman-Marcus, Michael’s, P.F. Chang’s, and LivingSocial, to name a few. An especially large data breach, involving some 130 million card records, occurred at Heartland Payment Systems in 2009.
Introduction to Google Apps
Google Apps is a suite of cloud computing tools designed for both business and personal needs, providing capabilities for productivity, document creation and management, collaboration, communication, and social interaction. Google Apps includes the web applications Gmail, Google Drive, Google Docs, Google Calendar, and Google Hangouts. Google Apps for Business provides a secure alternative for document management that has been well proven, allowing businesses to conduct most computer-based work and transactions using Google Apps cloud services.
Approximately 60% of Fortune 500 companies now use Google Apps, and Google Apps has been adopted widely by companies handling sensitive information, including credit card information, as well as health and legal information.
Three Requirements That Organizations Fail to Meet and How Google Apps Can Help Meet Them
There are many important ways in which organizations must comply with PCI DSS standards but where they all too often come up short. For most companies, Google Apps can provide a way to meet these requirements more efficiently and reliably. Here is a list of three important PCI DSS security requirements that companies sometimes fail to meet, and the ways in which Google Apps can help to meet them.
#1: Protect Cardholder Data
Google’s official stance on PCI DSS data is that Google Apps was not meant to process or store credit card transactions. However, two Google Apps components that could be used or misused in transmitting or storing PCI DSS data are Gmail and Google Drive. Sensitive data that is used temporarily could end up stored on Google Drive or even transmitted through Gmail. Protecting cardholder data involves both protecting any data that may be stored and ensuring that only data that must be transmitted is transmitted (and that it is always encrypted).
Storage. PCI DSS data that an organization receives in Google Apps could in theory be stored and managed in a couple of different ways. Information that is copied into Google Drive will remain indefinitely, until it is manually deleted by the user or an admin. To comply with rules that limit the retention of PCI DSS data, these data should either not be stored on Google Drive at all, or their retention should be carefully managed. Third-party software may help with the management of such data.
For the retention of email and recorded chats, Google Vault allows tailored management of retention rules by user or group. Google Vault is specifically designed to enable management of information that is sensitive to the company and can easily be employed to manage compliance.
Transmission. Unwanted or accidental transmission of credit card and other sensitive information can be controlled through the Google Admin console. Log in to the Google Admin console and select Apps > Google Apps > Gmail > Advanced settings. Select the organizational unit to which the settings should apply, and add settings to prevent the sending of emails containing credit card numbers or any other sensitive information. Settings can identify unambiguous patterns, such as credit card numbers. For messages containing sensitive information that must nevertheless be transmitted, the settings allow you to require secure transport or to remove attachments automatically.
#2: Implement strong access control measures
Google Apps allows the admin to define access to specific Google Apps and files for specific users and organizational units. In general, PCI DSS compliance is best achieved by limiting access to data on a need-to-know basis, where only those entities that require access to carry out company business are granted it.
#3: Regularly monitor and test networks
Along with establishing clear guidelines for access and ensuring that access is limited to those with demonstrated need, it is also important to regularly monitor and test the system as a whole to avoid problems that could arise from glitches or oversights. The Admin Audit Console log provides a record of all admin changes made and who made them, allowing company managers to monitor activity as a whole and double-check that procedures mandated by the company are being properly executed. Google Apps and third-party apps provide effective real-time monitoring solutions to track and monitor cardholder data. These monitoring capabilities substantially support log review and the enforcement of access restrictions.