Why Staying Compliant Can Sometimes Be Difficult

I ran into some situations in the last couple of weeks that are good examples of why organizations need to be diligent in maintaining their PCI compliance and why the annual PCI assessment can assist in that effort.  The reason I bring this up is that I’m starting to hear many organizations pushing back on annual assessments as the economy tanks.

In the first instance, we were assessing an application that we had assessed for the last three years and had found to be PCI compliant each time. This is a Web-based application that transmits credit cards to a back end solution that then conducts the transaction and generates a receipt that is passed back to the customer. Last year, the back end application was rewritten to improve its PCI compliance so that a compensating control could be eliminated. We reviewed the new version of the back end application before assessing the Web-based front end. After reviewing all of the documentation, we found the back end application to be PCI compliant. However, when we reviewed the Web application, which had not changed, we found an issue. Unlike in years past, we found credit card numbers in this application’s log file. It turns out that when the new version of the back end application finds an issue authenticating a credit card, it returns the credit card number to the Web application, which in turn writes the information to its log file for later debugging of the problem. The organization is in the process of correcting this situation.

In the second instance, the organization’s security personnel were conducting a follow-up on an issue from our last year’s assessment. In following up on that issue, they found that a temporary file that was supposed to be deleted at the end of every transaction was not being deleted. We had investigated the temporary file during the previous year’s review and had confirmed that the file was encrypted and being deleted. However, between the time of our review and the time of the follow-up, something had gone wrong and the temporary file was no longer being deleted. In fact, it had grown to contain a significant number of credit card numbers. Worse yet, the file was being backed up unencrypted. Since the temporary file was never expected to be backed up, they had never ensured that the file would be encrypted on their backups. While they have fixed the deletion problem, the data remains on backups, and this organization is struggling with how to purge the data from backups that are required to be retained.

Without diligence, these two organizations would likely have ended up with significant problems resulting in an inability to be PCI compliant.  However, because these issues were uncovered in a timely manner, both organizations have a better than average chance of addressing these issues and maintaining their compliance.

March 2009