I was doing a product demo the other day for a prospective partner when he asked, "You can actually pick up the credit card number in transactions?"
"Yes," I replied.
"That's great!" he said and we continued with the demo.
We can pick up credit card numbers because we decode application-level messages originating from ATM, POS, online banking, and mobile banking applications using flexible tables that actually pick apart the messages and return individual fields.
Each field is mapped to a data dictionary (e.g., data element 2 in the message is the credit card number) so that it can be used to trigger alerts or execute searches.
Our responsibility doesn't end here. Once the fields are tagged, we apply a security classification. Fields are marked as one of the following:
Forbidden. This information should never be stored or displayed (e.g., track 2 information on a credit card).
Sensitive. This information must be treated in some way before it's stored or displayed (e.g., blank certain digits or replace them with asterisks).
Normal. This information is suitable for display.
Forbidden information is dropped (handled in memory and never swapped to disk); sensitive information is treated using non-reversible methods. Along the way, everything is encrypted: all data passing on the wire between the data collectors, the server, and the data storage is always SSL-encrypted.
We took another step beyond the wire as well, implementing a FIPS-compliant integration with Thales security hardware. This lets us tie in seamlessly with even the tightest security architectures out there and make sure forbidden and sensitive information is protected in every way possible. Users do none of the encryption in their own program code, so there is no opportunity to compromise their software system there.
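To make the decode-then-classify pipeline above concrete, here is an added illustration in Python; it is not the vendor's code. It assumes a constructed wire layout in which data elements appear in a fixed order, each either a fixed number of characters or prefixed with a two-digit length (an ISO 8583-style "LLVAR" convention). Data element 2 as the card number comes from the post; the other element numbers, the field names, and the masking rule (keep only the last four digits) are assumptions made for the example. The in-memory-only, never-swapped guarantee the post describes is a property of the deployment, not something this snippet provides.

```python
"""Table-driven message decoder with per-field security classification.

Added example, not the product's code. The wire layout, the data dictionary
entries other than DE 2, and the masking rule are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FORBIDDEN, SENSITIVE, NORMAL = "forbidden", "sensitive", "normal"


@dataclass(frozen=True)
class FieldSpec:
    element: int            # data element number in the message
    name: str               # data dictionary name for the field
    classification: str     # FORBIDDEN / SENSITIVE / NORMAL
    length: Optional[int]   # fixed length, or None for two-digit length prefix (LLVAR)


# Layout table (assumed): the order and encoding of elements on the wire,
# joined with the data dictionary and security classification.
LAYOUT: List[FieldSpec] = [
    FieldSpec(2, "pan", SENSITIVE, None),        # card number: data element 2 (from the post)
    FieldSpec(3, "processing_code", NORMAL, 6),
    FieldSpec(4, "amount", NORMAL, 12),
    FieldSpec(35, "track2", FORBIDDEN, None),    # track 2 data: never stored or displayed
    FieldSpec(41, "terminal_id", NORMAL, 8),
]
BY_ELEMENT = {spec.element: spec for spec in LAYOUT}


def encode_message(values: Dict[int, str]) -> str:
    """Build a raw message from {element: value} (used only to construct samples)."""
    out = []
    for spec in LAYOUT:
        value = values[spec.element]
        if spec.length is None:
            out.append(f"{len(value):02d}{value}")
        else:
            if len(value) != spec.length:
                raise ValueError(f"DE{spec.element} must be {spec.length} characters")
            out.append(value)
    return "".join(out)


def parse_message(raw: str) -> Dict[int, str]:
    """Pick the raw message apart into {element: value} using the layout table."""
    fields: Dict[int, str] = {}
    pos = 0
    for spec in LAYOUT:
        if spec.length is None:
            if pos + 2 > len(raw):
                raise ValueError(f"truncated length prefix for DE{spec.element}")
            n = int(raw[pos:pos + 2])
            pos += 2
        else:
            n = spec.length
        value = raw[pos:pos + n]
        if len(value) != n:
            raise ValueError(f"truncated value for DE{spec.element}")
        fields[spec.element] = value
        pos += n
    if pos != len(raw):
        raise ValueError("trailing data after the last element")
    return fields


def mask(value: str, keep: int = 4) -> str:
    """Non-reversible treatment: replace all but the last `keep` characters with '*'."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def classify_and_treat(fields: Dict[int, str]) -> Tuple[Dict[str, str], List[str]]:
    """Apply the classification: drop forbidden, mask sensitive, pass normal through.

    Returns (record that is safe to store or display, names of dropped elements).
    """
    record: Dict[str, str] = {}
    dropped: List[str] = []
    for element, value in fields.items():
        spec = BY_ELEMENT[element]
        if spec.classification == FORBIDDEN:
            dropped.append(spec.name)          # value is discarded, only its name is logged
        elif spec.classification == SENSITIVE:
            record[spec.name] = mask(value)    # masked before it reaches storage or a screen
        else:
            record[spec.name] = value
    return record, dropped


def ingest(raw: str) -> Tuple[Dict[str, str], List[str]]:
    """Full pipeline: decode the message, then classify and treat every field."""
    return classify_and_treat(parse_message(raw))


# Constructed sample transaction (test card number, made-up track 2 and terminal).
SAMPLE_MESSAGE = encode_message({
    2: "4111111111111111",
    3: "000000",
    4: "000000010000",
    35: "4111111111111111=25121011234567890",
    41: "TERM0001",
})

if __name__ == "__main__":
    safe_record, dropped_names = ingest(SAMPLE_MESSAGE)
    print("stored:", safe_record)
    print("dropped:", dropped_names)
```

The point of the layout table is that adding a new message type or channel is a table change, not a parser rewrite, and the classification travels with the dictionary entry, so no code path can forget to mask a field that the dictionary marks sensitive.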
So yes, we can actually pick up the credit card number in transactions. And yes, it's a great feature. But with great features comes great responsibility. Make hardware encryption a mandatory check box when it comes to investing in your transaction-based monitoring tools.