Prioritizing PCI - Part 1: Watching What You Store
PCI Compliance can be daunting for new merchants or service providers. The PCI-DSS contains 12 requirements, with 412 sub-requirements and sub-sub-requirements covering over 115 pages. It begs the question, "Where do I start?"
Fortunately, the Security Standards Council offers a roadmap for navigating the road to PCI Compliance called the PCI Prioritized Approach. This approach lays out the DSS requirements as a set of 6 milestones to attaining compliance. In this series, we will take a look at the 6 milestones and how to apply them to your business operations.
Today we'll tackle Milestone 1: Removing sensitive authentication data and limiting data retention.
Step 1 - Identify Your Scope
The Payment Card Industry Data Security Standard prescribes the security requirements all merchants and service providers must apply to all in-scope systems. But what does in-scope mean? The PCI-DSS separates systems based on the following criteria:
- Systems that store, process, or transmit cardholder data (CHD)
- Systems that connect, directly or indirectly, to those that store, process, or transmit CHD
- Systems that control or affect the security of those that store, process, or transmit CHD
- Systems that do not connect to, control, or affect the security of those that store, process, or transmit CHD.
For the purposes of PCI Scoping:
Systems matching the first of the above criteria are considered the Cardholder Data Environment (CDE). These systems are always in-scope .
Systems matching the second or third criteria are considered the Cardholder Related Environment (CRE). These systems are always in-scope
Any system matching only the fourth criteria is considered part of the non-CDE environment. As long as these systems are segregated from systems in the other categories (i.e. no shared networks, no communication to/from systems).
Step 2 - Assess Your Risk
The first step on the road to PCI compliance is to know what your greatest threats are. For that you need to perform a risk assessment.
Step 3 - Diagram Your Network
You can't protect what you don't know about. To design your compliance strategy, you need to know how your infrastructure is laid out. What are your uplinks? Which systems have access to what data? Do you have firewalls at every point on ingress/egress? To answer these questions, you need a map of your network. This map should include all connections between your network and any public networks.
Additionally, your network diagram should show the flow of CHD through your network, and should clearly delineate in-scope systems from out-of-scope systems.
Step 4 - Limit Storage of Cardholder Data
The more cardholder data you have, the larger the target you are, and the harder you have to work to protect it. A good way to remedy this is to keep the amount of cardholder data to a minimum. Think about these questions when you're considering data storage:
- Does your company need card data after an individual transaction is complete?
- If you require saved CHD, how long do you need to store it, a day, a week, a year?
- How many places do you need CHD stored; can some of those places be eliminated?
Once you've answered these questions, you need to set your limits. Eliminate unneeded storage, and set the retention limits for the data you do store.
There are plenty of reasons you as a merchant might need to store cardholder data, perhaps for future or recurring payments. But reducing storage can greatly simplify your path to attaining PCI Compliance.
Step 5 - Never Store Sensitive Data
While storing CHD for business operational reasons is acceptable with the appropriate controls, there are some items that are prohibited for storage, regardless of your business needs. These items include:
- The contents of the magnetic track of a credit card (Track1 or Track2).
- The Card Verification Value (CVV or CV2).
- The Cardholder's PIN number.
- The encrypted PIN block or EMV chip contents from the card.
These items are referred to collectively as Sensitive Authentication Data (SAD). Regardless of business justification or the security controls in place, it's never permitted to retain this information after authorization is completed.
Step 6 - Destroy Media After Retention Period
So you know what you can store, what you need to store and how long you need to store it. What do you do when you don't need it anymore? It's important that any data you're discarding is securely deleted. Paper records should be shredded. Any electronic data should be securely wiped, and any storage devices should be rendered permanently unreadable before media leaves your control.