Any company wishing to accept card payments over the phone, in person, or online from the world’s biggest card schemes must comply with the Payment Card Industry Data Security Standard (PCI DSS). Lending and brokerage firms whose collection of sensitive credit card and personal information is a core part of their business operations are no exception.
Compliance requirements for lending and brokerage firms
PCI DSS is an international proprietary information security standard developed by the PCI Security Standards Council for organizations that handle cardholder information for the world’s biggest card schemes: American Express, Discover, JCB, MasterCard, and Visa. It was adopted by financial institutions worldwide as a general standard to help protect payment systems from breaches, fraud, and theft of cardholder data.
Noncompliance with PCI DSS comes with hefty fines of up to $100,000/month and increased transaction fees. But the biggest danger is the possibility of a company’s relationship with its bank being permanently terminated. Organizations can also be added to the Merchant Alert to Control High-Risk (MATCH) list, which means they would never be allowed to process card payments again.
Besides PCI DSS compliance, lending and brokerage firms need to be mindful of data protection laws such as the EU’s General Data Protection Regulation (GDPR), the Gramm-Leach-Bliley Act (GLBA), and the California Consumer Privacy Act (CCPA). These regulate the collection, processing, and storage of personally identifiable information (PII) such as names, addresses, and phone numbers and grant several rights to data subjects.
To meet compliance requirements and protect both credit card and personal information, lending and brokerage firms can turn to cybersecurity solutions. Companies can implement basic security measures such as firewalls and antimalware solutions to prevent malicious attacks. They can also turn to more advanced strategies such as the use of Trusted Platform Module (TPM) capabilities and the adoption of Zero Trust architecture.
However, that may not be enough to prevent a data breach. Traditional security strategies tend to address only external threats while ignoring security risks associated with insiders.
Here are our tips on how lending and brokerage companies can improve their cybersecurity strategies and address these often overlooked threats.
1. Monitor sensitive data
To better understand vulnerabilities in their data flow and check whether their security policies are being applied effectively, lending and brokerage firms can use data monitoring tools such as Data Loss Prevention (DLP) solutions.
DLP technology lets companies track sensitive data through policies built on predefined profiles for specific data protection laws and standards such as PCI DSS, GLBA, and GDPR, or on custom definitions tailored to company needs. Through these policies, organizations can identify any files containing sensitive data and follow their movements across the company network. They can also discover data exit points and employees who bypass security policies, whether to steal data or simply to make their tasks easier.
By identifying bad data security practices among employees through data monitoring, organizations can better educate them in future training sessions by focusing on known risks. Monitoring can also help companies discover which employees require further training and which do not. In this way, they can prioritize education for those who need it and save money.
2. Protect sensitive data from internal threats
Monitoring and training do not eliminate the risks posed by internal threats. Insiders can also turn malicious and try to steal data for personal gain or because outsiders have compromised them. There is also no guarantee that even the most diligent employee will not have a moment of carelessness in which they send an email to the wrong person or hit reply all. While these kinds of incidents cannot be eliminated, sensitive data can be protected from them.
Lending and brokerage firms can apply DLP policies not only to monitor sensitive data but also to prevent it from being shared through popular messaging apps such as Skype or Slack, through personal email or cloud applications, or by being printed or copy-pasted into the body of an email. They can also scan locally stored data and apply remediation actions such as encryption or deletion when sensitive data is found in unauthorized locations.
Some solutions, like Endpoint Protector DLP software, minimize disruption to a company’s workforce through a flexible implementation of DLP policies: companies can set different rules for groups, departments, individuals, or devices. In this way, employees who work directly with sensitive data every day can be controlled more strictly without affecting overall productivity.
3. Control the use of removable devices
Removable devices are another common data exit point. In the past decade, USB drives have been the root cause of massive data breaches, and in recent years they have also become a popular malware delivery tool. Yet removable devices are also useful to employees, who rely on them to transfer large amounts of data or to take data along to off-site meetings.
Lending and brokerage firms can use DLP solutions to control the use of peripheral and USB ports as well as Bluetooth connections. Companies can choose to block removable devices altogether or limit their use to secure, pre-approved devices. In this way, companies not only ensure data security but can also monitor the use of removable devices and easily identify which sensitive data transfers were attempted, by which employee, at what time, and with which device.
Frequently Asked Questions
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is a US federal law that requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive information. Enforced by the Federal Trade Commission (FTC), the law consists of three parts (the Financial Privacy Rule, the Safeguards Rule, and the Pretexting provisions) and applies to all companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance.
PCI DSS protects two categories of data: cardholder information and sensitive authentication data. Cardholder data refers to information such as primary account numbers, cardholder name, card expiration date, and service code. Meanwhile, sensitive authentication data includes full track data (magnetic-stripe data or equivalent on a chip), PINs and PIN blocks, and card verification values (CAV2/CVC2/CVV2/CID).
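The content-inspection step that a PCI DSS DLP profile (tip 1 above) rests on, applied to the cardholder data just described, as an added Python example that is not the page's or Endpoint Protector's code: it finds candidate card numbers in text, confirms them with the Luhn check so phone numbers and reference IDs are not flagged, attributes them to the five card schemes named on the page, and reports them masked to the first six and last four digits. The scheme prefixes are simplified assumptions rather than an authoritative BIN table, and the sample text is constructed for the example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally split by single spaces or hyphens,
# so "4111 1111 1111 1111" as typed on a form is still caught.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Leading-digit patterns for the five schemes named in the article. Simplified
# for illustration (assumption); a real DLP profile uses a maintained BIN table.
SCHEMES = [
    ("American Express", re.compile(r"^3[47]\d{13}$")),
    ("JCB", re.compile(r"^35\d{14}$")),
    ("Discover", re.compile(r"^6(?:011|5\d{2})\d{12}$")),
    ("MasterCard", re.compile(r"^(?:5[1-5]|2[2-7])\d{14}$")),
    ("Visa", re.compile(r"^4\d{12}(?:\d{3})?$")),
]

def luhn_valid(digits: str) -> bool:
    """Mod-10 check every real PAN passes; rejects most phone numbers and IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(digits: str):
    """Scheme name for a digit string, or None if no known prefix matches."""
    for name, pattern in SCHEMES:
        if pattern.match(digits):
            return name
    return None

def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str):
    """Return (scheme, masked PAN) for each validated card number in text."""
    hits = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits) and classify(digits):
            hits.append((classify(digits), mask_pan(digits)))
    return hits

# Constructed sample: publicly known test card numbers plus a phone-like number
# that fails the Luhn check and must not be reported.
SAMPLE = ("Applicant card 4111 1111 1111 1111 exp 09/27, co-signer 378282246310005, "
          "callback 4111 1111 1111 1112, account ref 5555555555554444")
```

Running `find_pans(SAMPLE)` reports the Visa, American Express and MasterCard numbers masked, and skips the callback number even though it is the right length.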
PCI DSS established four compliance levels for merchants. The level depends on how many card transactions a company processes per year:
Level 1: Over 6 million card transactions annually.
Level 2: 1 to 6 million transactions annually.
Level 3: 20,000 to 1 million transactions annually.
Level 4: Fewer than 20,000 transactions annually.