I spent many years as PCI QSA, and my recent webinar: The PCI DSS Compliance Essentials: Top 10 Things You Need to Know tried to encapsulate some of the most important areas firms need to consider as they go down the road to PCI compliance. Perhaps the most important topic I covered in the webinar is one that far too many firms don’t even consider—asking why they even store PCI cardholder data (CHD) in the first place.
A lot of firms accept as a fact of doing business that they need to store CHD. The reality is that, for most organizations, there is no compelling business or technology reason for retaining cardholder data. In 2019, there are plenty of vendors who offer tokenization solutions that merchants and service providers can use to ensure that they never see customer CHD. Instead, they only will use the tokens, which are data strings that are out of scope for PCI.
By using tokenization, firms can significantly limit their PCI scope and responsibilities, and risk of damaging data loss or exposure. This, in turn, results in significant cost savings, and many less hours required toward PCI compliance.
Besides tokenization, there are other potential solutions, such as credit card vaulting, point-to-point encryption (P2PE), and end-to-end encryption (E2EE). Whichever solution you consider, the goal is to start thinking about how you can get out of the CHD storage business.
Another important area is that of scoping. The first step of PCI DSS is to accurately determine the scope of the environment. As detailed in the PCI DSS Quick Reference Guide, the scoping process includes identifying all system components that are located within, or connected to, the cardholder data environment. The cardholder data environment is comprised of people, processes, and technology that handle cardholder data or sensitive authentication data.
Yet, too many firms don’t invest enough time in the scoping process. This can be a significant issue, as if a firm over-scopes, they will end up exerting unnecessary time, effort, and expenses. On the other hand, if they under-scope and exclude things that are truly within scope, the outcome is that they are not PCI compliant, and all of the fallout that entails.
Another major PCI violation that organizations commonly commit is the unneccessary storing of sensitive authentication data (SAD). PCI defines SAD as security-related information—including, but not limited to, card validation codes/values, full track data (from the magnetic stripe or equivalent on a chip, PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions. SAD can never be stored after authentication.
Being educated about the PCI DSS requirements is your best method to ensure compliance, minimize costs, and ensure that you are fully compliant with PCI DSS. For more education that will help poise you for success with PCI, check out my on-demand webinar.
Ben Rothke, Senior Security Consultant, Nettitude
Ben Rothke (@benrothke) is a senior security consultant with Nettitude and has over 15 years of industry experience in information systems security and privacy. His career incorporates a successful track record across corporate and consulting roles, securing IT assets for numerous Fortune 1000 companies.
He is the author of Computer Security - 20 Things Every Employee Should Know (McGraw-Hill) and a speaker at industry conferences, such as RSA and MISTI, and holds numerous industry certifications.