Photo source: anidirect.com
PCI Compliance and Data Security
A dichotomy exists between information and data – and the way that information and data are discussed, stored, protected, and used. Any number of people reading this might identify themselves as working with “Information Systems” in the field of “Information Technology,” and some of them work with “Information Security.” Sometimes they attend meetings and talk about “Information” and “Information Sharing.” But most often they are talking about “data” – data flows, data stores, data shares, data systems, data access, data security, and so on.
There is no need for a primer on the difference between data and information.
It is clear to the users of information that what they want is information. They may ask for data, they may seek so-called data points, but what they are really asking for is information. After all, information is useful; it makes the difference between decisions and informed decisions. And at the end of the day, the information systems people deliver information to decision makers. They store this information in their information bases. No, wait a minute – it is stored in databases. So what they are really working with is data?
Data becomes information when it delivers something meaningful to someone. We can take any block of data and extract from it an endless stream of meaningless information. An example is baseball. From data recorded from each game, we can extract the number of runs scored, the number of bases stolen, the number of games won at home, the number of games won away, the number of errors made in the last ten years – the list goes on to infinity. Who cares? Well someone at some point may care. Perhaps the real question is “Which was the best team last season?” Or perhaps “Who is the best player of all time?” Or any other question you could dream up. Regardless of the question, the fact remains that the person recording the plays and the scores at each game does not seek to answer these questions. He/she is simply collecting data and storing it for later use. What will it be used for – 50 years from now? Who knows? Who cares? For some just simply knowing that the players will be back on that field next season is good enough. In the meantime, just let our information people hold on to that data in a safe place so that it’s there when we need it, for whatever reason we might need it .
Now let’s say that some of that data is sensitive. Well, we should protect the sensitive data. Which data is sensitive? (I don’t know – it’s your database, you tell me) The sensitivity of the data will be determined by the sensitivity of the information that will be conveyed when it is accessed. Meanwhile, are you keeping your eye on the ball like a good player? Good – I just stole second base. Are you keeping your eye on second base like a good fan? Good – I just stole your hot dog from under your nose.
Regulation guides us to identify what data is sensitive. PCI DSS tells us to protect cardholder data. HIPAA directs us to protect health and medical information. Upper management decided that your customer list is private and must be protected from the competition. Everything else is not sensitive and need not be protected the same way.
Yet I know of a web-based charity that boasted of impenetrable cardholder data security. Indeed it was. But when credit card accounts were stolen from donors who made charitable contributions to the organization’s website, it was the customer contact list that was stolen, not the credit card database. Why go through all the trouble of hacking a secure database when you can simply telephone the donor and ask for it? They were just as willing to give it out over the phone, as they were online.
Information is pulled from an information system. When we know “What” information will be pulled, and when we know “How” that information is sensitive, then we know the sensitivity of the data from which that information came. If we don’t know the sensitivity of the information or how it might be used, then we don’t know the data. Since it is the job of information systems professionals to store all data holistically, then it is their job of securing all data holistically – not selectively.