More Struggles Staying Compliant

I was recently on a conference call with one of our clients.  We are in the middle of conducting their annual PCI compliance assessment.

We were told that they had had an issue with processing of credit cards through one of their locations outside of the United States.  This client's point of sale (POS) environment is consistent throughout the world.  As they were diagnosing the processing problem, application support personnel came across a series of files that contained cardholder data (CHD) in cleartext.  They were shocked, as a couple of years ago they had requested and received a patch from their POS vendor to address this very problem.

So, what happened?  According to the vendor, the patch received years ago only addressed files named according to the organization’s US file-naming standard and not their international file-naming standard.  So, while all of the US systems were patched, their international systems were not fixed.  They do have a patch for this new problem and are rolling it out to all of the POS systems.

What did this organization learn from this event?

  • The organization admits that its QA testing process was flawed.  The testing was only done in their US environment, not in their international environment as well.  From here on, all testing will be done in both environments.
  • All systems will be scanned for cardholder data (CHD) to ensure that any other CHD can be identified and eradicated.  This scanning will include the QA environment after every test to ensure that new patches are not creating PCI compliance issues.
  • A project is underway to develop a wiping program for this POS environment to ensure that all data in deleted files and slack space from the previous incarnation of the POS solution is removed from these systems.

Complying with the PCI standards is an ongoing process.  It is ongoing because the threat landscape changes every day.  In addition, vendors can create unknown problems with their updates and fixes.  The only way to find these issues is to have a complete testing environment and to conduct complete tests of all solutions that process, store or transmit CHD, and then to go back and make sure that the solution does not leave CHD behind.

PCI compliance requires diligence.  Those of you working in this arena need to explain this to management so that they give you the time for that diligence.



If your organization has a PCI opportunity, is in need of assistance with a PCI issue or if you would like the PCI Guru to speak at your meeting, you can contact the PCI Guru at pciguru AT gmail DOT com.


March 2009
