Payments made through the Internet, mobile networks, and WiFi, or made at an electronic cash register carry the risk of compromising card information. For instance, when you swipe your card at a retail outlet, the payment terminal sends card data to the acquirer over the network passing multiple systems. The storage, processing, and transmission stages expose unencrypted card data to numerous risks and threats. Discovering unencrypted card data is mandatory under Requirement 3.1 of the PCI DSS Standard. Therefore, understanding the right approach to take for card data discovery is an important consideration for organizations.
Today, one of the highest risks for organizations relates to data residing in undisclosed storage points. Inadvertent storage of card data is one of the top three reasons for a breach to occur. Therefore, in order to mitigate the risk, organizations (as per Requirement 3.1) have to identify and securely delete cardholder data that exceeds defined retention conditions every quarter.
To get their act right when scanning data, organizations should consider the following five factors:
- Scope of card discovery should be organization-wide: The purpose of running a card discovery exercise is to identify areas where card data is stored. Therefore, the scope of card discovery should encompass the entire organization and must not be limited to only PCI DSS Scope or card data environment (CDE). In many cases, you will notice card data stored in places where you least expected.
- Data may reside on different platforms: A comprehensive scan covering all systems, databases, networks, and file systems is necessary. Organizations think that using data-loss prevention software (DLPS) will do the job, but DLPS does not support many databases, operating systems, cloud, voice platforms, and mail servers. The upshot of using DLPS is that sensitive data locations continue to remain unknown.
- Agent vs. non-agent discovery tools: Agent-based card discovery tools are best suited for large environments, which have less than 100 systems on the network. Opening every file and running through it for possible card numbers or data consumes more time than any vulnerability assessment tools. It is best to run an agent-based tool during low usage periods.
- Card data may be stored in different formats: Data can be found in any files, even in temp files and RAM dumps. Therefore, any card discovery exercise should involve all possible formats of data storage.
- False positive is one of the biggest challenges in data discovery process: Ensuring the accuracy of data is important in any discovery exercise. This is important because classifying new data assists in security and compliance efforts. However, results need to be tracked over time and validated, and the process must be made repetitive.