* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project
Where Do You Have Cardholder Data? Branimir Pacar Director of PCI & Payment Services /We are a NASDAQ agile EMEA company/ Cognosec Assesses, Designs, Implements and Manages Cyber Resilient Solutions Where do I have CHD and why is it important? Compliance vs. Security Scope of PCI DSS Requirements The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data. PCI DSS v3.2, page 10 Compliance vs. Security “Information security, sometimes shortened to InfoSec, is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical).” https://en.wikipedia.org/wiki/Information_security Compliance vs. Security Security should be the goal, Compliance will be a consequence Defining the scope Concepts that always apply: Systems located within the Cardholder data environment (CDE) are in scope Systems that connect to a system in the CDE are in scope In a flat network, all systems are in scope CDE - The people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data. The primary account number is the defining factor for cardholder data. If cardholder name, service code, and/or expiration date are stored, processed or transmitted with the PAN, or are otherwise present in the cardholder data environment (CDE), they must be protected in accordance with applicable PCI DSS requirements Defining the scope Annually and prior to the annual assessment the assessed entity should confirm the accuracy of the scope Identify the existence of all cardholder data in the environment Verify no cardholder data exists outside of the CDE Assessor will validate that the scope of the assessment is accurately determined Identifying cardholder data Manual vs. automated methods Specialized tools: Enterprise Desktop Open source Free … Manual Cooperation between QSA and client Know the environment Trust but verify Manual cardholder data discovery Work together with your QSA QSA is not working against you Use knowledge and experience QSA has QSA is objective about your environment No other information than what you provide Know the environment Start with the purpose and business model Review the cardholder data flow and network diagrams Review the security documentation Identify the technology used in the environment Understand the internal organization Try to resist “Just in case” urge Test and verify Test known locations to verify information is accurate Test connected systems to verified known locations Wisely determine testing sample Address technology specifics for tested systems Perform negative testing Update the documentation Conclusion Invest time and resources to identify CHD in your environment Proper scoping and CHD identification can save you a lot of time and money Don’t hide CHD from the QSA – you are just saving it for someone to take Thank you! Questions?