How to Find and Remediate PII and Payment Card Data

An astonishing 9.1 billion data records have been either lost or stolen globally since 2013. Over 1.4 billion were lost in March 2017 alone.

This creates real concern across nearly all industries, especially the technology, financial and government sectors, which are particularly susceptible to data breaches. Never has it been more important to get a handle on your company’s data and remain diligent about protecting it.

But there’s an issue. Not all organisations are 100 percent sure where their data resides. Many are even less knowledgeable about how to find and remediate sensitive data.

This is problematic because it can increase the likelihood of your company experiencing a data breach. With that being said, let’s now discuss the fundamentals of data storage and remediation.

Where Does Your Data Reside?

We’re living in an age where IoT and big data are now the norm. They permeate nearly every industry and sector.

This means that for most companies the majority of their data is stored virtually in the cloud. In fact, Forbes reports that by 2020, 92 percent of all data will be in the cloud.

So in all likelihood, most of your organisation’s data resides in the cloud right now. This could include everything from your basic, free services such as Google Drive and Microsoft OneDrive that hold just a few gigabytes of data all the way to robust paid services that are capable of storing several terabytes.

However, there are a couple of other places where you’re probably storing data as well – hard drives and Internet browsers. While the amount of data in these places is probably minimal when compared with the cloud, it could still be a liability if it winds up in the wrong hands.

Before proceeding any further, you’ll want to pinpoint the specific sources that are currently housing your data and know roughly what percentage each individual source holds.

For instance, you may have 80 percent of your data on a cloud platform, 15 percent backed up on your computer’s hard drive and 5 percent on your Internet browser.

Identifying Sensitive Information

A critical step in keeping information safe is to first understand what’s considered sensitive information and what’s not. While there can be some level of subjectivity, it generally refers to personally identifiable information (PII) and payment card data.

TechTarget explains that PII is any data that could potentially identify a certain individual or that could be used to distinguish one person from another. Some examples include:

  • Social security number
  • Driver’s licence number
  • Passport number
  • Tax information
  • Home address
  • Biometric information
  • Medical information
  • Even a telephone number and ISP in some cases

As for payment card data, this is pretty self-explanatory and refers to credit/debit card information. However, it can also apply to a customer’s bank account number.

If either type of this data is disclosed or falls into the wrong hands, a person’s privacy can be breached and their money compromised. This of course opens a can of worms for the individual as well as your organisation.

Therefore, it’s important that you take the proper precautions to protect it when in use and destroy it once it’s no longer needed.

How to Find That Data

It’s critical that you know how to quickly access PII and payment card data at any given time. This is a necessary precursor to remediating it.

Of course the means of finding data will vary depending on where your data is stored and which specific platforms you use, but here are some general tips for streamlining the process.

Let’s start with cloud storage. Ideally, you’ll use a platform with a search feature so that you can find whatever you need in seconds.

For instance, Google Drive offers a simple search box at the top of the dashboard.


Or if you’re using CRM software, you should be able to execute a similar type of search to find specific sensitive information.

Whatever platform you happen to be using, it’s critical that you can seamlessly search for key data and find it instantly. It’s all about effective data archiving and retrieval.

Or as Chris Grossman, senior vice president of Rand Worldwide, puts it, “Being able to easily search your electronically stored data and provide accurate results instantly is critical to getting the most out of your data on a daily basis and in urgent situations.”

When it comes to your hard drive, it’s simply a matter of performing a search using the right keywords to find the information. For example, a Mac has Finder, which lets you search through your computer for critical data.


As for your Internet browser, you can simply access its history and perform a search. Google Chrome allows you to do this with ease.


The bottom line is that locating sensitive information like PII and payment card data shouldn’t be a struggle. Whatever software or platform you use should offer archiving and efficient retrieval. If you’re having issues with this, then you may want to consider finding a new data storage provider.
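Keyword search only finds files that someone labelled; card numbers and social security numbers usually have to be found by their shape. The following is an added example, not part of the original article: a small scanner for text files that matches candidate card numbers, confirms them with the Luhn checksum, matches the US social security number layout, and reports only masked values. The function names, file suffixes and sample data are assumptions made for illustration.

```python
import re
from pathlib import Path

# 13-19 digits, optionally split by single spaces or hyphens (typical card layouts).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN layout, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most random digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_text(text: str):
    """Return (line_no, kind, masked_value) findings; the raw value is never returned."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                findings.append((line_no, "card", masked))
        for m in SSN_RE.finditer(line):
            findings.append((line_no, "ssn", "***-**-" + m.group()[-4:]))
    return findings

def scan_tree(root: str, suffixes=(".txt", ".csv", ".log")):
    """Scan text-like files under root; yields (path, line_no, kind, masked_value)."""
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            for line_no, kind, masked in scan_text(text):
                yield (str(path), line_no, kind, masked)

# Constructed sample: public test card numbers and a made-up SSN, not real data.
SAMPLE = """name,note
A. Customer,card 4111 1111 1111 1111 exp 01/30
B. Customer,order ref 4111111111111112
C. Customer,ssn 123-45-6789
D. Customer,paid with 5500-0000-0000-0004
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

The second sample row is skipped because its 16-digit number fails the Luhn check, which is what keeps order references and similar identifiers out of the results.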

How to Remediate It

At this point you should have an understanding of what constitutes PII and payment card data as well as how to find it. Now it’s time to remediate it, which is simply the process of securely removing and destroying data.

Again, the approach you take will vary slightly depending upon where the information is stored.

When it comes to deleting files on a hard drive, Columbia University Information Technology explains that the ideal method is to securely delete them. This is different from “regular” file deletion because it overwrites the physical area of the disk where the bytes that comprised the file were stored. This way they can’t be retrieved or reassembled later on after the deletion has taken place.

In other words, they’re gone forever, which is what you want.
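The overwrite-then-delete approach described above can be sketched as follows. This is an added example, not code from the original article or from Columbia University; the function name `secure_delete` and its parameters are hypothetical. It assumes a conventional filesystem on a magnetic disk that writes in place: on SSDs, copy-on-write filesystems, snapshots, backups and cloud-synced folders, earlier copies of the bytes can survive an in-place overwrite.

```python
import os
import secrets
import tempfile

def secure_delete(path: str, passes: int = 1, unlink: bool = True) -> int:
    """Overwrite a file in place with random bytes, force it to disk, then remove it.

    Returns the number of bytes overwritten per pass. unlink=False keeps the
    overwritten file so the result can be inspected.
    """
    chunk = 1024 * 1024
    size = os.path.getsize(path)
    with open(path, "r+b") as f:        # r+b writes over existing bytes without truncating
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())        # push the overwrite past the OS cache to the device
    if unlink:
        os.remove(path)                 # only now drop the directory entry
    return size

if __name__ == "__main__":
    # Constructed demo file containing a made-up record.
    fd, demo = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"constructed record: card ending 1111\n")
    print("overwrote", secure_delete(demo), "bytes; exists:", os.path.exists(demo))
```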

This same concept applies to other data storage systems like the cloud and Internet browsing history. For example, removing a file on Google Drive doesn’t mean that it’s deleted forever. It’s simply moved to the trash.

To delete it forever, you must go to your “Trash,” click on the document and then click on “Delete forever.”


Regardless of the platform, you need to make sure that you’re securely deleting the files and that they’re gone permanently. If they can still be restored, then you’re putting your data assets at unnecessary risk.

Creating a Data Retention Policy

There’s one last step that can streamline the way your organisation manages its data, and that’s to create a data retention policy.

Grossman also says that establishing the right policy is vital for internal data governance as well as legal compliance. You’ll have some data that must be retained for several years, while you may need other data for just a few days.

An added benefit is that this allows you to clear up much of the “digital clutter” on your server so that there’s more free space.


Here are some areas to address in your policy:

  • What data must be stored – You must decide which types of data are truly necessary for performing key tasks/overall operations and which data doesn’t actually need to be stored.
  • Classifying data – This involves putting data into categories such as public, private, sensitive, etc. You may also want to use sub-categories like PII and payment card data.
  • Determining how long data should be stored – You’ll want to have a definitive time frame for how long you should store each type of data. Eventually most data will become unnecessary to retain or obsolete, so you must decide what the maximum retention period is for each type.
  • Deciding who is responsible for remediating data – You’ll typically want to assign this task to just one or a maximum of a few trusted individuals. The fewer people who have access, the more secure your data should be.

Covering these core areas should keep everyone on the same page and eliminate a lot of confusion when it comes to storing data.

The Art of Data Management

Experts speculate that more data will have been created in 2017 than during the previous 5,000 years of humanity. That really puts some perspective on the sheer volume that’s being generated each and every day.

While having access to this information is advantageous to an organisation’s decision-making, communication and collaboration, it creates some serious security risks. With 50 percent of small businesses having encountered a data breach between May 2015 and May 2016, this is an issue that needs to be taken seriously.

Knowing where your data resides in your organisation and how to find and remediate highly sensitive information like PII and payment card data is incredibly helpful for mitigating your company’s risk and protecting your customers.

This along with an effective data retention policy should help you operate with more confidence and greater peace of mind.

How comfortable do you feel about your company’s ability to safeguard sensitive data? Please let us know:

