PCI: The ‘Non-Personal’ Personal Information
Bill Schaumann
Cash is King! Well, it used to be, but in a society evolving to be cashless, plastic is the new king. Credit cards have become the default purchasing method for both brick-and-mortar and online purchases. Unlike many other types of personal information, payment card data is not the direct subject of a federal or state privacy regulation. Most regulatory definitions of personal information hinge on the link between an individual and information about that individual. Credit card data is a bit different: the controls focus on the transaction and on the storage and transmission of the card data itself. To protect that data, the payment card industry has adopted a self-regulatory approach through the PCI DSS standard.
PCI DSS (Payment Card Industry Data Security Standard) was created and is maintained by the PCI Security Standards Council, a global body founded in 2006 by the major card brands (Visa, Mastercard, American Express, Discover and JCB). The standard focuses on protecting cardholder data and sensitive authentication data wherever it is stored, processed or transmitted.
PCI DSS was developed to encourage and enhance payment card account data security and to facilitate the broad adoption of consistent data security measures globally. It provides a baseline of technical and operational requirements designed to protect payment account data. Enforcement does not come from the Council itself: the card brands and the acquiring banks impose the standard contractually on the merchants and service providers that handle their cards, and they apply fines and other penalties for non-compliance.
PCI Data Security Standard (v4.0) – High Level Overview: six goals and the twelve requirements under them
- Build and Maintain a Secure Network and Systems
  - Requirement 1: Install and Maintain Network Security Controls.
  - Requirement 2: Apply Secure Configurations to All System Components.
- Protect Account Data
  - Requirement 3: Protect Stored Account Data.
  - Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks.
- Maintain a Vulnerability Management Program
  - Requirement 5: Protect All Systems and Networks from Malicious Software.
  - Requirement 6: Develop and Maintain Secure Systems and Software.
- Implement Strong Access Control Measures
  - Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know.
  - Requirement 8: Identify Users and Authenticate Access to System Components.
  - Requirement 9: Restrict Physical Access to Cardholder Data.
- Regularly Monitor and Test Networks
  - Requirement 10: Log and Monitor All Access to System Components and Cardholder Data.
  - Requirement 11: Test Security of Systems and Networks Regularly.
- Maintain an Information Security Policy
  - Requirement 12: Support Information Security with Organizational Policies and Programs.
Although PCI DSS does not use the usual privacy vocabulary of individuals and their data, there is perhaps no information more immediately impactful to an individual than their credit card data. For this reason credit card data is among the most sensitive data that many companies process. That sensitivity is why the standard contains so many requirements about understanding the life cycle of account data in an organization: for example, accurate data-flow diagrams showing where account data is stored, processed and transmitted (Requirement 1.2.4), data retention and disposal policies that keep stored account data to a minimum (Requirement 3.2.1), and documented, periodically confirmed PCI DSS scope (Requirement 12.5.2). You cannot meet any of these without first knowing where the card data is.
Understanding and mapping sensitive data is foundational to effective security, privacy, and compliance within an organization. Without clear visibility into what sensitive data exists, where it resides, how it flows, and who can access it, organizations are forced to rely on assumptions rather than controls. Maintaining data and process inventories enables informed risk management, supports regulatory compliance, reduces breach impact, and ensures safeguards are applied proportionately to actual risk.
How Lightbeam helps to protect PCI data
Lightbeam streamlines sensitive data inventory by continuously collecting, classifying, and tracking PCI attributes across complex environments. Instead of relying on a manual, error-prone process, it stays connected to your data sources and updates the inventory as systems and content change. With near real-time discovery and classification, you get a living view of where credit card data exists, how it’s evolving, and what’s changed. The classification engine stays current and accurate over time, and it extends visibility to third-party processing too, showing which vendors have card data and documenting the business purpose behind that sharing.
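To make the classification step concrete, here is an added example of the core of a PAN (primary account number) classifier; it is not Lightbeam's code and does not describe how Lightbeam's engine works. It shows the three checks a practitioner would want before a digit run is recorded in an inventory as card data: a length and separator-tolerant candidate match, the Luhn check digit that every real PAN satisfies, and a filter on well-known issuer prefixes to drop Luhn-valid noise such as order numbers. Findings are stored only in the masked form that PCI DSS 4.0 Requirement 3.4.1 allows for display (BIN and last four), so the inventory itself never becomes a new store of cleartext PANs. The sample text, the abbreviated brand-prefix table and all function names are constructed for this example; the numbers in the sample are publicly documented test PANs, not real cards.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A PAN is 13-19 digits; allow a single space or hyphen between digits and
# refuse to start or end inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check digit (ISO/IEC 7812-1); every issued PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(digits: str) -> Optional[str]:
    """Abbreviated issuer-prefix table (constructed for the example, not exhaustive).
    Returning None means 'Luhn-valid but not a card we recognise', which drops
    false positives such as order or account numbers that happen to pass Luhn."""
    n = len(digits)
    two, four = int(digits[:2]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if n == 16 and (51 <= two <= 55 or 2221 <= four <= 2720):
        return "mastercard"
    if n == 15 and two in (34, 37):
        return "amex"
    return None


def mask_pan(digits: str) -> str:
    """Keep at most the BIN (first six) and last four, the maximum PCI DSS 4.0
    Requirement 3.4.1 permits to be displayed; everything in between is masked."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    brand: str
    masked: str   # only the masked PAN is retained by the inventory
    offset: int   # where in the source text the candidate began


def scan(text: str) -> List[Finding]:
    """Classify every PAN-looking digit run in `text`; return masked findings only."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            continue                       # a 16-digit typo or random id
        brand = card_brand(digits)
        if brand is None:
            continue                       # Luhn-valid but not a known issuer prefix
        findings.append(Finding(brand, mask_pan(digits), m.start()))
    return findings


# Constructed sample record: one Luhn-valid non-card id, three public test PANs
# in different separator styles, one Luhn-invalid typo, and a short phone number.
SAMPLE = (
    "order 1234567890123452 paid with 4111 1111 1111 1111; "
    "backup card 5555-5555-5555-4444; amex 378282246310005 on file; "
    "typo 4111111111111112; phone 555-0100"
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.brand:<10} {f.masked}  @{f.offset}")
```

Run stand-alone, the scan reports three findings (Visa, Mastercard, Amex) and silently discards the Luhn-valid order number, the mistyped Visa number and the phone number. In a real inventory the `offset` would be replaced by the data-source, table and column where the value was found, and the masked value would be what gets stored and shown to reviewers.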
This persistent visibility lets an organization understand where PCI data exists, how it is used and with whom it is shared, providing a reliable foundation for security controls, privacy compliance and risk-based decision-making. In complex environments that span cloud, on-prem and third-party processing, managing the use of sensitive data is increasingly difficult and risky, because you cannot protect, or govern, what you do not understand.