Posts Tagged ‘data management’


Decommissioning Applications

Here is a question that comes up from time to time, particularly because a lot of my clients are remediating their PCI compliance issues by replacing older applications with PCI compliant new ones.

What do I need to do in regards to PCI DSS compliance if I’m replacing an application?

There is no guidance in the PCI DSS regarding the decommissioning of applications that are in-scope.  So what should an organization do when it is getting rid of an in-scope application?

The first problem is the application’s cardholder data.  Cardholder data usually ends up everywhere, particularly with systems that are not PCI compliant.  Cardholder data is not only on hard disks and disk arrays; it is also on backup tapes and other backup media.  In the case of point-of-sale (POS) systems, cardholder data can end up on every POS as well as the POS servers.

The bottom line is that you need to track down all of this cardholder data and make sure that you properly dispose of it.  The key problem is making sure you have located all of the cardholder data.  You should use this opportunity to scan all of the systems to be decommissioned with a tool to locate cardholder data.  While this is not necessarily a perfect technique, it will identify all of those systems that likely have cardholder data and those that do not.  Those that do have cardholder data will be remediated first.  Those that do not have cardholder data will be remediated last.
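As an added example (not code from the post or from any particular discovery tool), here is the core of the kind of cardholder data scan the paragraph recommends: find 13 to 19 digit runs, keep only those that pass the Luhn check to cut out order numbers and phone numbers, and report each hit masked to first six and last four so the scan's own output does not become a new store of PANs. The log lines it scans are constructed sample input, not data from the post.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes (constructed pattern)
CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: cheaply rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep at most first six and last four; the full PAN never reaches the report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (offset, masked PAN) for every Luhn-valid candidate in the text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), mask(digits)))
    return hits


# Constructed sample: one real-looking PAN per line 1 and 3 (public test numbers),
# a phone number and a tracking id on line 2 that must not be reported.
SAMPLE = """\
2023-03-01 order=10004567 card=4111 1111 1111 1111 amount=19.99
2023-03-01 phone=612-555-0100 trackingid=1234567890123
2023-03-02 ref=5500-0000-0000-0004 note=cleared
"""

if __name__ == "__main__":
    for offset, pan in find_pans(SAMPLE):
        print(f"offset {offset}: {pan}")
```

A full scanner would walk file systems, database exports and backup media with the same matcher; this block shows only the matching and reporting logic.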

Since these non-compliant applications typically did not securely store cardholder data, you need to make sure that the data that remains is properly disposed of.  That means performing Department of Defense (DoD) grade erasing of data from hard disks and tapes.  If the hard drives are old and are not going to be reused, then I would recommend contracting with a reputable DoD certified firm to have them degaussed along with your tapes.  Industrial strength degaussing will usually damage the electronics of the hard drive, so if you intend to reuse the hard drive, do not have it degaussed.  If you are going to reuse the hard disks, then they should be erased with a DoD grade disk wiping utility.  There are plenty of these available on the Internet.

The next issue is proving that the application is decommissioned.  Make sure to document all of the steps you took to ensure that the cardholder data has been removed from all systems.  Have management sign off on this documentation so that they are aware of what was done and how it was done.  This documentation will be useful for your filing of a Report On Compliance or Self-Assessment Questionnaire, as well as should anything happen in the future that comes back to haunt you.

Hopefully this will assist those of you that are going through such a process to become PCI compliant.


When A Business Fails, Where Does The Data Go?

When Circuit City went out of business recently, where did all of their data go?

I have seen a couple of articles lately on this and thought it would make a good discussion topic in light of PCI compliance and the fact that this topic is not discussed by the PCI DSS.  Given the economic contraction we are in, this will likely become a big point of discussion for the PCI SSC and the card brands.  I have also been part of a couple of going out of business shutdowns, so I can give you some first hand experience of what can happen.

In the case of Circuit City, Systemax, Inc., owners of the TigerDirect and CompUSA brands purchased the online assets of Circuit City and the right to use the Circuit City logos, trademarks and other intellectual property.  However, the Circuit City online presence was only a portion of the total automated presence of Circuit City.  What happened with all of the transaction data from Circuit City’s brick and mortar stores?  From the news releases, it is unclear what happened to the data generated by the stores, so time will tell if this data was handled properly.

From my own experience, what happens to an organization’s data when it ceases to be an organization can be haphazard at best.  The reason is that many of the key people that know where all of the data resides have usually left by the time the liquidation team arrives.  For most organizations of reasonable size, documentation is usually available, but the necessary detail to point out non-obvious locations may not be in any of the available documentation.  The reason for the gaps in documentation is not deliberate or for job security.  It typically occurs because people forget all the details unless they are prompted.  This is why professional documentation analysts can be invaluable, because they are trained to dig out this level of detail for documentation.  Unfortunately, most organizations cannot afford this cost and, as a result, the documentation does not contain all relevant details.

While data obviously resides on servers and data storage systems, organizations can have off-site storage as well as numerous other locations where data can be stored.  I had an organization that had data stored at three different off-site storage vendors.  The reason was that they had had four different CFOs in the last three years and three of those individuals changed off-site storage vendors for reasons of cost and level of comfort with the vendor.  By the time I got there, I was only able to find two of those vendors as they were still transitioning to the new vendor.  I got lucky about the other vendor when I happened to run into a former employee who let me know about the other vendor during our conversation.  Had I not had this fluke of a run-in, I would have never known about the third vendor.

Then there is the documentation related to the applications that store data.  It is difficult enough when the business is running to get people to determine what applications store PCI in-scope data, let alone other personally identifiable information (PII).  However, it is 100 times more difficult when a business is going out of business to locate the important data to ensure that it is handled properly.  Even when a business is going out of business, there is certain data that still needs to be retained for historical or customer service purposes.  While you do the best you can to get it all, I will guarantee you that you will miss something.

And retaining data is not just about doing backups.  You also need to capture the operating system, system software such as any RDBMS, and the application software.  After all, if you only have the data, how do you make heads or tails out of it if you cannot restore the application?  As a result, you need the application and its operating environment in order to ensure you can get at the data intelligently.  However, because of hardware changes, your ability to recover may be severely limited or may become impossible.

Once the data that needs to be retained has been captured and backed up, it is time to properly get rid of the rest of the data by ensuring that data that can be destroyed is properly destroyed.  Just going through and deleting files is not good enough.  If the hard drives will not be sold or fail after being powered down, then they should be physically destroyed.  If the hard drives will be sold for reuse, you need to follow the Department of Defense National Industrial Security Program Operating Manual (NISPOM) standard 5220-220M that states:

“Overwriting is a software procedure that replaces the data previously stored on magnetic storage media with a predefined set of meaningless data.  Overwriting is an acceptable method for clearing.  Only approved overwriting software that is compatible with the specific hardware intended for overwriting will be used.  Use of such software will be coordinated in advance with the Customer.  The success of the overwrite procedure will be verified through random sampling of the overwritten media.  The effectiveness of the overwrite procedure may be reduced by several factors: ineffectiveness of the overwrite procedures, equipment failure (e.g., misalignment of read/write heads), or inability to overwrite bad sectors or tracks or information in inter-record gaps.  To clear magnetic disks, overwrite all locations three (3) times (first time with a character, second time with its complement, and the third time with a random character). Items which have been cleared must remain at the previous level of classification and remain in a secure, controlled environment.”

There are all sorts of shareware programs available for all platforms for conducting NISPOM-compliant disk wipes.  So, there is no excuse for not properly wiping the drives before you sell them off.  While hard drives can be degaussed, I have found that the degaussing process can sometimes cause the controller board or other electronics of the hard drive to fail.  So, if you are reselling the hard drives, I recommend using a DoD-compliant wiping program to ensure that the hard drive is still in working order after the data is destroyed.
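As an added example, not code from the post, here is the quoted three-pass procedure in Python: a character, its complement, then random data, with each pass verified by reading random sectors back before the next one starts. It assumes a file-like target (a constructed temp file stands in for the disk) and, like the quoted text, magnetic media; flash storage remaps blocks, so sampled reads cannot confirm erasure there.

```python
import os
import secrets
import tempfile
from typing import BinaryIO, Callable, Optional

SECTOR = 512          # size of each verification sample
CHUNK = 1 << 16       # write granularity per pass


def overwrite_pass(dev: BinaryIO, size: int, pattern: Optional[bytes]) -> None:
    """One full pass over `size` bytes: the fixed byte in `pattern`, or random data if None."""
    dev.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        dev.write(secrets.token_bytes(n) if pattern is None else pattern * n)
        remaining -= n
    dev.flush()
    os.fsync(dev.fileno())  # push the write to the media, not just the page cache


def sample_ok(dev: BinaryIO, size: int, check: Callable[[bytes], bool], samples: int = 16) -> bool:
    """Random-sampling verification as the quoted standard requires: read `samples` random sectors."""
    span = max(size - SECTOR, 0)
    for _ in range(samples):
        dev.seek(secrets.randbelow(span + 1))
        if not check(dev.read(SECTOR)):
            return False
    return True


def wipe_three_pass(dev: BinaryIO, size: int, char: int = 0x00) -> bool:
    """Pass 1: a character, pass 2: its complement, pass 3: random; each verified before the next."""
    for pattern in (bytes([char]), bytes([(~char) & 0xFF]), None):
        overwrite_pass(dev, size, pattern)
        if pattern is None:
            # random bytes cannot be predicted, so accept a sector only if it looks random
            ok = sample_ok(dev, size, lambda blk: len(set(blk)) > 32)
        else:
            ok = sample_ok(dev, size, lambda blk, p=pattern: blk == p * len(blk))
        if not ok:
            return False
    return True


def demo(size: int = 1 << 20) -> bool:
    """Wipe a constructed temp file standing in for a disk image; True when every pass verified."""
    with tempfile.TemporaryFile() as img:
        img.write(b"constructed placeholder for leftover cardholder data".ljust(size, b"Z"))
        img.flush()
        return wipe_three_pass(img, size)
```

Against a real block device the same functions apply, with the device opened read-write and `size` taken from the device, not a file.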

For magnetic tape, you need to either degauss or destroy the tapes.  If the tapes will not be resold, then they should be physically destroyed.  If they will be resold, I highly recommend hiring a professional company to degauss the tapes before you resell them.  Degaussing is not just running the tapes past a magnet a couple of times.  It requires professional degaussing equipment that costs tens of thousands of dollars to ensure that the magnetic field is strong enough to wipe the bits on all recording surfaces.
