CAP data loss prevention through social media

Keywords:

Data loss prevention, credit cards, reputation, social media, PCI

The context:

A company provides online shopping to customers and also takes phone orders in its call centres. Because operators take credit card numbers over the phone, they are not allowed to bring smartphones, pens or notepads to work. However, the call centre operators need to use Facebook to update customers on the progress of their orders. Providing access to Facebook created a risk, as it would expose the company's Facebook credentials to the operators and would also give them a channel for posting credit card numbers to their personal Facebook pages (or those of associates).

The solution:

Using an internal DNS change (so that Facebook hostnames resolved to CAP from inside the call centre) and a local certificate authority installed on all call centre PCs (so that the browsers trusted the certificates CAP presented for those hostnames, allowing it to inspect and rewrite the HTTPS traffic), CAP was inserted between the call centre operators and Facebook to protect the company and support PCI compliance.

Why CAP:

CAP is capable of interacting with a vast array of data sources, protocols and APIs out of the box. In this case, the built-in forwarding proxy capabilities allowed CAP to create a front end to Facebook with a reduced feature set, to only enable the required functionality.

The story:

With CAP in place, rules performed the Facebook login automatically, so the company credentials were never visible to the operators. CAP also rewrote the Facebook pages served to operators so that it was impossible to log out or switch accounts. Game options were removed as well.

In addition, the text of every Facebook post was checked against a list of profanities and a list of the company's senior executives' names, to ensure that no post mentioned those names without management knowing about it. Every suspect post is emailed directly to the PR manager for review, allowing swift action if an offensive or inappropriate post is detected.

Lastly, the rule set also checked posts for groups of digits in credit card number format. Although it is unlikely that any operator would post a card number directly on the company page, the fact that the operators knew they were being monitored helped enforce the policy and support PCI compliance.
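The post checks described above (profanity and executive-name lookup, and card-number detection) are easy to get wrong if they are done with plain pattern matching alone: order numbers and phone numbers also look like "digit groups". The following is an added example, not CAP's own rule engine or any code from the case study, written in Python to show one way to implement those checks. The CSV word lists, the sample posts, the `load_csv_column`/`check_post` function names and the "block"/"review"/"allow" outcomes are all constructed assumptions for illustration; the case study only says suspect posts are emailed to the PR manager.

```python
import csv
import io
import re

# Constructed word lists, standing in for the CSV lookups the rules used.
PROFANITY_CSV = "word\ndamn\ncrap\n"
EXECUTIVES_CSV = "name\nJane Doe\nJohn Smith\n"


def load_csv_column(text, column):
    """Read one column of a CSV document into a lower-cased list (assumed format)."""
    return [row[column].strip().lower() for row in csv.DictReader(io.StringIO(text))]


PROFANITY = load_csv_column(PROFANITY_CSV, "word")
EXECUTIVES = load_csv_column(EXECUTIVES_CSV, "name")

# A candidate card number: 13 to 19 digits, optionally separated by a single
# space or dash, and not part of a longer run of digits on either side.
CARD_RE = re.compile(r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){12,18}\d(?![ -]?\d)")


def luhn_ok(digits):
    """Luhn checksum: every real card number passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the normalised (separator-free) card numbers found in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # drops order numbers that merely look like PANs
            hits.append(digits)
    return hits


def find_words(text, wordlist):
    """Whole-word, case-insensitive lookup of each list entry in text."""
    lowered = text.lower()
    return [w for w in wordlist if re.search(r"\b" + re.escape(w) + r"\b", lowered)]


def check_post(text):
    """Classify a post: card data is blocked, names/profanity go to PR review (assumed policy)."""
    findings = {
        "card_numbers": find_card_numbers(text),
        "profanity": find_words(text, PROFANITY),
        "executives": find_words(text, EXECUTIVES),
    }
    if findings["card_numbers"]:
        findings["action"] = "block"
    elif findings["profanity"] or findings["executives"]:
        findings["action"] = "review"
    else:
        findings["action"] = "allow"
    return findings


if __name__ == "__main__":
    # Constructed sample posts.
    for post in [
        "Hi, your order 20230915 has shipped, thanks for your patience!",
        "Ref 1234 5678 9012 3456 - still waiting on stock",
        "Card 4111 1111 1111 1111 was charged twice, sorry",
        "John Smith said the warehouse is a crap show this week",
    ]:
        print(check_post(post))
```

The Luhn step matters in practice: the second sample post contains a 16-digit group that is not a valid card number and is correctly allowed, while the well-known test number in the third post is caught. Real deployments should also normalise Unicode digits and strip other separators operators might type to evade the check.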

Rules blocks and components used:

String manipulation

CSV Lookup
