Salesforce has celebrated its PCI compliance since January of 2012 and customers can feel confident in their credit card transactions through the platform. However, no matter how compliant a platform may be, user behavior might just be the wildcard. Are users populating fields and attachments with PCI data? Are they using Chatter to share credit card numbers or account information? How can the issue be addressed while ensuring continued access and functionality? Can the problem be addressed across the platform with no slowdown in workflow?
Achieving Salesforce PCI DSS compliance in light of all of these factors begins with these three steps.
1. Define Your Data Policy for Salesforce
The first step should be the creation of Acceptable Use Policies (AUPs) that clearly outline safe practices for managing data in Salesforce. In many cases, AUPs that are already in place can be adapted with minor modifications to suit cloud considerations.
Ensure that there is continuity throughout the policies created for PCI data and for other sensitive data such as Social Security numbers, bank account numbers, routing numbers, etc. This sets expectations for users and gives them a unified approach to handling sensitive data. A comprehensive policy should describe what constitutes sensitive data as well as provide guidelines for where it may be placed. It is imperative to define whether such data is permitted in certain fields or Salesforce modules, and whether it is appropriate to export outside of the environment.
2. Continuously Monitor The Environment
Policies are only successful if they are backed by visibility into potential violations. It is important to monitor the entire environment, including any development sandboxes, to uncover poorly managed PCI objects.
Despite the existence of strong AUPs, users do not always recall the guidelines. Making the right choices when adding information to the Salesforce platform can be undermined by time constraints, carelessness, or users simply being uninformed. Users may inadvertently include PCI data in a note about a client, or they may share a credit card number in an attachment for a purchase or reservation. Additionally, inbound requests from customers can contain PCI data and end up somewhere unexpected in Salesforce.
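The monitoring described above boils down to scanning the places users actually put data (record fields, Chatter posts, extracted attachment text) for anything that looks like a primary account number. The following is an added example, not code from the original post or from Salesforce: it assumes the records have already been pulled out of the org (for instance via SOQL or the Bulk API) into plain dictionaries with hypothetical `object`, `id`, `field` and `text` keys, and it applies a digit-pattern match followed by a Luhn mod-10 check so that order numbers and other long numeric identifiers are not reported. Findings carry only a masked PAN (first six and last four digits), so the report itself does not become a new place where card data is stored. The sample records are constructed; the card numbers are the well-known Visa and Mastercard test values, not real accounts.

```python
import re
from typing import Dict, Iterable, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
# Lookarounds stop the match from starting or ending in the middle of a longer number.
_PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits (the usual PCI DSS display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_records(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Scan exported Salesforce text for Luhn-valid card numbers.

    Each record is a dict with (hypothetical) keys: object, id, field, text.
    Returns one finding per valid PAN, with the PAN masked.
    """
    findings: List[Dict[str, str]] = []
    for rec in records:
        for m in _PAN_CANDIDATE.finditer(rec.get("text", "")):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append({
                    "object": rec["object"],
                    "record_id": rec["id"],
                    "field": rec["field"],
                    "masked": mask_pan(digits),
                })
    return findings


# Constructed sample export: two real hits, two look-alikes that must not fire.
SAMPLE_RECORDS = [
    {"object": "FeedItem", "id": "REC-001", "field": "Body",
     "text": "Customer says card 4111 1111 1111 1111 was declined, can you retry?"},
    {"object": "Case", "id": "REC-002", "field": "Description",
     "text": "Order 1234567890123456 shipped late, customer wants a credit."},
    {"object": "Attachment", "id": "REC-003", "field": "Body(text)",
     "text": "Reservation form. Card: 5555-5555-5555-4444 Exp 12/29"},
    {"object": "Contact", "id": "REC-004", "field": "Phone",
     "text": "555-010-1234"},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['object']} {f['record_id']} [{f['field']}]: {f['masked']}")
```

Run against the sample export it reports the Chatter post and the attachment and stays silent on the order number (fails Luhn) and the phone number (too short). In practice the same scan is run on a schedule across production and every sandbox, and each finding is routed to the owning user as the remediation step in the next section describes.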
3. Educate Users to Optimise Remediation
People-centric security relies on education to facilitate adoption as well as the behavioral changes that foster safe usage of any cloud-based service. When users understand the guidelines for acceptable use of the product and are asked to actively manage their own violations, there should be fewer triggering incidents across the platform over time and more complete, confident usage of Salesforce.
Create a process for reaching out to end users: explain that they have made an error by placing PCI data in an inappropriate location in Salesforce, educate them on the proper protocol, and make it easy for them to address the issue.
Use this three-step process to make users feel accountable and empowered to make safe choices, ensuring a safe, collaborative experience with Salesforce.
How are you managing this process today? Could you use some help?
Contact us for a free security assessment to find out how secure your environment really is. We will review and audit your organization’s Salesforce, Google Apps and other SaaS application domains, as well as the usage and consumption of third-party applications connected to them, to:
- Provide metrics, considerations, and recommendations that result from the analysis
- Recommend actionable next steps for instituting Acceptable Use Policies (AUPs)
- Compare your Security Score to other customers