Within any organization, there exists a business need to access data for analysis, record-keeping, and interoperability. As the complexity of dealing with securing access to sensitive business systems increases, so does the scrutiny on organizations, both based on internal security policies and by external regulatory bodies.
The goal of this document is to take the key concepts of moving non-sensitive business data in and out of sensitive areas, and provide high-level guidance that addresses many of the elements needed to protect these environments from added risk.
The primary audience for this guidance paper is small to mid-sized fuel retailers who are addressing the challenge of complying with critical data security requirements, but have a business need to extract data from within secure environments. This is especially true of environments that fall within or adjacent to data security regulations, such as the Payment Card Industry (PCI) Data Security Standard (DSS) and systems considered part of or connected to the cardholder data environment (CDE).
The secondary audience for this document is third-party vendors and security partners that may implement and/or support processes necessitating the movement of these data out of retailer/merchant environments. Accordingly, this document serves as a reminder of available best practices and critical capabilities necessary to support the retailer (i.e., your client) in these exchanges of data.