With the release of PCI DSS 2.0 comes a new requirement – verifying that you’ve correctly identified the scope of your cardholder data environment. The PCI DSS compliance community believes, as a general principle, that you should limit the scope of your cardholder data environment to the greatest extent possible. This not only reduces the amount of work you will need to do to comply with the PCI DSS standard, but also reduces the overall risk to your organization by limiting complexity.
When a Qualified Security Assessor (QSA) prepares a Report on Compliance (RoC) for your company, they first must identify the scope of their assessment. They’re required to document that they’ve verified your approach in four ways. PCI DSS 2.0 states that they must verify:
- The methods or processes used to identify and document all existences of cardholder data
- How the results were evaluated and documented
- How the effectiveness and accuracy of the methods used were verified
- That the assessor validates that the scope of the assessment is accurate and appropriate
As you prepare your own compliance plan, you should engage in these steps yourself, to ensure that you’ll be ready when the QSA arrives.
Using an Assessment Tool
In working with my clients, I’ve found that the easiest way to verify scope is to search for the presence of cardholder data outside of the defined PCI DSS scope. My technique for doing this is to install a tool on all of the organization’s systems that searches for and reports the presence of credit card numbers.
You have a few options here:
- Use a commercial tool. This is, by far, the easiest approach. While there are a number of very expensive data loss prevention tools available on the market, my preferred choice is IdentityFinder. This is an easy-to-use desktop tool that reports information in a way that users can easily interpret and remediate. It also reports data back to a central console, providing you with administrative oversight.
- Use a free tool. There are some open-source tools available that perform similar tasks. These include Cornell University’s Spider and the SENF Sensitive Number Finder from the University of Texas. While these will save you a few bucks, they’re much less user friendly and lack any centralized administration. I strongly encourage you to go the IdentityFinder route.
- Brew your own. If you have too much time on your hands, you can try building your own tool. If you decide to go this route, you probably want to read more about the Luhn algorithm and how credit card numbers are constructed to help limit your false positive rate.
As you’ve probably figured out by this point, I’m a strong proponent of the commercial tool option on this front. I like the ability to set up IdentityFinder and let it do its thing. Once you sort through the initial results (which can be time consuming), you can leave it alone until it triggers an alert that requires investigation.