In the past decade, Salesforce.com has earned its spot as the leading cloud-based sales automation and CRM platform. With broad adoption and legions of happy customers, Salesforce is a force to be reckoned with. When adopting Salesforce, however, any business that deals with cardholder information for major debit, credit, and other payment cards must also make sure their deployment complies with PCI DSS.
The Payment Card Industry Data Security Standard (PCI DSS) exists to protect cardholder data wherever it is stored, processed, or transmitted. Failure to comply may result in fines from the card brands or your acquirer, loss of the ability to process card payments, and, in some jurisdictions, statutory liability: Nevada, for example, has written PCI DSS compliance into its state data security law.
Sound daunting? As Salesforce’s numerous customers can attest, Salesforce PCI compliance is readily achievable. When it comes to regulatory compliance, the ultimate responsibility always lies with you. Follow our four best practices to ensure a smooth and compliant Salesforce deployment.
Salesforce PCI compliance starts with knowledge. Not all of the data you store in Salesforce’s cloud is equally sensitive, and not all of it falls under PCI DSS. Your first step must be to understand what you’re working with. Examine your data and identify every field that is in scope: above all the primary account number (PAN), plus cardholder name, expiration date, and service code wherever they are stored alongside a PAN. Sensitive authentication data such as CVV/CVC codes, PINs, and full magnetic-stripe track data may never be stored after authorization, so any Salesforce field that holds it is a finding to remediate, not a field to protect. Remember, too, that any system that stores, processes, or transmits cardholder data is itself in scope, so once a clear-text PAN reaches Salesforce, your Salesforce org is part of your cardholder data environment. Set access controls on the in-scope data and plan for its protection.
Now that you’ve classified your data, you’re ready to protect it. Salesforce PCI compliance must begin on your own premises, with granular control over which encryption and tokenization methods you apply to each category of information. The PAN is the most sensitive field and PCI DSS requires it to be rendered unreadable wherever it is stored, whether by strong cryptography with proper key management, truncation, one-way hashing, or tokenization. Encrypt or tokenize appropriately before your data ever leaves your perimeter, so that it is protected not only at rest in Salesforce’s data centers but also in transit from your premises to theirs. Take advantage of encryption’s other benefit: safe harbor. Most US state breach notification laws exempt data that was encrypted at the time of the breach, provided the encryption keys were not also compromised, so encryption can spare your organization from making a public breach notification if your customers’ account information is stolen. (That exemption comes from the notification laws, not from PCI DSS itself, which still requires the underlying controls.) And while we’re on the topic of encryption keys, by all means make sure your enterprise retains exclusive control of those keys; if the cloud provider can decrypt your data, so can anyone who compromises the provider or compels it.
Salesforce PCI compliance shouldn’t interfere with Salesforce functionality. You aren’t using (or considering using) a world-class CRM platform just for the inert storage of your data, after all. Especially when it comes to customer and payment card information, you want to be able to search it, sort it, generate reports, and in general take advantage of Salesforce’s ability to take your business to the next level. For that reason, an encryption and tokenization solution that preserves your data’s functionality in the cloud, while keeping it protected, is a must. It has to preserve the formats, fields, and function of structured data, such as credit card numbers, and support search, sort, indexing, and reporting. To do so, it must be tightly integrated with Salesforce, as CipherCloud’s Cloud Information Protection solution is. An encryption option that provides strong protection but preserves functionality, like CipherCloud’s Searchable Strong Encryption, is critical. One caveat a practitioner should keep in mind: any scheme that lets the cloud search or sort ciphertext necessarily reveals equality or ordering relationships between values to whoever holds that ciphertext, so it is weaker than randomized encryption. Apply searchable or format-preserving protection only to the fields that genuinely need those operations, and use full-strength encryption everywhere else.
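To make the preceding three practices concrete (finding in-scope fields, protecting them before they leave your perimeter, and keeping the protected values usable for search and reporting), here is an added example that is not CipherCloud’s code or part of the original article. It assumes a hypothetical on-premises gateway written in Python that (1) detects PAN-bearing fields by digit length and the Luhn check rather than by field name, (2) drops sensitive authentication data such as CVV outright, and (3) replaces each PAN with a same-length digit token from an on-premises vault. Because a given PAN always maps to the same token, equality search, sorting, and reporting still work on the token inside Salesforce, while the vault (and thus the only route back to the PAN) never leaves your control. The sample records use published test card numbers, not real cardholders.

```python
import re
import secrets
from typing import Dict, List

# Constructed sample CRM records. Card numbers are published test numbers.
# The order_id values are 16 digits on purpose: they look like PANs but fail Luhn.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "Ada Example", "email": "ada@example.com",
     "card_number": "4111111111111111", "cvv": "123", "order_id": "1234567890123456"},
    {"name": "Bob Example", "email": "bob@example.com",
     "card_number": "5555 5555 5555 4444", "cvv": "999", "order_id": "1234567890123457"},
    {"name": "Ada Example", "email": "ada@example.com",
     "card_number": "4111-1111-1111-1111", "cvv": "123", "order_id": "1234567890123458"},
]

# Sensitive authentication data (PCI DSS Requirement 3.2): never stored after
# authorization, so the gateway drops these fields rather than protecting them.
SAD_FIELDS = {"cvv", "cvc", "cvv2", "pin", "track_data"}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise(value: str) -> str:
    """Strip the spaces and dashes users type into card number fields."""
    return re.sub(r"[ -]", "", value)


def looks_like_pan(value: str) -> bool:
    """A PAN is 13 to 19 digits and passes Luhn; this catches free-text fields too."""
    digits = normalise(value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def find_pan_fields(record: Dict[str, str]) -> List[str]:
    """Scope discovery: names of the fields in a record that hold a PAN."""
    return sorted(k for k, v in record.items() if isinstance(v, str) and looks_like_pan(v))


class TokenVault:
    """Hypothetical on-premises PAN-to-token map.

    Tokens are digit strings of the same length as the PAN, keep the last four
    digits (so staff can still recognise a card), deliberately fail Luhn (so a
    token can never be mistaken for, or used as, a real PAN), and are issued once
    per PAN so equality search and reporting on the token still work in the cloud.
    """

    def __init__(self) -> None:
        self._by_pan: Dict[str, str] = {}
        self._by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = normalise(pan)
        if pan in self._by_pan:
            return self._by_pan[pan]  # deterministic: same PAN, same token
        last4 = pan[-4:]
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = middle + last4
            if not luhn_ok(token) and token not in self._by_token:
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only code inside the perimeter, with access to the vault, can do this."""
        return self._by_token[token]


def prepare_for_upload(record: Dict[str, str], vault: TokenVault) -> Dict[str, str]:
    """What the gateway sends to Salesforce: SAD dropped, PANs tokenized, rest untouched."""
    out: Dict[str, str] = {}
    for k, v in record.items():
        if k.lower() in SAD_FIELDS:
            continue
        if isinstance(v, str) and looks_like_pan(v):
            out[k] = vault.tokenize(v)
        else:
            out[k] = v
    return out


if __name__ == "__main__":
    vault = TokenVault()
    for rec in SAMPLE_RECORDS:
        print("in-scope fields:", find_pan_fields(rec))
        print("uploaded record:", prepare_for_upload(rec, vault))
```

Note that the two records for “Ada Example” carry the same PAN in different formatting, and both come out with the same token, which is exactly what lets a Salesforce report group or search on that customer’s card without the PAN ever having been in the cloud. The trade-off discussed above applies here as well: a deterministic token reveals that two records share a card, so the vault must be treated as a PCI-scoped system in its own right.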
Finally, achieving Salesforce PCI compliance isn’t a one-time task. PCI DSS itself requires you to track and monitor all access to cardholder data (Requirement 10), and only continuous monitoring backed by a clear audit trail will keep you in compliance between assessments. Your Salesforce data privacy solution must give you granular user, data, and activity reporting, DLP enforcement, and visibility across all your cloud applications. Once that is in place, you’ll be able to see what’s happening to your Salesforce data at all times and address problems as they arise, before they become a breach.
Salesforce has revolutionized the way the enterprise does business, but it hasn’t taken all the work out of enterprises’ own hands. To enjoy the full benefits of the cloud without exposing yourself to the dangers, you must stay in control. Following best practices like ours will help you do so.
What should businesses keep in mind as they work towards Salesforce PCI compliance? Tell us in the comments.