Archive for March 27th, 2009


More Struggles Staying Compliant

I was recently on a conference call with one of our clients.  We are in the middle of conducting their annual PCI compliance assessment.

We were told that they had had a problem processing credit cards through one of their locations outside of the United States.  This client’s point of sale (POS) environment is consistent throughout the world.  As they were diagnosing the processing problem, application support personnel came across a series of files that contained cardholder data (CHD) in cleartext.  They were shocked, as a couple of years ago they had requested and received a patch from their POS vendor to address this very problem.

So, what happened?  According to the vendor, the patch received years ago only addressed files named according to the organization’s US file-naming standard and not their international file-naming standard.  So, while all of the US systems were patched, their international systems were not fixed.  They do have a patch for this new problem and are rolling it out to all of the POS systems.

What did this organization learn from this event?

  • The organization admits that its QA testing process was flawed.  The testing was only done in their US environment, not in their international environment as well.  From here on, all testing will be done in both environments.
  • All systems will be scanned for cardholder data (CHD) to ensure that any other CHD can be identified and eradicated.  This scanning will include the QA environment after every test to ensure that new patches are not creating PCI compliance issues.
  • A project is underway to develop a wiping program for this POS environment to ensure that all data in deleted files and slack space from the previous incarnation of the POS solution is removed from these systems.
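The second lesson above is the one a script can make concrete: the original patch keyed on the US file-naming standard and missed the international files, so a CHD scan must look at file contents, never at file names. The following is an added example written for this post; it is not code from the blog, the client, or their POS vendor. The directory layout, the hypothetical US and international file names, and the PAN values (the standard 4111… and 5555… test numbers) are all constructed, and the function names are my own. It walks a tree, extracts 13 to 19 digit candidates, keeps only those that pass the Luhn check, and reports them masked to first six and last four digits so the scan report itself does not become another cleartext CHD file.

```python
import os
import re
import shutil
import tempfile
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
# The lookarounds refuse runs longer than 19 digits, which are usually
# transaction references or hashes rather than card numbers.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the maximum PCI DSS allows on display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans_in_text(text: str) -> List[str]:
    """Return every Luhn-valid PAN (separators removed) found in the text."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_directory(root: str) -> List[Tuple[str, str]]:
    """Walk root and return (relative path, masked PAN) for each hit.

    Files are selected by content only, never by name, so both the US and the
    international naming conventions are covered without knowing either.
    """
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as f:
                    text = f.read()
            except OSError:
                continue            # unreadable file: skip, do not abort the scan
            for pan in find_pans_in_text(text):
                hits.append((os.path.relpath(path, root), mask_pan(pan)))
    return sorted(hits)


def build_sample_tree() -> str:
    """Create a constructed POS log tree for demonstration.

    File names follow a hypothetical US and a hypothetical international
    convention; PANs are the well-known test numbers, not real cards.
    """
    root = tempfile.mkdtemp(prefix="chd_scan_")
    samples = {
        "US/POSLOG_20090327.txt": "TXN 0001 PAN=4111111111111111 AMT=12.50\n",
        "INTL/tlog-27032009.dat": "TXN 0002 PAN=5555 5555 5555 4444 AMT=9.99\n",
        # 13 digits but fails Luhn: looks like a PAN, is not reported as one.
        "INTL/settle-27032009.dat": "TXN 0003 REF=1234567890123 AMT=3.00\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        for rel_path, masked in scan_directory(sample_root):
            print(f"{rel_path}: {masked}")
    finally:
        shutil.rmtree(sample_root)
```

Run against a real POS tree this would also need to open binary and compressed files, and a QA step like the one the post describes would run it after every patch deployment and fail the test if the hit list is non-empty. The Luhn filter is what keeps the false-positive rate usable: the settlement reference in the constructed sample is thirteen digits long but is never reported.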

Complying with the PCI standards is an ongoing process.  It is ongoing because the threat landscape changes every day.  In addition, vendors can create unknown problems with their updates and fixes.  The only way to find these issues is to have a complete testing environment, to conduct complete tests of all solutions that process, store or transmit CHD, and then to go back and verify that the solution does not leave CHD behind.

PCI compliance requires diligence.  Those of you working in this arena need to explain this to management so that they give you the time for that diligence.
