I ran into some situations in the last couple of weeks that are good examples of why organizations need to be diligent in maintaining their PCI compliance and why the annual PCI assessment can assist in that effort. The reason I bring this up is that I’m starting to hear many organizations pushing back on annual assessments as the economy tanks.
In the first instance, we were assessing an application that we had assessed for the last three years and had found to be PCI compliant each time. This is a Web-based application that transmits credit cards to a back end solution that then conducts the transaction and generates a receipt that is passed back to the customer. Last year, the back end application was rewritten to improve its PCI compliance so that a compensating control could be eliminated. We reviewed the new version of the back end application before assessing the Web-based front end. After reviewing all of the documentation, we found the back end application to be PCI compliant. However, when we reviewed the Web application, which had not changed, we found an issue. Unlike in years past, we found credit card numbers in this application’s log file. It turns out that when the new version of the back end application has a problem authenticating a credit card, it returns the credit card number to the Web application, which in turn writes the information to its log file for later debugging of the problem. The organization is in the process of correcting this situation.
In the second instance, the organization’s security personnel were conducting a follow-up on an issue from our last year’s assessment. In following up on that issue, they found that a temporary file that was supposed to be deleted at the end of every transaction was not being deleted. We had investigated the temporary file during the previous year’s review and had confirmed that the file was encrypted and being deleted. However, between the time of our review and the time of the follow-up, something had gone wrong and the temporary file was no longer being deleted. In fact, it had grown to contain a significant number of credit card numbers. Worse yet, the file was being backed up unencrypted. Since the temporary file was never expected to be backed up, they had never ensured that the file would be encrypted on their backups. While they have fixed the deletion problem, the data remains on backups, and this organization is struggling with how to purge the data from backups that are required to be retained.
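Both incidents above came down to card numbers turning up in a file nobody expected to hold them. As an added example (not code from the original post), the following Python script finds Luhn-valid card numbers in text and masks them to first six and last four digits; the same scan can be run over an application log, a lingering temporary file, or a restored backup. The log lines and helper names are constructed for this example.

```python
import re

# Candidate PAN: a run of 13-19 digits, optionally separated by single spaces
# or dashes, not embedded in a longer digit run. A candidate is reported only
# if it also passes the Luhn checksum, which filters out most ids and timestamps.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its masked form."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(_sub, line)

def scan_text(text: str) -> list:
    """Return (line_number, masked_pan) for each PAN found. Works for a log,
    a temporary file or a restored backup read as text."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append((n, mask_pan(digits)))
    return hits

# Constructed sample log. Line 2 mirrors the first incident: the back end
# echoed the card number in an auth-failure reply and the front end logged it.
# Line 4 holds a 16-digit request id that fails Luhn and must not be flagged.
SAMPLE_LOG = """\
2009-03-02 14:05:11 INFO  txn start order=88213
2009-03-02 14:05:12 ERROR backend auth failed: card=4111-1111-1111-1111 order=88213
2009-03-02 14:05:12 DEBUG backend reply {"status":"DECLINED","pan":"378282246310005"}
2009-03-02 14:05:13 INFO  request id 1234567890123456 completed
"""
```

Running `scan_text(SAMPLE_LOG)` flags lines 2 and 3 only; wiring `scrub_line` in front of the logger is the cheaper fix, since it keeps the number out of the file in the first place rather than finding it later.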
Without diligence, these two organizations would likely have ended up with significant problems resulting in an inability to be PCI compliant. However, because these issues were uncovered in a timely manner, both organizations have a better than average chance of addressing these issues and maintaining their compliance.