by Natasja Bolton, Senior Acquirer Support QSA
At the release of the PCI Scoping Guidance back in December 2016, the PCI Council highlighted the fact that “data breach investigation reports continue to find that companies suffering compromises were unaware that cardholder data was present on their compromised systems”.
Why is that? Often it is because businesses simply forget about legacy systems that are no longer in use, or overlook business processes that became obsolete as newer tools and systems replaced them. It may also be because the personnel now responsible for PCI DSS compliance have little or no knowledge of the systems and processes used in earlier times that are now unused or redundant.
This is especially likely where a business has gone through organisational change, such as an acquisition. As a result, businesses may end up including only their current card payment processing environments in their assessment of PCI DSS compliance, while older systems that still hold cardholder data fall outside it.
As Digital Transactions highlights in their article Minimising Your Data Footprint, “the weakest link in an environment is where an entity doesn’t know that cardholder data is there”; therefore, it is essential that when scoping their PCI DSS compliance assessments, businesses revisit their historic electronic payment systems and business processes.
They should investigate earlier paper-based processes or other operational procedures that may have handled cardholder data in the past.
For example, a company's customer service team may now use a Virtual Terminal subscription management solution to process recurring payments instead of relying on paper or electronic records of cardholder data. The manual recurring payments process has been replaced, but have the now redundant records of cardholder data also been securely erased or destroyed?
Steps that businesses can take
To ensure that historic cardholder data isn't resident on systems that have been left out of PCI DSS scope, and are therefore not adequately protected, businesses must check whether systems that once handled or came into contact with cardholder data have been securely decommissioned.
Business investigations of past card payment and operational processes may reveal records, files and stores (e.g. databases) where legacy cardholder data remains.
Sysnet recommend that businesses undertake a cardholder data discovery exercise to achieve two things:
- To verify that cardholder data exists where they believe it does, and
- To verify that no other cardholder data exists in the environment.
Businesses need not purchase data discovery tools themselves; specialists, such as Sysnet Cyber Risk, offer services to assist with the discovery exercise. The Sysnet Cardholder Data Discovery (CDD) service is designed to search effectively for exposed cardholder data held within an organisation, with minimal disruption to the business's operations.
The service provides businesses with a detailed technical report showing exactly where cardholder data is stored within the organisation, including file repositories, databases, NAS systems, and email servers.
Data discovery tools can reveal electronic records of historic cardholder data, but they cannot find paper; businesses will need to undertake manual investigations to identify current, archived and legacy repositories of hard copy cardholder data.
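To show what the electronic side of such a discovery exercise actually checks, here is a small scanner added for this article (it is example code written for this page, not Sysnet's CDD service or any product's internals). A bare "16 digits in a row" search buries the real findings under order numbers, timestamps and serials, so the scanner applies the two filters every PAN must satisfy, a Luhn mod-10 check and a card-brand prefix/length check, and masks every hit so that the discovery report does not itself become a new store of full PANs. The brand prefix table is a deliberately abridged illustration rather than a full IIN list, and the sample "files" are constructed from publicly published payment-gateway test card numbers.

```python
"""Cardholder data discovery over text content (added example, not Sysnet's CDD tooling).

Two filters separate PANs from look-alike digit runs: the Luhn check every card
number passes, and a brand prefix/length check. Findings are reported masked so
the scanner's own output is not another copy of full PANs.
"""
import re
from typing import NamedTuple

# Candidate: 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumption: illustrative leading-digit ranges and lengths for the major brands,
# not a complete IIN table.
BRAND_RULES = {
    "Visa": (("4",), {13, 16, 19}),
    "Mastercard": (
        tuple(str(p) for p in range(51, 56)) + tuple(str(p) for p in range(2221, 2721)),
        {16},
    ),
    "Amex": (("34", "37"), {15}),
    "Discover": (("6011", "65"), {16, 17, 18, 19}),
}


class Finding(NamedTuple):
    source: str
    line_no: int
    brand: str
    masked_pan: str


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, sum the digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str):
    """Return the brand whose prefix and length rules the digits satisfy, else None."""
    for brand, (prefixes, lengths) in BRAND_RULES.items():
        if len(digits) in lengths and digits.startswith(prefixes):
            return brand
    return None


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (the usual display mask); star the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(source: str, text: str) -> list:
    """Return one Finding per Luhn-valid, brand-matching candidate in the text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", match.group())
            if not luhn_valid(digits):
                continue  # order numbers, timestamps and most serials stop here
            brand = brand_of(digits)
            if brand is None:
                continue  # Luhn-valid but no card prefix (e.g. an all-zero serial)
            findings.append(Finding(source, line_no, brand, mask_pan(digits)))
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> text (in a real run, read from file shares, NAS or mailbox exports)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample: published gateway test card numbers standing in for legacy records.
SAMPLE_FILES = {
    "shared/finance/renewals_2014.csv": (
        "customer,card,expiry\n"
        "A Smith,4111111111111111,12/16\n"
        "B Jones,378282246310005,03/17\n"
        "C Brown,5555 5555 5555 4444,08/16\n"
    ),
    "mail/export/customer-service.txt": (
        "Ref 4111111111111112 is the order number, not a card\n"
        "Device serial 0000000000000000 replaced\n"
        "Please charge 4012-8888-8888-1881 as before\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.source}:{f.line_no}  {f.brand:<10} {f.masked_pan}")
```

Run against the constructed sample, the scanner reports four findings (three in the forgotten 2014 renewals spreadsheet, one in a mailbox export) and correctly discards the order number, which fails Luhn, and the all-zero serial, which passes Luhn but matches no card prefix. In a real exercise the same logic is pointed at file shares, database exports and mail stores, and the masked report is what goes to the people deciding what to retain or destroy.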
Armed with knowledge of the cardholder data that exists in their environment, businesses can then take action to securely erase, wipe or destroy any cardholder data that is no longer required.
This is not to advocate deletion or destruction of all historic records; companies may negatively impact their business if they take a blanket action to get rid of all legacy cardholder data without considering their ongoing business need for it.
Rather Sysnet recommend that companies use the findings of their investigations to make an informed decision as to whether they need to:
- Maintain some or all of the identified cardholder data because of an established business need, in which case the retained cardholder data must be protected in accordance with the PCI DSS requirements and included in the merchant's assessment scope, or
- Securely erase or destroy legacy cardholder data that the merchant no longer has any business need to retain.
Companies may find that the business benefits of retaining legacy cardholder data are outweighed by the compliance obligations PCI DSS places on them to retain and protect that data securely.
By investigating past systems and processes, building a complete understanding of both their current and their past cardholder data environments, and making informed decisions about the deletion or retention of historic cardholder data, businesses can assess their PCI DSS compliance in full awareness of the true scope of that assessment.