As the requirements of an increasing variety of risk, conduct, transparency, and technology standards grow to exabyte scale, financial services firms and regulatory agencies are struggling with new compliance challenges, particularly as they relate to balancing data administration cost and complexity, data-intensive operations, and the value of insights that can be gained from such large, rich datasets.
In the credit card industry, the primary goal is ensuring that cardholder data is properly secured and protected and that merchants meet minimum privacy levels when storing, processing, and transmitting this data. The Payment Card Industry Data Security Standard (PCI DSS) was formalized as an industry-wide standard in 2004, originating as separate data security standards established by the five major credit card companies: Visa, MasterCard, Discover, American Express, and the Japan Credit Bureau (some of whom are Cloudera Enterprise customers).
The most straightforward way to comply with the PCI DSS requirement to protect stored cardholder information is to encrypt all data-at-rest and manage the encryption keys away from the protected data. However, the security standards have historically required specialized software, which, at times, has failed to fully prevent infiltration by nefarious actors. In the event of a security breach resulting from non-compliance, the breached organization could be subject to stiff penalties. In recent months, cases of fraud related to credit card data security breaches have not only led to fines, but also to consumer mistrust and sharp declines in revenues for the merchants managing the point of sale.
Table Stakes: Encryption for Payment Data
As Apache Hadoop becomes the de facto data management solution for payment processors who want to keep much of their data online, an enterprise data hub featuring Cloudera Navigator—the first fully integrated data security and governance application for Hadoop-based systems—is the only Hadoop platform offering out-of-the-box encryption for data-in-motion between processes and systems, as well as for data-at-rest as it persists on disk or other storage media.
Within the tool, the Navigator Encrypt feature is a transparent data encryption solution that enables organizations to secure data-at-rest in Linux. This includes primary account numbers, 16-digit credit card numbers, and other personally identifiable information. The cryptographic keys are managed by the Navigator Key Trustee feature, a software-based universal key server that stores, manages, and enforces policies for Cloudera and other cryptographic keys. Navigator Key Trustee offers robust key management policies that prevent cloud and operating system administrators, hackers, and other unauthorized personnel from accessing cryptographic keys and sensitive data, which is essential to PCI DSS Version 3.0, enacted in January 2014.
Navigator Key Trustee can also help organizations meet the PCI DSS encryption requirements for transmission across public networks by managing the keys and certificates used to safeguard sensitive data in transit. Navigator Key Trustee provides robust security policies, including multifactor authentication, governing access to sensitive Secure Sockets Layer (SSL) and Secure Shell (SSH) keys. Storing these keys in a Navigator Key Trustee server will prevent unauthorized access in the event that a device is stolen or a file is breached. Even if a hacker were able to access SSH login credentials and sign in as a trusted user, the Navigator Key Trustee key release policy is pre-set to automatically trigger a notification to designated trustees requiring them to approve the key release. If a trustee denies the key release, SSH access is denied, and an audit log entry recording the denied request is created.
With Navigator Encrypt, only the authorized database accounts with assigned database rights connecting from applications on approved network clients can access cardholder data stored on a server. Operating system users without access to Navigator Encrypt keys cannot read the encrypted data. Providing an additional layer of security, Navigator Key Trustee allows organizations to set a variety of key release policies that factor in who is requesting the key, where the request originated, the time of day, and the number of times a key can be retrieved, among others.
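As an added illustration, not Cloudera's code or the Navigator Key Trustee API, the following Python model applies the release factors described above (requesting account, origin network, time of day, retrieval count, and trustee approval) and writes an audit entry for every decision, grant or denial. The account name, subnet, time window, retrieval cap and request sequence are constructed, and trustee approval is simplified to a boolean passed with the request.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network

@dataclass
class KeyReleasePolicy:
    allowed_requesters: frozenset   # accounts permitted to request the key
    allowed_networks: tuple         # ip_network objects a request may come from
    window: tuple                   # (start, end) time of day, inclusive
    max_retrievals: int             # lifetime retrieval cap per key
    require_trustee_approval: bool  # a designated trustee must approve release

@dataclass
class KeyTrusteeModel:
    policy: KeyReleasePolicy
    retrievals: dict = field(default_factory=dict)  # key_id -> releases so far
    audit_log: list = field(default_factory=list)   # every decision, grant or denial

    def request_key(self, key_id, requester, source_ip, at, approved=None):
        reason = self._check(key_id, requester, source_ip, at, approved)
        granted = reason == "granted"
        if granted:
            self.retrievals[key_id] = self.retrievals.get(key_id, 0) + 1
        self.audit_log.append({"key": key_id, "requester": requester, "source": source_ip,
                               "at": at.isoformat(), "granted": granted, "reason": reason})
        return granted, reason

    def _check(self, key_id, requester, source_ip, at, approved):
        p = self.policy  # every factor must pass; the first failure is the audited reason
        if requester not in p.allowed_requesters:
            return "requester not authorised"
        if not any(ip_address(source_ip) in net for net in p.allowed_networks):
            return "origin outside approved networks"
        if not p.window[0] <= at.time() <= p.window[1]:
            return "outside permitted time window"
        if self.retrievals.get(key_id, 0) >= p.max_retrievals:
            return "retrieval limit reached"
        if p.require_trustee_approval and not approved:
            return "trustee denied release"
        return "granted"

# Constructed policy: one service account, one subnet, daytime only, two releases.
POLICY = KeyReleasePolicy(frozenset({"svc-cardholder-db"}), (ip_network("10.20.0.0/24"),),
                          (time(6, 0), time(22, 0)), 2, True)

def run_scenario():
    """Constructed request sequence; returns the decision reasons and the audit log."""
    kt, day, night = KeyTrusteeModel(POLICY), datetime(2014, 3, 3, 10, 30), datetime(2014, 3, 3, 23, 15)
    calls = [("svc-cardholder-db", "10.20.0.7", day, True), ("svc-cardholder-db", "192.168.1.5", day, True),
             ("svc-cardholder-db", "10.20.0.7", night, True), ("svc-cardholder-db", "10.20.0.7", day, False),
             ("root", "10.20.0.7", day, True), ("svc-cardholder-db", "10.20.0.7", day, True),
             ("svc-cardholder-db", "10.20.0.7", day, True)]
    return [kt.request_key("pan-key", *c)[1] for c in calls], kt.audit_log
```

Only the first and sixth requests satisfy every factor; the seventh hits the retrieval cap, and all five denials remain in the audit log with their reasons.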
Cloudera Navigator and an Enterprise Data Hub
Regulatory compliance, data security, and systems governance should be seen as table stakes for any Big Data platform. The enterprise data hub was designed specifically as an open and cost-effective means to respond to stricter regulations while removing the opportunity cost to more advanced capabilities. As you comply with the stringent regulations governing data for the financial services industry, that data remains available and active with full management and security so that it never has to be archived, siloed, or duplicated, and it can be integrated with your preferred analytics tools, at scale and without friction.