I've got an auditor insisting on PCI compliance for our Exchange system. We're aiming to eliminate any PCI-related data from Exchange, including using Data Loss Prevention (DLP) tools. However, during our recent policy simulation, I discovered a credit card number in a subpoena document that was sent internally. We're also trying to avoid using SharePoint for sharing to minimize any PCI presence in our environment. Does anyone have suggestions on how to approach this, or am I potentially misunderstanding the requirements?
1 Answer
A good starting point is to ensure that neither Exchange nor M365 is part of the PCI scope from the get-go. You want to make sure that your workflows don't process PCI data at all—like, for example, instructing customers not to send credit card numbers via email. It's also crucial to create clear policies for your team about where PCI-related data can and can't go.
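To illustrate what a DLP "credit card number" classifier is actually doing when a policy simulation flags a document like the subpoena in the question, here is an added example (not part of the answer above and not any vendor's DLP engine). It combines the two checks such classifiers rely on: a digit-run pattern that tolerates spaces and hyphens, followed by a Luhn check to discard order numbers and similar look-alikes. The sample messages are constructed; 4111111111111111 and 5555555555554444 are the publicly documented Visa/Mastercard test numbers. Findings are reported with the PAN masked, so the scan report itself does not become another place where cardholder data lives.

```python
import re

# Constructed sample "mailbox" contents standing in for what a DLP policy
# simulation would scan. The card numbers are public test numbers, not real accounts.
SAMPLE_MESSAGES = {
    "subpoena.txt": "Per the subpoena, the account tied to card 4111 1111 1111 1111 is requested.",
    "expense.txt": "Reimbursed the hotel charge on 5555-5555-5555-4444 yesterday.",
    "invoice.txt": "Order #4111111111111112 shipped.",  # 16 digits but fails Luhn: an order id
    "newsletter.txt": "Call 555-0100 for support.",      # too short to be a PAN
}

# 13 to 19 digits, each optionally followed by a space or hyphen, not embedded
# in a longer digit run. Matches the common PAN lengths and formatting styles.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits, as a scan report should."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked PANs found in text: pattern match plus Luhn validation."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(mask(digits))
    return hits


def simulate_policy(messages: dict[str, str]) -> dict[str, list[str]]:
    """Test-mode scan: map each item name to the masked PANs it contains."""
    report = {}
    for name, body in messages.items():
        found = find_pans(body)
        if found:
            report[name] = found
    return report


if __name__ == "__main__":
    for item, pans in simulate_policy(SAMPLE_MESSAGES).items():
        print(f"{item}: {', '.join(pans)}")
```

Running it flags the subpoena and the expense note but not the order number or the phone number, which is the same distinction a real DLP classifier draws; the practical takeaway for scoping is that any mailbox or document library that can receive legal or expense paperwork will produce such hits, so the fix is the workflow and policy change the answer describes rather than tuning the detector.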
