
©2014 Bitglass, Inc. www.bitglass.com
Phone: (408) 337-0190 - Email: [email protected]

Whitepaper

PCI Data Security Compliance & BYOD

Employees use mobile devices in their personal lives because they are easy to use anytime, anywhere. According to the Pew Research Center’s 2013 Internet & American Life Survey, smartphone adoption in the US crossed 50% of the adult population in 2013, increasing 10% in each of the past three years. Enabling employees to access corporate email on BYOD, i.e., to use their personal smartphones for work, offers significant benefits to businesses in the form of increased productivity and cost savings. But enabling BYOD carries increased information security risk and puts regulatory compliance at risk. The Payment Card Industry adopted Version 3.0 of the Data Security Standard (PCI-DSS) effective Jan 1st, 2014. Entities that store, process, or transmit customer payment card data must adhere to the latest requirements. Traditional security solutions are limited in their ability to enable compliance on BYOD due to inherent architectural challenges, so new technology is required to meet these needs for today’s enterprise.

Recommendations for Compliance

The conventional approach to securing mobile devices for compliance is to deploy Mobile Device Management (MDM) software agents on each device. MDM software is difficult to install and manage, particularly on BYOD devices that span a broad range of hardware and software platforms. While MDM solutions can detect jailbroken iPhones and the like, they can do nothing to prevent the leakage of cardholder information to employee-owned devices. Furthermore, organizations that plan to allow Android devices should be aware that a jailbroken iOS device is essentially equivalent to an Android device and is a security risk only in that MDM agents fail to work on jailbroken iOS devices. The following sections list best practices for enabling BYOD in a PCI-DSS compliant fashion.

1. Protect Cardholder Data (PCI-DSS §3, §4)

Cardholder data should be encrypted during transmission over open, public networks and protected when stored. In practice, downloading cardholder data to a BYOD device violates the requirement that cardholder data be protected when stored. Consequently, Data Leakage Prevention (DLP) technology should be deployed to redact or block mobile email and attachments containing cardholder data before they are downloaded to BYOD mobile devices. Preventing the download of cardholder data to mobile devices is the single most important security measure we recommend.

2. Implement Strong Access Control Measures (PCI-DSS §7, §8)

When enabling mobile email, ensure that mobile devices have strong PIN settings. This requirement is an added layer of security over and above the redaction of cardholder data described in the previous section. If possible, restrict access to mobile email on a “business need to know” basis.

3. Track and Monitor All Access to Network Resources and Cardholder Data (PCI-DSS §10)

Maintain auditable logs for mobile data access. Such logs should be easily searchable for the presence of cardholder data. Another important audit case is identifying the list of documents on a lost or compromised mobile device. Monitor all communication on BYOD devices for data leakage and unauthorized access. Automated alerts for rogue usage are recommended.

4. Maintain an Information Security Policy (PCI-DSS §12)

Developing and publishing a security policy, and educating employees on appropriate measures such as reporting lost or stolen mobile devices and not storing or copying cardholder data onto personal computers, decreases the likelihood of user error or intentional misuse.

5. Respect Employee Privacy

Employees expect privacy in their personal communications. Deploying a mobile security solution that infringes on employee privacy encourages employees to communicate via other channels, such as personal email, putting compliance at immediate risk.
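The redaction of section 1 and the log search of section 3 rest on the same primitive: finding a primary account number (PAN) in text. The example below is added here and is not Bitglass code or part of the whitepaper; it detects PANs as 13 to 19 digit runs that pass the Luhn checksum, masks them to the last four digits, applies a gateway policy (the `mode` values "redact" and "block", and the rule that an attachment containing a PAN is dropped, are assumptions chosen for illustration), and searches log lines for cardholder data without writing the full PAN back out. The messages and log lines are constructed; 4111 1111 1111 1111 and 5500 0000 0000 0004 are well-known Luhn-valid test numbers, not real cards.

```python
"""Minimal DLP check for cardholder data (added example, not Bitglass code).

  - redact_pans / apply_dlp_policy: redact or block mail before it reaches a
    BYOD device (PCI-DSS section 3/4 recommendation in the whitepaper).
  - search_log_for_cardholder_data: make audit logs searchable for PANs
    (section 10) while returning only masked matches.

Detector: 13-19 digit run (single spaces or dashes allowed) + Luhn mod-10.
"""
import re

# Candidate PAN: 13-19 digits with optional single space/dash separators,
# not embedded in a longer digit run (a 20-digit run is not a card number).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return [(start, end, digits)] for every Luhn-valid candidate in text."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def redact_pans(text: str):
    """Mask each detected PAN, keeping only its last four digits.
    Returns (redacted_text, number_of_pans_found)."""
    out, last = [], 0
    hits = find_pans(text)
    for start, end, digits in hits:
        out.append(text[last:start])
        out.append("*" * (len(digits) - 4) + digits[-4:])
        last = end
    out.append(text[last:])
    return "".join(out), len(hits)


def apply_dlp_policy(body: str, attachments: dict, mode: str = "redact"):
    """Decide what a mail gateway delivers to a BYOD device (policy is assumed).

    mode="block":  refuse the whole message if any PAN is found anywhere.
    mode="redact": mask PANs in the body; attachments (name -> extracted text)
                   that contain a PAN are dropped rather than rewritten.
    Returns a dict describing the action taken.
    """
    body_redacted, body_hits = redact_pans(body)
    dirty = [name for name, text in attachments.items() if find_pans(text)]
    findings = body_hits + len(dirty)
    if findings == 0:
        return {"action": "deliver", "body": body,
                "attachments": list(attachments), "findings": 0}
    if mode == "block":
        return {"action": "block", "body": None, "attachments": [], "findings": findings}
    clean = [name for name in attachments if name not in dirty]
    return {"action": "redact", "body": body_redacted, "attachments": clean,
            "findings": findings, "stripped_attachments": dirty}


def search_log_for_cardholder_data(lines):
    """Audit helper: (line_number, masked_line) for each log line holding a PAN,
    so the audit report itself does not re-expose cardholder data."""
    findings = []
    for n, line in enumerate(lines, start=1):
        masked, count = redact_pans(line)
        if count:
            findings.append((n, masked))
    return findings


if __name__ == "__main__":
    # Constructed sample: the order id 1234567890123456 is 16 digits but fails
    # Luhn, so it is left alone; the test card numbers are masked.
    body = "Refund approved for card 4111 1111 1111 1111, order 1234567890123456."
    atts = {"invoice.txt": "Charged 5500-0000-0000-0004", "notes.txt": "no card data"}
    print(apply_dlp_policy(body, atts, mode="redact"))
    print(apply_dlp_policy(body, atts, mode="block"))
    log = [
        "2014-01-15 09:02:11 user=alice action=sync folder=Inbox",
        "2014-01-15 09:02:12 user=alice attachment=invoice.txt text=5500-0000-0000-0004",
    ]
    print(search_log_for_cardholder_data(log))
```

The Luhn check removes most random digit runs (order ids, timestamps) from the match set, but it is not a proof of cardholder data: IMEIs, for instance, are also Luhn-checksummed 15-digit numbers, so a production DLP engine adds issuer (BIN) range checks and surrounding context before deciding. Attachments are passed in as already-extracted text; binary formats (PDF, Office documents) need format-aware extraction before this check can see their contents.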


Conclusion

Enabling BYOD offers great productivity gains for enterprises, but puts PCI-DSS compliance at risk. To ensure security and compliance, enterprises should choose a security solution that simultaneously satisfies two constituencies: the IT department seeking security and control, and employees seeking usability and privacy. To learn more, contact Bitglass (www.bitglass.com) for a free demonstration.


About Bitglass

Secure Cloud & Mobile in Minutes

As enterprises adopt BYOD and cloud applications, IT is faced with securing corporate data that resides on third-party servers and travels over third-party networks to employee-owned mobile devices. Existing security technologies are simply not suited to solving this task, as they were developed to secure the corporate network perimeter. Adding to the challenge, employees have an expectation of privacy when using the same mobile devices and apps for work and personal use. Bitglass brings to market breakthrough technologies that deliver the security and visibility IT needs to enable mobile and cloud in the workplace, while respecting user privacy. Bitglass was founded in 2013 by a team of industry veterans with a proven track record of innovation and execution. Find us at www.bitglass.com or [email protected].

   
