Decommissioning Applications

Here is a question that comes up from time to time.  Particularly because a lot of my clients are remediating their PCI compliance issues by replacing older applications with PCI compliant new ones.

What do I need to do in regards to PCI DSS compliance if I’m replacing an application?

There is no guidance in the PCI DSS regarding the decommissioning of applications that are in-scope.  So what should an organization do when they are getting rid of an in-scope application?

The first problem is the application’s cardholder data.  Cardholder data usually ends up everywhere, particularly with systems that are not PCI compliant.  Cardholder data is not only on hard disks and disk arrays; it is also on backup tapes and other backup media.  In the case of point-of-sale (POS) systems, cardholder data can end up on every POS as well as the POS servers.

The bottom line is that you need to track down all of this cardholder data and make sure that you properly dispose of it.  The key problem is making sure you have located all of the cardholder data.  You should use this opportunity to scan all of the systems to be decommissioned with a tool to locate cardholder data.  While this is not necessarily a perfect technique, it will identify all of those systems that likely have cardholder data and those that do not.  Those that do have cardholder data will be remediated first.  Those that do not have cardholder data will be remediated last.

Since these non-compliant applications typically did not securely store cardholder data, you need to make sure that the data that remains is properly disposed.  That means performing Department of Defense (DoD) grade erasing of data from hard disks and tapes.  If the hard drives are old and are not going to be reused, then I would recommend contracting with a reputable DoD certified firm to have them degaussed with your tapes.  Industrial strength degaussing will usually damage the electronics of the hard drive, so if you intend to reuse the hard drive, do not have it degaussed.  If you are going to reuse the hard disks, then they should be erased with a DoD grade disk wiping utility.  There are plenty of these available on the Internet.

The next issue is proving that the application is decommissioned.  Make sure to document all of the steps you took to ensure that the cardholder data has been removed from all systems.  Have management sign off on this documentation so that they are aware of what was done and how it was done.  This documentation will be useful for your filing of a Report On Compliance or Self-Assessment Questionnaire as well as should anything happen in the future that comes back to try an haunt you.

Hopefully this will assist those of you that are going through such a process to become PCI compliant.


0 Responses to “Decommissioning Applications”

  1. Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.

December 2009

%d bloggers like this: