Here is a question that comes up from time to time, particularly because a lot of my clients are remediating their PCI compliance issues by replacing older applications with PCI compliant new ones.
What do I need to do in regards to PCI DSS compliance if I’m replacing an application?
There is no guidance in the PCI DSS regarding the decommissioning of applications that are in-scope. So what should an organization do when they are getting rid of an in-scope application?
The first problem is the application’s cardholder data. Cardholder data usually ends up everywhere, particularly with systems that are not PCI compliant. Cardholder data is not only on hard disks and disk arrays; it is also on backup tapes and other backup media. In the case of point-of-sale (POS) systems, cardholder data can end up on every POS as well as the POS servers.
The bottom line is that you need to track down all of this cardholder data and make sure that you properly dispose of it. The key problem is making sure you have located all of the cardholder data. You should use this opportunity to scan all of the systems to be decommissioned with a tool to locate cardholder data. While this is not necessarily a perfect technique, it will identify all of those systems that likely have cardholder data and those that do not. Those that do have cardholder data will be remediated first. Those that do not have cardholder data will be remediated last.
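To illustrate the discovery step just described, here is an added example (not code from the original post): a small Python scanner that walks a directory tree, flags digit strings that look like primary account numbers and pass the Luhn check, and reports them masked so the report itself does not become cardholder data. The sample log fragment is constructed for the example, and the test PAN 4111 1111 1111 1111 is a commonly used Visa test number, not a live card.

```python
import re
from pathlib import Path
# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes, standing alone.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)  # double every second digit from the right
        total += d - 9 if d > 9 else d          # and add the digit sum of the doubled value
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid candidate PANs in text, de-duplicated, in order found."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found

def mask(pan: str) -> str:
    """Keep only the first six and last four digits so the report holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk every regular file under root and map path -> masked PANs found in it."""
    hits = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")  # undecodable bytes are skipped
        except OSError:
            continue
        pans = find_pans(text)
        if pans:
            hits[str(path)] = [mask(p) for p in pans]
    return hits

# Constructed sample (not real data): a POS log fragment containing one Luhn-valid
# test PAN (4111 1111 1111 1111) and one 16-digit batch id that fails the Luhn check.
SAMPLE_LOG = (
    "2023-04-01 10:22:31 POS-07 auth ok pan=4111 1111 1111 1111 amt=19.99\n"
    "2023-04-01 10:22:32 POS-07 batch id 1234567890123456 closed\n"
)

if __name__ == "__main__":
    print("PANs in sample log:", [mask(p) for p in find_pans(SAMPLE_LOG)])
```

Running scan_tree over a mounted disk image or restored backup of each system to be decommissioned gives the list of files that put that system in the remediate-first group; a clean result narrows the search but does not by itself prove the absence of cardholder data, since a regex cannot see into encrypted, compressed or proprietary binary formats.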
Since these non-compliant applications typically did not securely store cardholder data, you need to make sure that the data that remains is properly disposed of. That means performing Department of Defense (DoD) grade erasing of data from hard disks and tapes. If the hard drives are old and are not going to be reused, then I would recommend contracting with a reputable DoD certified firm to have them degaussed along with your tapes. Industrial-strength degaussing will usually damage the electronics of the hard drive, so if you intend to reuse the hard drive, do not have it degaussed. If you are going to reuse the hard disks, then they should be erased with a DoD grade disk wiping utility. There are plenty of these available on the Internet.
The next issue is proving that the application is decommissioned. Make sure to document all of the steps you took to ensure that the cardholder data has been removed from all systems. Have management sign off on this documentation so that they are aware of what was done and how it was done. This documentation will be useful for your filing of a Report On Compliance or Self-Assessment Questionnaire, as well as if anything happens in the future that comes back to haunt you.
Hopefully this will assist those of you who are going through such a process to become PCI compliant.