I was recently on a conference call with one of our clients. We are in the middle of conducting their annual PCI compliance assessment.
We were told that they had had an issue with processing of credit cards through one of their locations outside of the United States. This client’s point of sale (POS) environment is consistent throughout the world. As they were diagnosing the processing problem, application support personnel came across a series of files that contained cardholder data (CHD) in cleartext. They were shocked, as a couple of years ago they had requested and received a patch from their POS vendor to address this very problem.
So, what happened? According to the vendor, the patch received years ago only addressed files named according to the organization’s US file-naming standard and not their international file-naming standard. So, while all of the US systems were patched, their international systems were not fixed. They do have a patch for this new problem and are rolling it out to all of the POS systems.
What did this organization learn from this event?
- The organization admits that its QA testing process was flawed. The testing was only done in their US environment, not in their international environment as well. From here on, all testing will be done in both environments.
- All systems will be scanned for cardholder data (CHD) to ensure that any other CHD can be identified and eradicated. This scanning will include the QA environment after every test to ensure that new patches are not creating PCI compliance issues.
- A project is underway to develop a wiping program for this POS environment to ensure that all data in deleted files and slack space from the previous incarnation of the POS solution is removed from these systems.
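As an added illustration of the second lesson (scanning systems for CHD that a patch may have left behind), the following is example code written for this post, not the client's scanner or the vendor's patch. It walks a directory tree regardless of file-naming convention, flags digit runs that pass the Luhn check so that serials and reference numbers are not reported as PANs, and masks each hit so the report itself does not become cleartext CHD; the sample files and their contents are constructed.

```python
import os
import re
import tempfile

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits):
    """Mod-10 check: filters out serials and reference numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits):
    """Report only the first six and last four digits so scan output is not itself CHD."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text):
    """Return masked, Luhn-valid PANs found in a block of text."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits

def scan_directory(root):
    """Walk every file under root (US and international naming alike); map path -> hits."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="ignore") as f:
                hits = find_pans(f.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

def demo():
    """Constructed sample tree: US and international POS files, two with cleartext PANs."""
    samples = {
        "us/txn_log.txt": "sale ref=20240101-0001 pan=4111111111111111 amt=12.50\n",
        "intl/transactions_intl.txt": "sale ref=0002 pan=5555 5555 5555 4444\n",
        "intl/config.txt": "terminal_serial=12345678901234\n",  # fails Luhn: not a PAN
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(content)
        return scan_directory(root)
```

Run `demo()` to see the two files that hold cleartext PANs reported with masked values; the international file is found even though its name follows a different convention.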
Complying with the PCI standards is an ongoing process. It is ongoing because the threat landscape changes every day. In addition, vendors can create unknown problems with their updates and fixes. The only way to find these issues is to have a complete testing environment and to conduct complete tests of all solutions that process, store or transmit CHD, and then to go back and make sure that the solution does not leave CHD behind.
PCI compliance requires diligence. Those of you working in this arena need to explain this to management so that they give you the time for that diligence.