Fifteen years after its launch out of a San Francisco apartment, Salesforce.com has grown into an invaluable tool for over 100,000 enterprises worldwide. For those customers, Salesforce’s cloud is a one-stop shop to improve efficiency, streamline operations, and enable greater collaboration. Businesses dealing with Salesforce must also tackle the challenges of PCI compliance, however. This checklist will help you address some common Salesforce PCI concerns.
1. Problem: “I don’t know exactly what we’re putting in the cloud, or where it goes once it’s there.”
You need to know exactly where all of your PCI-covered sensitive cardholder and authentication data resides in your Salesforce cloud so that you can manage it through its entire lifecycle.. Per PCI DSS 3.0, “Understanding where cardholder data is located is necessary so it can be properly retained or disposed of when no longer needed.” And when it comes to Salesforce PCI compliance, there are a lot of places the data could be, from Sales Cloud to Chatter. Document where each type of data is, where it is currently allowed to go, and who has access to it. Tighten up your policies and controls if you find any potential violations.
2. Problem: “I’m afraid that some of this data shouldn’t be in the cloud.”
Some data is too sensitive to store at all. PCI DSS 3.0 allows the storage of Primary Account Number (PAN), cardholder name, expiration date, and service code data. It explicitly forbids the storage of full magnetic track data, CAV2/CVC2/CVV2/CID card security codes, and cardholder PINs and PIN blocks. Evaluate whether any of the data you’ve identified should not be in the Salesforce cloud at all. To ensure Salesforce PCI compliance, make sure you aren’t storing any data that violates this requirement.
3. Problem: “I’m not sure we’re protecting sensitive data strongly enough, but won’t stronger methods make it unusable?”
PCI DSS recommends using “strong cryptography and security protocols…to safeguard sensitive cardholder data during transmission over open, public networks” such as the public WAN, as well as at rest in the cloud. That includes unstructured data, such as email and Chatter communications that contain PANs or the like, which may need on-the-fly encryption, triggered by data formats. CipherCloud’s tight integration with Salesforce does this and goes a step further by keeping sensitive data encrypted even while in use.
4. Problem: “How do I trust that data is deleted when I need it to be?”
PCI DSS requires that companies limit “data storage amount and retention time to [only] that which is required for legal, regulatory, and business requirements.” But data has a way of replicating, particularly in cloud environments, where copies may be made and moved around for legitimate purposes such as backup and disaster recovery. This introduces the possibility of extra copies of sensitive data being overlooked when it’s time for deletion. PCI DSS recommends tight access controls for encryption keys to ensure that you can destroy cardholder data when necessary. When it comes time to deleted data, all you have to do is destroy the encryption keys to render every copy unreadable.
5. Problem: “How do I make sure we stay in compliance when so much data is added or changed every day?”
PCI compliance is a moving target. Regular audits and the inevitable changes happening in your Salesforce cloud every day mean that once you’ve brought your Salesforce activity in line, you must keep on top of it to make sure it stays that way. Monitor user access and activity to maintain continuous Salesforce PCI compliance and prepare for audits. Implementing a cloud data protection solution that generates granular reports and a clear audit trail will help. So will DLP tools that quickly identify suspicious or anomalous behavior.
As you can see, Salesforce PCI compliance doesn’t have to be complicated. Know what data you’re sending to the cloud, control and protect it as necessary, and monitor its access, and you’ll be well on your way to safe, successful use of the Salesforce cloud.
How does your organization deal with Salesforce PCI compliance concerns? Tell us your experiences in the comments.