Card Holder Data (CHD) discovery tools are becoming essential for identifying insecure locations of sensitive data. Since December 2013, a series of data breaches resulting in the loss of over 100 million credit card numbers has been reported at some of the largest retailers in the US. And this is only the beginning, as cybercriminals target CHD in Australia and overseas.
You can’t expect to adequately protect data if you don’t have knowledge about what data exists, where it resides, its value to the organisation, and who can use it. Finding information within a single database is cumbersome but now multiply that problem across financial, HR, business processing, testing, and decision support databases — and you have a huge challenge. Criminals don’t really care whether they steal data from production servers or POS machines — whichever is easier.
Most businesses think they know what is in their databases, but the reality is that a significant portion of them are not fully aware of what is in their databases and other network locations. They have been told by programmers, application developers, and system and database administrators that no credit card data is stored in their databases; most companies believe that and continue with their PCI compliance efforts as usual.
However, when you delve a little deeper you will very frequently find CHD in:
- development databases,
- testing or QA databases,
- "just a backup for that rainy day" databases,
- database dumps and backups,
- card numbers written to "debug" log files,
and so many other unintended stores of cardholder data that are simply lost in the cogs of the machine.
Any organisation that needs to be PCI compliant must definitively prove their compliance with standards and practices in place. PCI DSS 3.0 clearly states:
- Requirement 3 – Protect Stored Cardholder Data
- Requirement 7 – Restrict Access to Cardholder Data
Now the question is, how can you be sure that you are not violating PCI DSS?
Cardholder data discovery is the process organisations use to analyse the contents of workstations and servers, including memory and storage on retail POS systems, to verify that no credit card details are stored unprotected. The concept follows a fundamental rule within PCI DSS 3.0, which requires organisations to first understand what credit card data is being stored, remove any data that is not required, and then take action to secure the remaining data.
The only real way to be sure there is no CHD lurking around (intended or unintended) in your environment is a thorough search using comprehensive software that looks for card data in file systems (workstations, servers, file shares, NAS, SAN, etc.) and databases (SQL Server, Oracle, MySQL, Postgres, Sybase, MS Access, etc.).
Numerous studies have shown that looking for unencrypted credit card data at rest plays a vital role in protecting customer payment data. Most studies show that it is not the data in transit that is the issue. For Requirement 3, of all the breaches reported in the "Verizon 2014 PCI Compliance Report," not even one involved cardholder data "in transit." In addition, 82% of organisations suffering a breach did not have Requirement 3 in place. The price companies pay for skimping on data discovery assessments has profound ramifications for their brand and business success, and ultimately fatal financial repercussions.
Common risks we see all too often that you should be aware of:
- Payment gateways send and receive encrypted information to and from the merchant server, but due to misconfigured gateways, card data ends up being dumped in a text or XML file.
- Due to the adoption of cloud synchronising technologies like iCloud, Google Drive, etc., payment data stored on the desktop is constantly synchronised with smartphones and tablets, extending beyond the perceived corporate perimeter.
- Email is easily the number one location where card data is discovered, found on over 80% of endpoints.
Treating card holder data discovery as a priority rather than a luxury can be a huge step to help promote customer data protection and prevent your business becoming yet another data breach headline. However, it is important to be aware that not all card holder assessments are so easily addressed. Card data residing on smartphones, tablets, laptops or other BYOD computing endpoints should not be overlooked. There is so much to consider when looking at card holder data discovery because undiscovered cardholder data jeopardises PCI compliance and is a massive exposure to an organisation. Are you willing to take the risk?
Card data discovery tools are essential both at the beginning of a PCI DSS project and after compliance is achieved, to ensure security and compliance are maintained.