The recent data breach at Sony has triggered another round of debate on third-party data security. Looking to the Payment Card Industry Data Security Standard (PCI DSS) is all very well, but at the very least plain common sense should have prevailed.
What would a corporation or a person do, in the most reasonable manner, when in possession of third-party data?
a. Safeguard the data: By far the simplest. This can be accomplished by encrypting with strong keys and keeping the keys in a separate database, so that if the data is compromised, the data and the key are not found together. Would one leave the key in the keyhole after locking?
b. Logically split the data based on the criticality of its elements: I mean the CVV number and the card number must never be in the same database. A strong algorithm will link the data when it is legitimately accessed from the application front end. Make sure the labels are not indicative.
c. Segregate data based on frequency of usage: I am confident that, of the 20-plus million pieces of information, more than half would not have been used in the last 6 months.
d. Delete the data that is critical: This is a good practice to follow. Keep only the details that, even if compromised, will have low impact. Start with the assumption that data will be compromised. After each transaction wipe out the
e. Terms of usage: When requesting information from an online client, ask if it is for one-time use. If so, after authentication and authorization of the one-time transaction, delete the data.
f. Mobile wallet: Encourage frequent users to buy a mobile wallet. Delete all card information after authorization.
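As an added illustration of points (a), (b) and (e) above, not code from the original post, here is a small Go program that keeps the key-encryption key in one store and only ciphertext in another, never persists the CVV, and deletes a one-time record after authorization. The two stores are in-memory structs standing in for separate databases, the token names and card numbers are constructed test values, and the envelope scheme (a per-record data key wrapped under a master key, both with AES-GCM) is my choice for the "strong keys in a separate database" requirement, not something the post specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore holds only the key-encryption key (KEK). In production this is a
// separate database, HSM or KMS; here it is in memory so the example runs
// offline. It never sees card data.
type KeyStore struct{ kek []byte }

// CardStore holds only ciphertext and wrapped per-record keys. It never sees
// the KEK, so a dump of this store alone yields nothing usable.
type CardStore struct{ records map[string]cardRecord }

type cardRecord struct {
	wrappedDEK []byte // per-record data key, encrypted under the KEK
	cipherPAN  []byte // card number, encrypted under the DEK
}

func NewKeyStore() (*KeyStore, error) {
	kek := make([]byte, 32) // AES-256 key
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyStore{kek: kek}, nil
}

func NewCardStore() *CardStore { return &CardStore{records: map[string]cardRecord{}} }

// gcmSeal encrypts with AES-GCM and prepends the random nonce.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal; the GCM tag check rejects a wrong key or tampering.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// StoreCard encrypts a card number under a fresh per-record DEK, wraps the DEK
// under the KEK, and stores only the two ciphertexts. The CVV is never passed
// in: the customer supplies it per transaction and it is not retained.
func (c *CardStore) StoreCard(ks *KeyStore, token, pan string) error {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return err
	}
	cipherPAN, err := gcmSeal(dek, []byte(pan))
	if err != nil {
		return err
	}
	wrappedDEK, err := gcmSeal(ks.kek, dek)
	if err != nil {
		return err
	}
	c.records[token] = cardRecord{wrappedDEK: wrappedDEK, cipherPAN: cipherPAN}
	return nil
}

// Authorize recovers the card number for one authorization call. With oneTime
// set (the "one-time use" case from point e), the record is deleted afterwards.
func (c *CardStore) Authorize(ks *KeyStore, token string, oneTime bool) (string, error) {
	rec, ok := c.records[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	dek, err := gcmOpen(ks.kek, rec.wrappedDEK)
	if err != nil {
		return "", errors.New("cannot unwrap data key: wrong or missing KEK")
	}
	pan, err := gcmOpen(dek, rec.cipherPAN)
	if err != nil {
		return "", err
	}
	if oneTime {
		delete(c.records, token)
	}
	return string(pan), nil
}

// Has reports whether the store still holds a record for the token.
func (c *CardStore) Has(token string) bool { _, ok := c.records[token]; return ok }

func main() {
	ks, _ := NewKeyStore()
	cs := NewCardStore()
	_ = cs.StoreCard(ks, "tok-42", "4111111111111111") // constructed test PAN
	pan, err := cs.Authorize(ks, "tok-42", true)
	fmt.Println(pan, err, cs.Has("tok-42")) // record is gone after one-time use
}
```

The point to notice is that a copy of CardStore on its own is worthless: without the KEK the wrapped data key cannot be opened, and the GCM tag check turns a wrong key into a clean error rather than garbage plaintext.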
A company such as Sony is expected to have checks and measures against data compromise. Will Sony come out with a new game, 'Catch the Breach'?