Solved

Best ways to mitigate sensitive data loss if the data needs to be taken out for a business event

Posted on 2016-11-10
Last Modified: 2016-11-11
We have a need to take out a list of customers' names, credit card# & PII (Personally Identifiable Info)
to a Lucky Draw event to validate the identity of customers who won the lucky draw when the customers
come forward to claim their prizes.  We can't cancel such an event nor post the reward to them.

However, this is against PCI-DSS (which we're certified).  So what are the best ways to take out these
sensitive data to the event?

a) for sure, printing them out on hardcopy papers is not safe in case the papers got lost so this
    should be disallowed

b) save these data on a secure laptop (where the HDD is encrypted, Wifi & USB port disabled )
    &  validate by viewing against the info in the screen : is this alone good enough?  I think it
    helps in the event the laptop got lost/stolen during the event, the encrypted HDD will mitigate

c) have IT security staff to escort the laptop during the event?  Is this needed?


Any other better options?

I thought of bringing a laptop that could VPN into the backend secure server to view the data
remotely but this is a bit too late to prepare for at this time but is this more secure than option
b above?
Question by:sunhux
7 Comments
 
LVL 35

Assisted Solution

by:Terry Woods
Terry Woods earned 150 total points
ID: 41882810
Can you salt and hash each value, so that when a verification is needed you get the value from the customer, add the same salt, hash it, and compare it with your list of hashed values?
1
 
LVL 77

Assisted Solution

by:arnold
arnold earned 70 total points
ID: 41882856
Along the suggested path above, you could use firstname, lastname, dob, use md5
Then use the provided info with md5 and match the string.

The other option is to have someone at work on duty, someone would call in to confirm.
All your list will have is internal identifier, first name, lastname. To avoid having the call overheard with identifying info, the caller will provide the internal identifier, and the other individual known info, dob, last four of cc if needed.
0
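Added example, not part of any post in this thread: a sketch of the salt-and-hash check suggested by Terry Woods and arnold, so that only digests travel on the laptop. It swaps the MD5 mentioned above for PBKDF2-HMAC-SHA256, because card numbers and dates of birth are low-entropy; the function names, work factor, salt and sample records are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import unicodedata

ROUNDS = 200_000  # assumption: PBKDF2 work factor, tune to the laptop

def normalise(name, dob, card):
    """Canonical form, so case and spacing do not change the digest."""
    name = " ".join(unicodedata.normalize("NFKC", name).casefold().split())
    digits = "".join(ch for ch in card if ch.isdigit())
    return "\x1f".join((name, dob.strip(), digits)).encode("utf-8")

def digest(record, salt):
    # Slow, salted hash: card numbers and birth dates are low-entropy,
    # so a single fast hash (MD5, SHA-256) is cheap to enumerate offline.
    return hashlib.pbkdf2_hmac("sha256", record, salt, ROUNDS)

def build_list(customers, salt):
    """Run on the back-end system; only the digests go onto the laptop."""
    return [digest(normalise(*c), salt) for c in customers]

def verify(claim, salt, digests):
    """Hash what the claimant presents and look for it in the list."""
    candidate = digest(normalise(*claim), salt)
    found = False
    for d in digests:  # no early exit, constant-time comparison
        found |= hmac.compare_digest(candidate, d)
    return found

def demo():
    # Constructed sample data: fictional winners and test card numbers.
    # Placeholder salt; in practice use a random value kept off the laptop's disk.
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    winners = [
        ("Alice Tan", "1980-02-29", "4111 1111 1111 1111"),
        ("Bob Lim", "1975-11-03", "5555 5555 5555 4444"),
    ]
    digests = build_list(winners, salt)
    ok = verify(("  alice  TAN", "1980-02-29", "4111-1111-1111-1111"), salt, digests)
    wrong = verify(("Alice Tan", "1980-02-29", "4111 1111 1111 1112"), salt, digests)
    return ok, wrong

if __name__ == "__main__":
    print(demo())
```

The digest list is only as strong as the secrecy of the salt and the work factor, so the salt is best entered by staff at the event rather than stored beside the list.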
 
LVL 25

Assisted Solution

by:madunix
madunix earned 60 total points
ID: 41882865
1. Do not bring it
2. Perhaps a secure web location.
3. Bring it on a secure Notebook/laptop.  
4. Last resort a USB/Thumb drive.    
As always it depends on:  
A. The data.  
B. Why it needs to be brought to an event.  
C. How the data is being used at the event.   (Presentation, working session); Normally the use of statistics for display and fake data for demos is better
0

 
LVL 62

Accepted Solution

by:btan
btan earned 160 total points
ID: 41883120
1. Account for the Personal data using your issued official notebook and do the VPN (2FA) instead. I suppose your notebook is protected since you are PCI certified. Ideally a clean notebook with USB and wireless disabled for the VPN. Disk HDD is minimally required. Bring along the cable lock.

2. Use encrypted thumbdrive which is 2FA protected. Information accessible after authentication check against a token or biometric. Make sure no other information inside.

3. Sanitise the personal data such that the NRIC reveals the last digit only, and apply this for phone, credit card and identifiable fields. I will say you really just need the name and photo ID. This is to minimise (not totally avoid) exposure of the whole personal data set.

Do get the authorisation and signed-off AUP for accountability, as well as know the incident procedure in the event of loss. Also note a media statement is to be prepared for use in the event of personal data loss.

I still see a clean notebook with VPN OS preferred. Otherwise hardcopy, and you really keep constant sight of the copy and do not make duplicates. Have it watermarked and sealed in an envelope and shred it once it is not necessary for use. Have a cross-cut shredder on site.
0
 

Author Comment

by:sunhux
ID: 41883220
It's not feasible to extract the photos from the system to match against the lucky draw winners'  :
presume you meant a photo ID is less likely to be fabricated.

I've checked with the business user & was told last few digits of the card and ID/NRIC is not good enough,
they need the full numbers.

Salting is feasible, just that a salting/hashing tool needs to be installed on the laptop
0
 
LVL 62

Expert Comment

by:btan
ID: 41883317
Use encrypted storage but I do prefer the notebook that can be cable locked. Lock down the machine not to be connected wired or wireless. More of standalone.

You can do obfuscation if worried but password protect the document in zip or Veracrypt on top of the disk encryption.
0
 
LVL 28

Assisted Solution

by:jhyiesla
jhyiesla earned 60 total points
ID: 41883734
Perhaps I'm missing something, but if you're just trying to identify individuals when they come up for their prize, why not just take a list of names?
0


Question has a verified solution.
