Removing credit card details from legacy data

I found my own credit card details in our corporate system!

Have you ever been at work, looking through company documents and found sensitive information that shouldn’t be there? Or worse, have you ever found your own credit card details in the system?

That’s what happened to an employee of a client of ours. Let’s call her “Sally”. Understandably, Sally was more than a little bit peeved. First, she was upset that her council had not protected her personal data. And second, she was embarrassed that council’s processes had failed to properly protect community member data too.

Obviously, the first question Sally asked was ‘How did this happen?’, quickly followed by ‘What are we going to do about it?’.

How did this happen?

There are several possible reasons why this kind of thing happens, but the primary culprit is usually legacy processes.

Remember the good old days when companies got you to put your credit card details on a paper form that they then kept on file. Nowadays, most councils redact this sensitive information from the documents they keep on file or have processes in place to avoid the capture of this data altogether.

When Sally spoke with her Governance team at Council about this issue, they found that processes were in place to stop new credit card details being stored in their corporate systems, but legacy data hadn’t been checked.

So, when Sally’s credit card details were saved into Council’s document management system over 5 years ago, the new data capture and protection processes weren’t in place.

What are we going to do about it?

In this instance, Council ran a system search to find out how many other credit card numbers they had stored, unprotected in their systems. They quickly realised that the issue was bigger than they could handle themselves, and that they needed external help to resolve it.

That’s when Council approached Redman Solutions to help them develop a solution. In partnership with our council client, we developed a software solution that can search various corporate systems (including document management and email archiving), identify documents containing sensitive data, redact that data and then replace the original unprotected document with the secure redacted document back into the EDMS - in bulk.

In addition to removing and redacting the sensitive data for several systems, Council’s Governance Team launched a program to ensure regulatory and compliance requirements were being met (i.e. PCI-DSS compliance). Part of this program also involved reinforcing their culture of accountability and responsibility for managing and protecting sensitive data across the organisation.

How can Redman Solutions help?

Redman Solutions provides this solution as an on-premise service, which can remove credit card numbers, in bulk, from your legacy data. To date, Redman Solutions has worked with councils to scan 265,269,070+ items across 16 different systems and redact 269,968+ documents containing sensitive data.

If your council has had past processes that involved collecting credit card numbers, let us help you remove those potential hidden risks for you in one clean process. Find out more here.

We’d also like to refer you to the PCI Security Standards Council Quick Reference Guide which outlines the steps your council would need to take in order to comply with the PCI-DSS Standard, including:

  1. Choosing a Qualified Security Assessor

  2. Choosing an Approved Scanning Vendor

  3. Scope of Assessment for Compliance

  4. Using the Self-Assessment Questionnaire (SAQ)

  5. Reporting