Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 105
  • Last Modified:

Best ways to mitigate sensitive data loss if the data needs to be taken out for a business event

We have a need to take out a list of customers' names, credit card# &  PII (Personally Identfble Info)
to a Lucky Draw event to validate customers identity who won the lucky draw when the customers
come forward to claim their prizes.  We can't cancel such an event nor post the reward to them.

However, this is against PCI-DSS (which we're certified).  So what's the best ways to take out these
sensitive data to the event?

a) for sure, printing them out on hardcopy papers is not safe in case the papers got lost so this
    should be disallowed

b) save these data on a secure laptop (where the HDD is encrypted, Wifi & USB port disabled )
    &  validate by viewing against the info in the screen : is this alone good enough?  I think it
    helps in the event the laptop got lost/stolen during the event, the encrypted HDD will mitigate

c) have IT security staff to escort the laptop during the event?  Is this needed?


Any other better options?

I thought of bringing a laptop that could VPN into the backend secure server to view the data
remotely but this is a bit too late to prepare for at this time but is this more secure than option
b above?
0
sunhux
Asked:
sunhux
5 Solutions
 
Terry WoodsIT GuruCommented:
Can you salt and hash each value, so that when a verification is needed you get the value from the customer, add the same salt, hash it, and compare it with your list of hashed values?
1
 
arnoldCommented:
Along the suggested path above, you could use firstname, lastname, dob, use md5
Then use the provided info with md5 and match the string.

The other option is to have someone at work on duty, someone would call in to confirm.
All your list will have is internal identifier, first name, lastname. To avoid having the call overheard with identifying info, the caller will provide the internal identifier, and the other individual known info, dob, last four of cc if needed.
0
 
madunixChief Information Security Officer Commented:
1. Do not bring it
2. Perhaps a secure web location.
3. Bring it on a secure Notebook/laptop.  
4. Last resort a USB/Thumb drive.    
As always it depends on:  
A. The data.  
B. Why it needs to be brought to a event.  
C. How the data is being used at the event.   (Presentation, working session); Normally the use of statistics for display and fake data for demos is better
0
Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

 
btanExec ConsultantCommented:
1. Account for the Personal data using your issued official notebook and do the VPN (2FA) instead. I supposed your notebook is protected since you are PCI certified. Ideally a clean notebook with USB and wireless disabled for the VPN. Disk HDD is minimally required. Bring along the cable lock.

2. Use encrypted thumbdrive which is 2FA protected. Information accessible after authentication check against a token or biometric. Make sure no other information inside.

3. Sanitised the personal data such that the NRIC reveal the last digit only, applies this for phone, credit card and identifiable fields. I will say you just need really the name and photo ID. This is to minimise (not totally avoid) exposure of the whole personal data set.

Do get the authorisation and signed off AUP for accountability as well as know the incident procedure in event of loss. Also note media statement is to be prepare for use in event of personal data loss.

I still see a clean notebook with VPN OS preferred. Otherwise hardcopy and you really keep constant sight of the copy and do not make duplicates. Have it watermark and sealed in envelope and shred it onve it ia not necessary for use. Have a criss cur shredder on site.
0
 
sunhuxAuthor Commented:
It's not feasible to extract the photos from the system to match against the lucky draw winners'  :
presume you meant a photo ID is less likely to be fabricated.

I've checked with the business user & was told last few digits of the card and ID/NRIC is not good enough,
they need the full numbers.

Salting is feasible, just that need a salting/hashing tool to be installed on the laptop
0
 
btanExec ConsultantCommented:
User encrypted storage but I do preferred the notebook that can be cable locked. Lockdown the machine not to be connected wired or wireless. More of standalone.

You can do obfuscation if worry but password protect the document in zip or Veracrypt on top of the disk encryption.
0
 
jhyieslaCommented:
Perhaps I'm missing something, but if you're just trying to identify individuals when they come up for their prize, why not just take a list of names.
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now