Truvantis Blog

Preventing Scope Creep in PCI Compliance

QSAs have to validate the scope of a PCI assessment. It is one of the biggest areas of contention, but limiting scope is of paramount importance to reducing the complexity of an assessment. One of the ways in which QSAs are encouraged to validate scope is to have the client run a cardholder data (CHD) discovery tool over the entire environment (not just the expected Cardholder Data Environment (CDE)) to discover any unexpected CHD, and then either bring those people, processes and tools into scope, or get them excluded and their access to CHD removed.

We were told in the PCI Qualified Security Assessor (QSA) class that a common area for clients to overlook is the requirement for redaction of any inadvertent CHD. For instance, customers sending mail of the form "please bill my CC ...", or a message to a hosting provider's helpdesk such as "I'm having trouble accessing this database (full of CHD), please help", can bring mail servers and recipients, or helpdesk staff respectively, into the scope of a PCI assessment and make it more complicated than it needs to be. PCI 3.1 added SMS devices explicitly to the possibilities for unauthorized collection and storage of CHD. Sections 3.1.b and 4.1.a of the PCI DSS standard are highlighted as very easy ones to overlook when determining scope, with "for all locations of CHD" being the operative phrase.

If the recipient of an "unexpected" set of CHD actually acts on the request or data, by charging an amount to the card given, they have created a de facto process which is not documented, monitored, under change control, or auditable in any of the other ways that PCI compliance requires. Furthermore, the CHD in an e-mail or SMS is unlikely ever to be masked or deleted, further expanding the possibilities of compromise in a breach.

A simple test is to send yourself e-mail, one from outside your perimeter and another from within it, containing a dummy card number (with and without an expiration date) and watch how those mails are processed. Best practice has a tool that blocks the offending mail at the mail gateway, sends a warning back to the sender that the content is inappropriate, and sends another notification to the intended recipient that inadmissible content was blocked in an email from the named sender. That way either side can initiate remedial actions.

Another frequent area of surprise in assessments is the discovery of spreadsheets, or other unstructured data files, full of unredacted or unmasked CHD. Therefore a pre-assessment test that can help ensure your scope isn't creeping outwards is to run a CHD discovery tool. Some tools, while having impressively long lists of pre-programmed file extensions to include in their search for CHD, still manage to miss some obvious ones such as .csv, .iso, .tar, .rar, .zip, .7z, any flat file types such as databases, and all the variants of .doc and .xls. We strongly advise looking at the pre-programmed list and adding in any file types commonly found in your organization. Unfortunately, these tests generate lots of false positives, so allow enough time to research them all and ensure that there are no real positive results. The QSA is likely to request the results of that test to satisfy requirement 4.1.a in the Report on Compliance.
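Both tests described above, the dummy-card e-mail and the discovery scan over unstructured files and archives, come down to the same thing: recognising a PAN reliably while keeping the false-positive list manageable. The script below is an added example written for this post, not Truvantis code and not any commercial discovery tool. It assumes PANs of 13 to 19 digits, either unformatted or written in 4-4-4-4 / 4-6-5 groups with one consistent separator, uses the Luhn mod-10 check to discard random digit runs such as ticket or phone numbers, and scans by content rather than by extension so that .csv, .zip, .tar and zip-based Office formats are covered without an extension list. The sample files it builds in a temporary directory are constructed and use well-known public test card numbers; findings are reported masked (first six, last four) so the scan report does not itself become CHD.

```python
"""Added example: content-based cardholder-data (PAN) discovery scanner.
Not Truvantis code and not any commercial discovery tool; sample files are constructed."""
import io
import re
import tarfile
import tempfile
import zipfile
from pathlib import Path

# Assumed PAN formats: an unformatted run of 13-19 digits, or 4-4-4-4 / 4-6-5
# groups with one consistent separator. Lookarounds stop partial matches inside
# longer digit runs; \1 forces the same separator throughout.
PAN_PATTERNS = [
    re.compile(r"(?<!\d)\d{13,19}(?!\d)"),
    re.compile(r"(?<!\d)\d{4}([ -])\d{4}\1\d{4}\1\d{4}(?!\d)"),
    re.compile(r"(?<!\d)\d{4}([ -])\d{6}\1\d{5}(?!\d)"),
]


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: rejects most random digit runs (phone, ticket, order ids)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show at most the first six and last four digits, so findings are not themselves CHD."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked PANs found in text: regex candidates that also pass Luhn."""
    found = []
    for pattern in PAN_PATTERNS:
        for match in pattern.finditer(text):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                found.append(mask_pan(digits))
    return found


def scan_bytes(data: bytes, source: str, hits: dict) -> None:
    """Scan a blob by content, not extension: recurse into zip/tar containers
    (.docx/.xlsx are zips too), otherwise treat it as text, dropping undecodable bytes."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if not name.endswith("/"):
                    scan_bytes(zf.read(name), f"{source}!{name}", hits)
        return
    try:
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            for member in tf.getmembers():
                if member.isfile():
                    scan_bytes(tf.extractfile(member).read(), f"{source}!{member.name}", hits)
        return
    except tarfile.ReadError:
        pass  # not a tar archive: fall through and treat as text
    pans = find_pans(data.decode("utf-8", errors="ignore"))
    if pans:
        hits[source] = pans


def scan_tree(root) -> dict:
    """Walk every regular file under root; keys are paths relative to root."""
    root = Path(root)
    hits: dict = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            scan_bytes(path.read_bytes(), path.relative_to(root).as_posix(), hits)
    return hits


def build_sample_tree(root) -> None:
    """Constructed sample data: public test card numbers plus one non-Luhn decoy."""
    root = Path(root)
    (root / "customers.csv").write_text("name,pan,expiry\nAlice,4111111111111111,12/26\n")
    (root / "notes.txt").write_text("ticket 1234567890123456 opened, call 555-0100\n")
    with zipfile.ZipFile(root / "archive.zip", "w") as zf:
        zf.writestr("export.csv", "id,card\n7,378282246310005\n")
    payload = b"INSERT INTO orders VALUES (1, '4111 1111 1111 1111');\n"
    with tarfile.open(root / "backup.tar", "w") as tf:
        info = tarfile.TarInfo("orders.sql")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))


def demo() -> dict:
    """Build the sample tree in a temp dir and return the masked findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for source, pans in demo().items():
        print(f"{source}: {', '.join(pans)}")
```

Run stand-alone, the script reports hits inside the CSV, inside the zip and inside the tar, and nothing for notes.txt, whose 16-digit ticket number fails Luhn. The same `find_pans` function is what a mail-gateway rule for the e-mail test above would call on the message body; a production tool would additionally need to decode attachments, handle compressed tar variants and other archive formats (.rar, .7z, .iso), and still leave a human to confirm each remaining hit, since Luhn alone does not eliminate every false positive.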
