PCI 3.0, Part 3: Validating Your Cardholder Data Environment
Apr 14, 2014 5:00 AM PT
As spring gets under way, most e-commerce businesses already are preparing for their 2015 PCI audit. If you're one of them, you know that plenty of changes are afoot when it comes to meeting 3.0 compliance requirements.
Remember, compliance itself does not equal security, but rather is a reporting function of your security program. It is both a mandatory part of meeting 3.0 standards and a critical step toward improving your security posture.
As an e-commerce business, your top priority is protecting cardholder data and your brand reputation -- and validating your CDE is an important part of that. In a nutshell, you'll need to prove that the CDE boundaries you've defined actually are effective; you'll also have to illustrate the adequacy of any segmentation efforts.
Where's the Data?
If you followed the steps suggested in PCI 3.0, Part 1: Breathe, Relax, Get Compliant, you've already identified all relevant people, processes and technology involved in your cardholder data. You've also taken inventory of all hardware and software systems and devices in the CDE, and created network and data diagrams that outline connections and the flow of payment data through your environment.
You might be using network segmentation to isolate cardholder data. Now it's time for you to ensure all of your new controls are working successfully -- and you'll do this by running cardholder data searches, reviewing your segmentation controls, and building an appropriate pen-testing methodology.
This can be a risky area for many e-commerce organizations. Why? Because many assume they already know where their cardholder data is. Convinced they know where and how payment card data flows through their system, they tend to test only some of their systems.
Meanwhile, lost data in rogue locations puts the organization at risk for unauthorized access, failed audits and disastrous fines. To accurately validate your CDE, you must prove your data is in the correct systems and nowhere else -- and that means searching across the entire enterprise.
Testing Your CDE from A-Z
The best starting point is running cardholder data searches. Remember that the CDE includes people and processes as well as technology -- because that's exactly where data often goes off track.
Consider, for instance, an employee who decides to create an individual process that makes his job easier. Maybe he decides to create a separate list of full card numbers, written down by hand or stored on a spreadsheet, for easy reference. He's not aware this violates company policy; he's simply trying to make his job easier.
Because it's a random decision, there's no way for the IT team to know about it. If they run an exhaustive search across the entire environment, they'll find that data; if they skip the systems where they believe there's no data, they may be oblivious until it's too late.
That's just one example of why searching your entire system is mandatory. (If you're not already using one, I recommend one of the several reliable tools on the market that can search for specific types of data.)
Check every location and component possible, and confirm that your diagrams match your actual CDE. Also be sure to review all segmentation controls, including firewall rules and router and switch ACLs. Finally, confirm that your diagrams reflect your real cardholder data flows by tracking the data path of real transactions.
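The enterprise-wide cardholder data search described above comes down to one mechanism: find every run of 13 to 19 digits, keep only those that pass the Luhn check (which screens out order numbers and other numeric data), and report the hits without re-exposing the card number. The following is an added example written for this column, not a tool the article recommends; the file extensions, the masking format and the sample export are assumptions, and the sample data is constructed from public test card numbers.

```python
"""Cardholder data discovery: locate Luhn-valid PANs in text and in every file under a path."""
import re
from pathlib import Path
from typing import Iterator, List, Tuple

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run (a 20-digit sequence is not a PAN).
PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first 6 and last 4 digits so a finding can be reported without copying the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return masked PANs found in text; the Luhn check filters out other digit runs."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan_tree(root: Path,
              extensions=(".txt", ".csv", ".log", ".xml", ".json")) -> Iterator[Tuple[Path, int, str]]:
    """Walk every file under root (not only the systems believed to hold card data)
    and yield (path, line number, masked PAN) for each hit. Extension list is an assumption."""
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        with path.open("r", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                for masked in find_pans(line):
                    yield path, lineno, masked


# Constructed sample: an employee's "convenience" export mixing real-looking PANs
# (public test numbers) with an order number and a phone number that must not match.
SAMPLE_EXPORT = """customer,note,card
Alice,order 1234567890123456,4111 1111 1111 1111
Bob,phone 555-0100,5555-5555-5555-4444
Carol,ref 4111111111111112,none
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_EXPORT):
        print("PAN found:", hit)
    # To search a real tree: for path, lineno, masked in scan_tree(Path("/data")): ...
```

Two caveats a practitioner would raise: a Luhn-valid number is not always a PAN, so every hit still needs a human look, and a plain text scanner will not see inside a spreadsheet file (an .xlsx is a zip archive), a database or process memory, which is exactly where the hand-built lists in the example above tend to live. The commercial discovery tools the column mentions parse those formats; whichever tool you use, the point of this example is that the scan has to run over every system, not only the ones on your data-flow diagram.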
Your next step is pen testing. In addition to proving the legitimacy of your network boundaries, pen testing can turn up weaknesses in your system. For this reason, it's best to have a pen test conducted earlier rather than later, so you can correct any deficiencies.
While it's not a requirement, the best results always come from a test administered by an outside party -- so consider this an important option. Also, be aware that 3.0 requirements are quite specific on the type of pen-testing methodology you should use, regardless of whether you're building your own methodology internally or hiring an outside vendor to do the pen test.
Proving the Power of Your Security
After doing all of this testing, you'll need to document everything and offer written demonstrative evidence of your validation. You'll need to prove that your boundaries are working effectively and protecting your cardholders, that your pen-testing methodology includes both public-facing and administrative applications, and that it aligns with 3.0 requirements.
No doubt this sounds like a lot of work -- but remember that validating your boundaries will benefit your organization long after you pass your 2015 audit. After all, airtight security is the top priority for e-commerce businesses that want to protect their customers while building a brand reputation as the company to trust.
Stay tuned for PCI 3.0, Part 4.