Executive Summary
This paper, titled Hitchhiker's Guide to PCI DSS 2.0, outlines a methodology for scoping the cardholder data environment and for cardholder data discovery for Payment Card Industry (PCI) assessments. We present valuable information for companies preparing for a PCI DSS version 2.0 assessment, including cardholder data discovery strategies, cardholder data discovery sampling strategies, and remediation guidelines for addressing issues with cardholder data.
Hitchhiker's Guide to Payment Card Industry Data Security Standard (PCI DSS) 2.0
Getting Started
In the past, most PCI assessments included a review of the known
cardholder data flows. This was akin to following the bouncing red
dot to understand the data flows, the protocols used, the repositories,
and how cardholder data passed through these systems, networks,
applications, and people. It is critical that you painstakingly provide
as much detail as possible about the known cardholder data flows.
If you have not thoroughly examined your cardholder data flows,
you definitely will want to start here. The PCI Council is not asking
that companies use cardholder data discovery tools to detect
this information throughout the entire enterprise (at a potentially
enormous cost). However, companies are required to do something
to demonstrate where there is no cardholder data. It isn't enough to
understand where you believe your cardholder data should be. You will
also be expected to demonstrate that you know where it could not be.
Sampling Strategy
There are many instances where we have worked with retail clients to
determine a sampling approach to cardholder data discovery at their
retail locations. For those companies who maintain their retail systems
on a consistent basis, it is possible to create a sampling methodology
to perform cardholder data discovery. Some critical factors to consider
for this approach include the following:
- All POS systems must adhere strictly to a build standard. If a significant variance is discovered, it may turn out that all systems must undergo cardholder data discovery analyses.
- It should go without saying that all POS systems should be implemented and maintained in a PCI-compliant manner. Just because a payment application is certified as PA-DSS compliant does not mean that the system has been implemented properly.
- Make sure you understand your payment application. If it was provided by a third party or payment application provider, find out if they have any information about whether the payment application is capable of dumping cardholder data, for example, to a log file. If the application has been developed in-house, work with your payment application developers to understand this. If there is no logical way for a payment application to output cardholder data to a hard drive or a log file, the probability of finding cardholder data there is greatly diminished. If there is a logical way for your payment application to dump cardholder data, then make sure you monitor the process(es) that would cause this event to take place and the destinations where the cardholder data would potentially land.
- In the event that any cardholder data is discovered, companies should create a remediation strategy that applies to all appropriate POS systems, since it is possible that cardholder data appeared on other systems.
- In the event that any cardholder data is discovered, companies should perform a root cause analysis to determine how the cardholder data appeared there so that action can be taken to prevent a recurrence.
Databases
There are times when companies are not fully aware of the content of their databases. (Some companies write their own regex discovery scripts, while others use commercial database discovery tools.)
Forensics Analyzers
Some consider this excessive, as these tools do a lot more than just cardholder data discovery (e.g., EnCase).
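The following is an added example, written for this note and not code from the paper or from AT&T, of the kind of home-grown regex discovery script referred to under Databases above. It also serves the earlier point about monitoring the log-file destinations a payment application could dump cardholder data into: the same scanner can be run over those files. It assumes only Python 3 and the standard library; the sample log lines are constructed test data using publicly documented test card numbers, and the output deliberately keeps only the first six and last four digits so the scan results do not themselves become a new cardholder data store.

```python
"""Minimal cardholder data (PAN) discovery scanner: regex candidates + Luhn check.

Added example, not the paper's or AT&T's code. Assumes Python 3 standard library only.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
# The lookbehind/lookahead stop the pattern from matching a slice of a longer digit run.
# The pattern is deliberately loose; the Luhn check below weeds out most false positives.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Constructed sample log lines (public test PANs, not real card numbers).
SAMPLE_LOG = [
    "2012-08-02 10:01:13 POS01 sale approved card=4111 1111 1111 1111 amt=19.99",  # Luhn-valid test PAN
    "2012-08-02 10:01:14 POS01 trace id=1234567890123456 status=ok",             # 16 digits, fails Luhn
    "2012-08-02 10:02:00 POS01 sale approved token=tok_8f2a9 amt=5.00",          # tokenised, nothing to find
    "2012-08-02 10:03:41 POS02 debug pan=5500-0000-0000-0004 exp=1214",          # Luhn-valid test PAN
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    masked_pan: str   # first six + last four only; the full PAN is never stored
    context: str      # the log line with every detected PAN redacted


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum, which every payment card number must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Mask to the 'first six, last four' form acceptable for reporting."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per Luhn-valid PAN candidate, with redacted context."""
    findings: List[Finding] = []
    for no, line in enumerate(lines, start=1):
        hits = []
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                hits.append((m.group(0), mask(digits)))
        if not hits:
            continue
        # Redact every hit before recording context so no raw PAN leaves this function.
        redacted = line
        for raw, masked in hits:
            redacted = redacted.replace(raw, masked)
        for _, masked in hits:
            findings.append(Finding(no, masked, redacted.strip()))
    return findings


if __name__ == "__main__":
    # Usage: python scanner.py, or pass open(path) to scan_lines() for a real log file.
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.masked_pan} | {f.context}")
```

Two design points are worth noting. First, the scanner reports only masked PANs and redacted context, so its own output can be shared with a QSA or filed with the remediation record without creating another repository of cardholder data. Second, as the paper says of discovery tools generally, this finds only clear-text PANs: encrypted or tokenised values (the `tok_` line above) will not match, so it complements rather than replaces the data-flow review.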
Companies should change their sample set for each discovery scan. This will allow more systems to be scanned over time.
While cardholder data discovery tools are not going to find stores of encrypted cardholder data, you should remain vigilant for any unauthorized or undocumented repositories of encrypted cardholder data (even though this is easier said than done).
Please keep in mind that different QSAs may interpret this PCI requirement differently. Companies to be assessed should collaborate with their QSA prior to or early in their PCI assessment to determine that QSA's interpretation of sampling for cardholder data scans. It will be up to the merchant to demonstrate a sound approach to sampling of POS systems for cardholder data to their QSA.
Remediation Strategy
Cardholder Data Discovery Remediation: What If You Find Stuff?
The purpose of cardholder data discovery is to systematically search
systems for cardholder data. If you do happen to find unencrypted
cardholder data, you will want to ensure you've created a remediation
plan to address it. Your remediation plan should be included within
your overall cardholder data discovery methodology, and it should
address the following:
- Determine how the unencrypted cardholder data got there (root cause analysis).
- If there are multiple findings, determine if there is a pattern.
- Determine if anyone has a need for the cardholder data.
- Determine if there are any similar channels where cardholder data may have leaked (e.g., users with similar privileges and/or job functions, or users with similar shared drives) and consider running a subsequent cardholder data discovery scan.
- Determine what can be done to prevent (preferably) or to monitor for this type of data leakage in the future, and implement these controls accordingly.
- Perform a secure delete of the unencrypted cardholder data if there is no business need for it. If there is a business need for the unencrypted cardholder data, ensure that you have compensating controls in place to adequately protect it.
Lessons Learned
The following section contains some lessons learned based on dozens
of PCI assessments and client interaction over the past year.
Avoid Guilt by Association
Remember, in most cases your cardholder data discovery application and systems should be considered in scope: they may either contain actual cardholder data (found during the discovery process) or be "guilt by association" systems, that is, systems attached to systems that store, process, or transmit cardholder data. Make sure that you apply the appropriate security controls to these systems (access controls, logging, etc.) to ensure that they don't create covert channels to cardholder data.
Conclusion
Understanding and complying with the PCI Data Security Standard
(PCI DSS) can be a daunting task, especially if your organization has
limited time and resources. Organizations are often blindsided by the
changes in the standards, new payment technologies, and emerging
business context. Many organizations still narrowly focus on the
annual compliance assessment rather than adopting a programmatic
approach to compliance, and hence are subject to falling out of PCI
compliance. This document should help provide your organization
with the building blocks to create a sustainable cardholder data
scoping methodology.
08/02/12 AB-2486
© 2012 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.
The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or
completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any
damages resulting from use of or reliance on the information.