August 19, 2016
Guest Perspective: Strategies to Reduce Your Cardholder Data Footprint
By Troy Leach, Chief Technology Officer, PCI Security Standards Council
Data breach investigation reports continue to find that companies suffering compromises were unaware that cardholder data was present on the compromised systems. If you can limit exposure of payment data in your systems, you simplify compliance and reduce the chance of being a target for criminals. By limiting the locations of cardholder data in your network, you can drastically reduce the number of systems to protect, which means your security efforts become more focused and more manageable. And better security will mean simpler compliance efforts. Below I’ve included some best practices for reducing the cardholder data footprint.
Maintain a CHD dataflow diagram . The first step in figuring out how to reduce the attack surface is creating a dataflow diagram. Every organization that adheres to the Council’s Data Security Standards should already have a CHD dataflow diagram in place as detailed in Requirement 1. Dataflow diagrams help identify which systems need protection and may also help when responding to vulnerabilities or a potential compromise.
Once the diagram is created, it is imperative it’s kept up-to-date to reflect the organization’s CHD environment accurately. According to the Ponemon Institute, organizations that were doing more regular audits of the environment actually saved 55 percent overall on their annual cost to comply with PCI DSS. This simple step may save your organization significant expense.
Confirm your segmentation. Often, networks considered out of scope are compromised because of poor segmentation methods. Penetration testing is a critical tool for verifying that appropriate segmentation is in place to isolate the cardholder data environment from other networks and to reduce PCI DSS scope. Be sure to take a look at PCI’s new guidance on penetration testing .
If you don’t need it, don’t store it. By doing so, you eliminate any attack potential a criminal may attempt to exploit. Business process may no longer require storage of track data or primary account number (PAN), and you should verify with your financial partners that all the data you are collecting is truly necessary. Also consider alternatives such as tokenization to permanently remove the CHD thus eliminating the attack surface.
Scoping is only good if it’s done right. And, unfortunately, often not enough time is spent on this critical activity. Also important is the due diligence required to continuously monitor the environment. Don’t assume that the environment has stayed the same. Getting scoping right is critical not only to be secure, but also to get the added benefit of easing your compliance efforts.
Troy Leach is the Chief Technology Officer for the PCI Security Standards Council (SSC). In his role, Leach partners with Council representatives, participating organizations and industry leaders to develop comprehensive standards and strategies to secure payment card data and the supporting infrastructure. He will moderate the panel discussion “ PCI: Baseline, not Failsafe ” at the CNP Expo on May 20th at 2:30 p.m.