Is Box PCI Compliant?
Maintain ongoing compliance with PCI data security standards with Strac's Box Data Loss Prevention solution
TL;DR:
Box is a cloud-based content management platform that facilitates various content-related processes including the storing, sharing and management of files. Box meets Payment Card Industry (PCI) Data Security Standards (DSS) Level 1 standards, meaning that Box can be used in a way that complies with the highest level of PCI DSS.
Box provides various resources that are designed to help their customers use Box in a secure manner and achieve compliance with a wide range of data security standards. For example, the Box Trust Center connects customers with the latest information on Box’s efforts to improve the security, compliance, data privacy, and reliability of their products.
As a PCI DSS Level 1 service provider, the Box platform can be used to store PCI data. PCI data encompasses various data points, including the payment card number, cardholder name, expiration date, and card security code.
Before handling or storing PCI data in Box you must configure the platform’s security controls, including enabling identity and access controls and encryption keys. Learn more about Box’s mechanisms for safeguarding sensitive information.
Although Box offers the security features that allow the platform to be used in a way that is compliant with PCI DSS, maintaining compliance is an ongoing process.
Even with Box’s security controls in place, PCI data can be leaked from the Box platform. Your organization must therefore handle PCI data appropriately at all times. Data leaks from the Box platform usually stem from misconfigured controls, human error, or insufficient security procedures. Common causes of data leaks include
Organizations using Box to store PCI data should therefore train employees on how to handle sensitive PCI data. Accidental data leaks and misconfigured security controls are the most common sources of data leaks.
PCI DSS 4.0 is a major step forward from the previous standard, 3.2.1. Designed to cover the growing use of cloud-based services, PCI DSS 4.0 introduces new requirements to protect cardholder data on collaboration platforms such as Box.
Some of the key updates to be aware of include:
Requirement 3.4.2 is intended to protect the Primary Account Number (PAN) from unauthorized copying or relocation across all platforms, including cloud-based platforms such as Box.
This requirement restricts the copying or transferring of PAN. Now, only authorized individuals with recorded approval and a valid business justification are permitted to copy or transfer PAN.
This level of control is crucial in collaborative platforms like Box, where data is frequently more vulnerable to unauthorized access.
Requirement 3.5.1.1 requires that PAN is made unreadable when stored. This requirement is applicable to databases, files, and logs housed on cloud-based platforms such as Box.
This requirement encourages the use of cryptographic hashes, so that PAN / card numbers are stored in an encrypted or hashed, indecipherable form rather than in the clear.
This measure secures PAN against unauthorized access and breaches, particularly when stored in cloud-based environments like Box.
Requirement 12.10.7 is designed to encourage proactive incident response measures. Rather than reacting to data breaches after the fact, organizations are encouraged to regularly detect PAN and other PCI data that is stored in unauthorized locations.
The objective here is to quickly address potential data breaches and take action to protect sensitive PCI data before a breach occurs.
This requirement underlines the need for continuous monitoring and incident management strategies within Box.
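The two requirements above, 3.5.1.1 (render stored PAN unreadable) and 12.10.7 (detect PAN sitting in unauthorized locations), can be illustrated together in a small scanner. The code below is an added example written for this page; it is not Strac's product code and not a Box API. It assumes file contents have already been pulled into memory as a `{path: text}` dictionary, that the `AUTHORIZED_PREFIXES` folder list and the `SAMPLE_FILES` content are constructed for the example, and that the HMAC key would in practice come from a key management system rather than a literal. The card numbers in the sample are the widely published public test numbers, not real accounts.

```python
import hashlib
import hmac
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Folders where cardholder data is permitted to live. Assumption for this example;
# a real deployment takes this from policy or configuration.
AUTHORIZED_PREFIXES = ("/Finance/Cardholder-Vault/",)


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: filters out arbitrary digit runs such as order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PANs (digits only) found in a piece of text."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def truncate_pan(pan: str) -> str:
    """Keep the first six (BIN) and last four digits, mask everything between."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def keyed_hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA-256) of the full PAN. PCI DSS v4.0 asks for keyed rather
    than plain hashes so the digest cannot be brute-forced from the small PAN space."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def scan_files(files: dict[str, str], key: bytes) -> list[dict]:
    """Scan {path: content} and report PANs stored outside authorized locations.
    The finding carries only the truncated PAN and its keyed hash, never the clear
    PAN, so the report itself does not become one more unauthorized copy."""
    findings = []
    for path, content in files.items():
        authorized = path.startswith(AUTHORIZED_PREFIXES)
        for pan in find_pans(content):
            if not authorized:
                findings.append({
                    "path": path,
                    "pan_truncated": truncate_pan(pan),
                    "pan_hmac": keyed_hash_pan(pan, key),
                })
    return findings


# Constructed sample content standing in for Box files (not real data).
SAMPLE_FILES = {
    "/Finance/Cardholder-Vault/refunds-q1.csv":
        "customer,pan\nacme,4111111111111111\n",
    "/Shared/Marketing/event-signups.txt":
        "Paid with card 5500 0000 0000 0004 on site.\nOrder ref 1234567890123 (not a card).\n",
    "/Shared/Support/chat-export.txt":
        "customer pasted 3782-822463-10005 in chat; ticket 4111111111111112\n",
}

if __name__ == "__main__":
    demo_key = b"example-key-would-come-from-a-KMS"  # assumption: never hardcode in production
    for finding in scan_files(SAMPLE_FILES, demo_key):
        print(finding)
```

Running it reports the Marketing and Support files only: the Vault file is an authorized location, the "order ref" fails the Luhn check, and the `4111111111111112` ticket number is one digit off a valid PAN and is also rejected. Two design points matter for 3.5.1.1: the truncated form and the keyed hash of the same PAN should not be stored side by side where someone without the key could correlate them, and the HMAC key needs the same protection as an encryption key, since anyone holding it can confirm a guessed PAN against the digest.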
To mitigate the risk of data leaks from Box, organizations are advised against storing cardholder data unless there is a specific need to do so.
Suggestions for protecting PCI data include:
Collectively, these day-to-day security practices address both physical and digital security concerns.
Safeguarding sensitive cardholder information stored in cloud-based applications such as Box is an ongoing process. To maintain compliance with PCI DSS 4.0, organizations using Box must evaluate and update their existing security controls and operational procedures.
This involves regular assessments on your use of Box to ensure compliance with PCI DSS 4.0, especially user access controls and encryption protocols.
Strac is a comprehensive data loss prevention (DLP) solution, with robust features for effectively safeguarding sensitive PCI information on cloud-based platforms such as Box.
Strac ensures your data security in various ways:
Visit Strac's Box integration or schedule a free 30-minute demo to learn how Strac’s DLP solution can protect your Box usage.