Editor’s Note: In this post, Steve Levinson offers an approach for handling issues with cardholder data, on-going processes to consider, and shortcomings of existing technologies. This post is the fourth and final in a series of four from the “Hitchhiker’s Guide to PCI DSS 2.0 Scoping.” The first post offered a step-by-step methodology, the second post offered cardholder data discovery strategy, and the third post offered a cardholder data discovery sampling strategy.
The purpose of cardholder data discovery is to systematically search systems for cardholder data. If you do happen to find unencrypted cardholder data, you will want to ensure you’ve created a remediation plan to address it. Your remediation plan should be included within your overall cardholder data discovery methodology, and it should address the following:
- Determine how the unencrypted cardholder got there (root cause analysis).
- If there are multiple findings, determine if there is a pattern.
- Determine if anyone has a need for the cardholder data.
- Determine if there are any similar channels where cardholder data may have leaked (e.g., users with similar privileges and/or job functions, or users with similar shared drives) and consider running a subsequent cardholder data discovery scan.
- Determine what can be done to prevent (preferably) or to monitor for this type of data leakage in the future and implement these controls accordingly.
- Perform a secure delete of the unencrypted cardholder data if there is no business need for it. If there is a business need for the unencrypted cardholder data, ensure that you have compensating controls in place to adequately protect it.
Avoid Guilt by Association
Remember, in most cases your cardholder data discovery application and systems should be considered to be in-scope, as they either may contain actual cardholder data (which is found during the discovery process) including ‘guilt by association’ systems that are attached to systems that store, process, or transmit cardholder data. Make sure that you infuse the appropriate security controls on these systems (access controls, logging, etc.) to ensure that they don’t create covert channels to cardholder data.
Create an Audit Trail
Since your cardholder data discovery methodology will most likely include the use of tools or processes to perform cardholder data discovery, you will need to create some type of audit trail to demonstrate that you have indeed been performing adequate cardholder data discovery searches and scans. You should provide some degree of evidence to your QSA during your PCI assessment, similar to how you would demonstrate, for example, how you perform your quarterly internal vulnerability scans. It is important to create tangible evidence and not to expect that your QSA should accept this evidence based only on interviews or word of mouth.
Implement DLP Tools
The terms “cardholder data discovery” and “data leakage prevention” (DLP) often are used synonymously when indeed they are different functions. Cardholder data discovery is the act of using a methodology or tool to search for cardholder data at rest, whereas DLP focuses more on cardholder data in transit, leaking to unauthorized/unexpected places. DLP can play a pivotal role in building a sustainable program to prevent cardholder data from appearing in surprising places. How does this work? After you perform an initial discovery scan to verify that there is no unencrypted cardholder data in a particular location, you may then be able to implement DLP tools to ensure that going forward no cardholder data makes it to that location, perhaps even doing away with the need for subsequent cardholder data searches on that particular host/system.
While tools are an important building block of any robust security or governance program, companies should not blindly rely on them. It is critical to understand and to document your cardholder data flows, and to work closely with the business and the administrators (network, systems, applications) to determine any potential inherent weaknesses so that when it makes sense, you can use the tools at the right times and in the right places.