Although the Payment Card Industry Data Security Standard (PCI DSS) has been in effect for six years, many businesses are still struggling to achieve and maintain PCI compliance. Within the UK market, many businesses in the retail and hospitality space have been working on their PCI projects for the best part of four to five years but have yet to achieve full compliance across their businesses. This is down to a variety of reasons, but the major challenges have been:
- The sheer size of the project. Most retailers have hub-and-spoke environments in which maximum availability was prioritised, ensuring that customers could always make transactions through their systems, while security was often an afterthought. This approach works very well for maintaining uptime and maximising payment transactions, but it also means that most retailers have very flat networks with little or no segmentation or security controls. As a result the entire network is often deemed in scope for PCI DSS, making the PCI DSS project a considerable challenge.
- Legacy payment systems. Most retailers have an upgrade cycle of five to seven years for their point-of-sale software, to derive maximum benefit from their investment. Payment systems implemented five years ago had considerably less focus on security than they do now; as a result, these legacy systems tend to store significant quantities of cardholder data in unsecured files around the retailer’s network, often without the retailer’s knowledge.
- Knowledge of where cardholder data is stored. More than 90% of the merchants that the Foregenix team has worked with on PCI assessments and forensic investigations over the past four to five years did not explicitly know where they were storing cardholder data in their business. Although they were often aware of the cardholder data flow on paper and of the known storage areas (such as standard files on point-of-sale systems, databases, etc.), they had no visibility outside of that transaction environment. Identifying this unknown, unprotected data is the first step towards defining the PCI DSS scope and reducing the risk of a data compromise. Performing this discovery on a regular basis validates the scope of compliance and ensures cardholder data is not being inadvertently stored outside of the Cardholder Data Environment.
- Cost. Once the scope has been defined, it quickly becomes clear that to apply all of the PCI DSS controls to the entire environment will translate into a very expensive (often prohibitive) project, especially within a traditional retailer or hospitality merchant environment with a flat network.
The Prioritised Approach & Visa TIP
Fortunately, the card schemes and the PCI SSC have recognised some of the challenges that merchants are encountering in becoming compliant. The PCI SSC has recently released version 2.0 of its Prioritised Approach to guide businesses on how to tackle their PCI projects. Meanwhile, Visa recently announced its Technology Innovation Program (TIP), aimed at recognising the investment made by merchants in EMV-compliant payment systems. TIP allows merchants to avoid penalties by achieving milestones 1-4 of the Prioritised Approach (see the Visa Europe website for more information).
The Prioritised Approach consists of the following six milestones:
- Remove sensitive authentication data and limit data retention.
- Protect the perimeter, internal, and wireless networks.
- Secure payment card applications.
- Monitor and control access to your systems.
- Protect stored cardholder data.
- Finalise remaining compliance efforts, and ensure all controls are in place.
The above milestones provide a logical approach to achieving PCI DSS compliance and allow businesses to focus on the most important aspects of the process first, which in turn helps them to significantly reduce the risk of data compromise with the achievement of each additional milestone.
Following the Prioritised Approach, the first milestone concerns removing sensitive authentication data and limiting data retention – in other words, do not store any sensitive authentication data after authorisation; identify the data you are storing and delete what is not needed. Once this first step is complete, the PCI DSS scope is defined as any system that stores, processes or transmits cardholder data, together with any system able to access those systems. This, unfortunately, is where the vast majority of PCI DSS projects fail, as most businesses do not know exactly where their cardholder data is stored.
The Data Discovery Results
Foregenix recently ran a five-month cardholder data discovery project across 40 companies, monitoring on average 10 systems per company, and helped these businesses to identify the following significant volumes of unprotected cardholder data, of which they were largely unaware:
- over 100 million PANs (primary account numbers).
- over 3 million instances of Track 2 data (the contents of the magnetic stripe on the back of a payment card, which, if stolen, allow the card to be cloned).
This project was conducted with companies of varying sizes across a number of sectors, including acquiring banks, retailers, hospitality and ecommerce merchants. The systems analysed in the project were servers, laptops and workstations, providing a broad cross-section of the systems found in today’s commerce-enabled landscape.
The results were staggering for most of the participants and confirmed that they were storing extremely large volumes of unprotected cardholder data in their business systems. Empowered with this knowledge, the companies in this project have since cleaned or secured the cardholder data identified within their business systems and now monitor daily or weekly, using FScout Enterprise, for cardholder data leaking into their business systems.
The Recommendation – don’t store it, if you don’t need it
The recommendation from the PCI SSC and the card schemes is “if you don’t need it, don’t store it”. On this basis the secure deletion of unnecessary legacy cardholder data from the systems in this project has enabled the businesses to:
- Reduce their risk of exposure in the event of a breach or compromise on those systems as there is no longer any data to steal.
- Reduce their PCI DSS scope significantly to exclude the majority of the systems that should not have cardholder data on them in the first place.
FScout Enterprise currently runs daily in most of the above environments, providing assurance to the security teams by monitoring the “sanitised” systems for any further cardholder data leakage. Typically, the Foregenix team sees data leakage occurring in the following scenarios:
- Legacy payment systems that are not PA-DSS validated and thus tend to store unprotected cardholder data.
- Misconfiguration of payment systems that leads to cardholder data leaking into log files and similar locations.
- Changes in business processes (either authorised or unauthorised).
- Malicious behaviour, where an entity has been breached and hackers are harvesting the data.
In each of the above cases, a daily alert from FScout Enterprise enables the business to react quickly to protect their customer data and manage their risk of exposure. Foregenix assists clients by providing guidance on the discovery and monitoring methodology to ensure that they are maximising their risk reduction capabilities while achieving the first milestone of the Prioritised Approach. Once this has been achieved, the scope is defined and it is possible to then begin securing the environment in a PCI compliant manner and following the remaining steps in the Prioritised Approach.
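The discovery step described above (finding PANs and Track 2 data that have leaked into files, logs and databases outside the known cardholder data environment) comes down to a small amount of logic that a practitioner can run over any file. The following is an added example written for this page; it is not FScout Enterprise or any other Foregenix code, and the log lines, the `scan_text`/`scan_file` helpers and the "first digit 3-6" IIN filter are constructed assumptions for illustration. It shows the three checks that separate real card data from the digit runs that fill ordinary logs: a regex for 13-19 digit runs (with the spaces or dashes receipts print), the Luhn mod-10 check that every PAN passes, and a Track 2 pattern keyed on the `;PAN=YYMMSSS...?` layout of the magnetic stripe. Findings are reported masked so the scan report does not itself become a new store of cardholder data.

```python
"""Cardholder-data discovery: PAN and Track 2 detection with Luhn validation.
Added example for illustration; not a vendor tool. Card numbers in the sample
are published test numbers, not real cards."""
import re
from typing import Dict, List

# Candidate PAN: 13-19 digits, each optionally followed by one space or dash
# (receipts and POS logs often print 4111 1111 1111 1111). The lookarounds stop
# us slicing a "PAN" out of the middle of a longer digit run such as a hash.
PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Track 2 as it sits on the magnetic stripe: start sentinel ';', PAN, field
# separator '=', expiry YYMM, 3-digit service code, discretionary data, end
# sentinel '?'. Finding this in a file means full-stripe data is being stored.
TRACK2_RE = re.compile(
    r";(?P<pan>[0-9]{13,19})=(?P<exp>[0-9]{4})(?P<svc>[0-9]{3})[0-9]*\?"
)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; the check digit is the rightmost digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_pan(digits: str) -> bool:
    """Cheap false-positive filters applied before a digit run is reported.
    Assumption: major card IINs start with 3-6 (Amex, Visa, Mastercard/Maestro,
    Discover); tighten this to your acquirer's BIN ranges in practice."""
    return (
        13 <= len(digits) <= 19
        and digits[0] in "3456"
        and len(set(digits)) > 1      # reject 0000..., 1111... style padding
        and luhn_valid(digits)
    )


def mask_pan(pan: str) -> str:
    """First six and last four only, so the report is not itself cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str, source: str = "<memory>") -> List[Dict[str, object]]:
    """Return masked findings (sorted by offset) for one file's contents."""
    findings: List[Dict[str, object]] = []
    covered = []  # Track 2 spans, so the PAN embedded in them is not counted twice
    for m in TRACK2_RE.finditer(text):
        pan = m.group("pan")
        if plausible_pan(pan):
            covered.append(m.span())
            findings.append({"source": source, "offset": m.start(), "type": "track2",
                             "pan": mask_pan(pan), "expiry": m.group("exp")})
    for m in PAN_RE.finditer(text):
        if any(s <= m.start() and m.end() <= e for s, e in covered):
            continue
        digits = re.sub(r"[ -]", "", m.group(0))
        if plausible_pan(digits):
            findings.append({"source": source, "offset": m.start(), "type": "pan",
                             "pan": mask_pan(digits)})
    return sorted(findings, key=lambda f: f["offset"])


def scan_file(path: str) -> List[Dict[str, object]]:
    """Scan a file byte-for-byte; latin-1 never fails to decode, so binary and
    text files are handled alike (UTF-16 content would need a second pass)."""
    with open(path, "rb") as fh:
        return scan_text(fh.read().decode("latin-1"), source=path)


# Constructed sample: a POS log after a misconfiguration switched on raw-swipe
# debug logging. Line 3 is a Luhn-invalid order number that a plain regex would
# flag; line 5 is a correctly masked PAN that must not be reported.
SAMPLE_LOG = """2011-06-14 09:12:03 POS01 AUTH OK pan=4111111111111111 amount=19.99
2011-06-14 09:12:05 POS01 DEBUG raw_swipe=;4111111111111111=2512101123456789?
2011-06-14 09:13:10 POS01 INFO order=4123456789012345 ok
2011-06-14 09:14:22 POS02 AUTH OK pan=5500-0000-0000-0004 amount=5.00
2011-06-14 09:15:01 POS02 AUTH OK pan=411111******1111 amount=7.50
"""


def demo() -> List[Dict[str, object]]:
    return scan_text(SAMPLE_LOG, "pos01.log")


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run daily over the sanitised systems, a non-empty result from `scan_file` is the alert the text describes: a Luhn-valid PAN or a Track 2 record reappearing in a log or a spool directory points at a misconfigured or legacy application, a changed process, or harvesting by an intruder, and the masked report says where without copying the data again.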
If you have a security issue, or requirement, please get in touch with us for assistance on:
+44 (0) 845 3096232 or info@foregenix.com.