Key elements to consider in a PCI DSS Card Data Discovery Process

Published on: 03 Sep 2020


Over the past few years, the industry has witnessed several high-profile data breaches. Incidents like these serve as a reminder for businesses to prioritize data security and harden their environments. To address this concern, the Payment Card Industry Security Standards Council (PCI SSC) issued the Payment Card Industry Data Security Standard (PCI DSS), which sets out requirements for securely processing, storing, and transmitting payment card data. Under the PCI DSS requirements, in-scope organizations must accurately determine the scope of their PCI DSS assessment and secure card data.

Determining the scope essentially involves discovering unencrypted card data and securing each location where it resides to prevent a breach or data theft. Notably, most data breach and theft incidents in the industry today are due to data stored in undiscovered locations that was never secured, which exposes organizations to a high risk of breach. It is therefore essential for organizations to conduct a thorough Card Data Discovery assessment to identify cardholder data and, where required, securely delete data that is no longer needed or has exceeded its retention period.

In this article, we outline the key elements to consider while conducting a PCI DSS Card Data Discovery assessment. Considering these elements will ensure accurate scoping and data discovery across the environment. Before proceeding to the key elements, let us first define the term Card Data Discovery (CDD), as this will make the rest of the process easier to follow.

What is Card Data Discovery in PCI DSS?

Card Data Discovery is a systematic process of scanning for, identifying, and analyzing sensitive cardholder data, which is confidential, proprietary, and personally identifiable information. Card data typically includes the primary account number (PAN), Service Code, magnetic stripe data, Sensitive Authentication Data (SAD), the Card Verification Code (CVV), and the Personal Identification Number (PIN). Once the data and the Cardholder Data Environment (CDE) have been discovered, the effectiveness of the controls that support the confidentiality, integrity, and availability of that data is analyzed. Data that may be stored in file systems, shared drives, databases, and removable media is then either secured or deleted, depending on whether it is still needed and on its retention period.

Key elements to consider in the PCI DSS Card Data Discovery process

The Card Data Discovery process should begin with a review of the existing network diagrams, data flow diagrams, and known Cardholder Data (CHD) locations. It should also include interviews with the stakeholders involved in the storage, processing, and transmission of cardholder data. On completion, we either confirm that the current scope is accurate or find that it has been defined far narrower than it should be. To define the scope accurately, the Card Data Discovery analyst must consider the following factors.

Scan the entire organizational network

The main purpose of a card data discovery scan is to identify both the known and the unknown locations where card data is stored. In all our years of assessing and consulting for PCI DSS, we have seen many organisations scan only their Cardholder Data Environment (CDE) for card data, which is quite silly if you think about it. A CHD scan is meant to confirm where in the organization CHD is stored; scanning only the systems already in your PCI scope confirms nothing about whether card data resides elsewhere in your network. It is therefore essential that the scanner covers the entire organization's network in the scope of card discovery, so that no area that may unknowingly hold card data is ruled out. Data is most often discovered in the least expected areas, which were left out of scope and are thereby exposed to a security breach.

Scan across platforms

Card data could be stored anywhere: on any platform, system, or network. Scanners must therefore cover all platforms, including the network, cloud, mail servers, operating systems, database platforms, and file systems, when scanning for card data. Any system, network, platform, or similar location that is ruled out simply remains out of scope, and any sensitive data it holds stays exposed to breach or theft.

Scan different file formats

Sensitive data could be stored in any file format (PDF, temporary files, XML, PSD, TIFF, DOC, DOCX, RAM dumps) and file type (encoded files, flat files, compressed files, database files, email files, audio files, databases of all variants including flat files, and even image files, to name a few). As a best practice, the card discovery process should therefore scan all data storage formats and file types thoroughly. Excluding any type could be a huge risk for organizations looking to secure sensitive data.

Scan systems and applications

Last but not least, remember to scan storage and computing devices such as hard drives, pen drives, smartphones, tablets, laptops, desktops, and other endpoints in a Card Data Discovery assessment. When scanning a large organization for unencrypted card data, it is very easy to miss the most obvious storage location.

False positives

Be wary of false positives in the Card Data Discovery process; they are currently one of the major challenges in data discovery. A flood of false positives can ruin the exercise and undermine the efforts of both securing the data and achieving compliance. Accuracy in data discovery is absolutely critical, because it is what allows an organization to classify its sensitive data and protect it from exposure.
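To make the file-format and false-positive points concrete, here is an added example, written for this article and not code from the article or from VISTA InfoSec, of a minimal card data discovery scanner in Python. It walks a directory tree, looks inside plain files, zip-based formats such as DOCX, and base64-encoded blobs found in log lines (the "compressed" and "encoded" file types discussed above), and reports only candidate numbers that pass the Luhn checksum, the usual first filter against false positives. All file names, contents and card numbers are constructed sample data built in a temporary directory (well-known test card numbers, not real cards); the helper names are this example's own.

```python
import base64
import os
import re
import tempfile
import zipfile

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
# This deliberately over-matches; the Luhn check below filters the noise.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:\d[ -]?){12,18}\d(?![0-9])")
# Runs of base64 alphabet long enough to hide a PAN (20+ chars, optional padding).
BASE64_BLOB = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{20,}={0,2}(?![A-Za-z0-9+/])")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid candidate PANs in text, digits only, in order found."""
    pans = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, so the report itself is not a new CHD store."""
    return "*" * (len(digits) - 4) + digits[-4:]


def extract_text(data: bytes) -> str:
    """Decode bytes to text and append the decoded form of any base64 blobs inside,
    so a PAN hidden by simple encoding is still visible to find_pans."""
    text = data.decode("utf-8", errors="ignore")
    parts = [text]
    for blob in BASE64_BLOB.findall(text):
        try:
            parts.append(base64.b64decode(blob, validate=True).decode("utf-8", errors="ignore"))
        except ValueError:  # not valid base64 after all (bad length or padding)
            continue
    return "\n".join(parts)


def scan_tree(root: str) -> dict:
    """Walk root and return {location: [masked PANs]} for every file holding valid PANs.
    Zip-based formats (ZIP, DOCX, XLSX) are opened and each member is scanned;
    their hits are reported as 'archive!member'."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for member in zf.namelist():
                        pans = find_pans(extract_text(zf.read(member)))
                        if pans:
                            hits[f"{rel}!{member}"] = [mask_pan(p) for p in pans]
            else:
                with open(path, "rb") as fh:
                    pans = find_pans(extract_text(fh.read()))
                if pans:
                    hits[rel] = [mask_pan(p) for p in pans]
    return hits


def build_sample_tree() -> str:
    """Create a temp directory of constructed sample files (well-known test card
    numbers, not real cards) covering the cases the scanner must handle."""
    root = tempfile.mkdtemp(prefix="cdd_demo_")
    # Plain text: one Luhn-valid PAN plus a 16-digit order reference that is not.
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("card on file 4111 1111 1111 1111\norder ref 1234 5678 9012 3456\n")
    # Log line carrying a base64-encoded payload that contains a PAN.
    with open(os.path.join(root, "app.log"), "w") as fh:
        payload = base64.b64encode(b"pan=5500000000000004").decode()
        fh.write(f"2020-09-03T10:00:00Z INFO payload={payload}\n")
    # DOCX is a zip of XML parts; hide a PAN inside word/document.xml.
    with zipfile.ZipFile(os.path.join(root, "report.docx"), "w") as zf:
        zf.writestr("word/document.xml", "<w:t>Refund issued to 378282246310005</w:t>")
    # Look-alike number only: must not be reported.
    with open(os.path.join(root, "clean.csv"), "w") as fh:
        fh.write("id,amount\n1234567890123456,10.00\n")
    return root


if __name__ == "__main__":
    for location, pans in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{location}: {', '.join(pans)}")
```

Run directly, it prints one line per location holding a valid PAN, masked to the last four digits. The order reference in `notes.txt` and the row in `clean.csv` are 16-digit numbers that a naive regex would report but that fail Luhn, which is the false-positive case described above. Luhn alone is not sufficient, though: plenty of non-card identifiers pass it, so a production tool layers issuer BIN-range checks and nearby context keywords on top, and still has to cover the formats this example leaves out (PDF, database engines, images, memory dumps).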

Data Discovery tools

Many organisations we see use tools that scan only text files and email but not databases; this is unacceptable. Organizations must use a comprehensive tool that scans every file, format, storage location, operating system, network, and platform across the organization. Searching every location for unencrypted card data is essential to protecting customer payment data. Investing in the best tool for card data discovery can greatly benefit the business and spare it the ramifications of a data breach.


Organizations should scan their environment carefully so that no possible store of unencrypted data that may lead to a breach is ruled out. Use the right scanning tool and adopt all necessary manual processes when scanning the systems and networks of your organization. Take the key elements and factors described above into consideration when carrying out card data discovery, and your organization is sure to succeed in accurately scoping and discovering card data. Should you need any support or clarification in defining the scope of your Cardholder Data Environment, do drop us a line at askus[at]

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF Assessor, CISSP, CISA, CRISC, ISO 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security consulting firm based in the US, Singapore and India. Mr. Sahoo holds more than 25 years of experience in the IT industry, with expertise in Information Risk consulting, assessment and compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services, which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS compliance and audit, PCI PIN, SOC 2 compliance and audit, PDPA and PDPB, to name a few. The company has worked since 2004 with organizations across the globe to address the regulatory and Information Security challenges in their industry, and has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.