Is That Your Data That Just Walked Out the Door?

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

There are a couple of lessons all merchants should take from the unauthorized release of confidential diplomatic cables by WikiLeaks. The first is that the use of personal technology—both computing devices and storage media—increases the risk of a data compromise. The Pentagon's practice of banning flash drives didn't stop somebody from bringing in a fake Lady Gaga greatest hits CD (which was the likely attack vector).

Another lesson is that the use of sophisticated personal technology is increasing, and with it comes further risk of a data leak. Many employees are returning to work in this new year with all manner of shiny new laptops, tablet computers, smartphones and other personal devices that Santa dropped off. Many of these devices will connect to your corporate network in some fashion and then to the Internet, where they will send, receive and process E-mail and other files.

From a PCI point of view, these devices increase your risk, and that is why they are already included in PCI 2.0. However, what is new is that with the changes in PCI version 2.0, all this personal technology might expand your PCI compliance effort, too. The reason is that under version 2.0 each merchant needs to "confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data and ensure they are included in the PCI DSS scope." If you have more devices, you have more endpoints and more possible "locations and flows of cardholder data." Imagine your network diagram if it included every mobile device for every user in your organization.

The outcome is that every merchant and processor will want to document the full range of employee-owned devices that might access, store, process or transmit cardholder data, and then include them in the scope of their PCI assessment. The good news is, the scoping instructions included with PCI version 2.0 (see page 10) identify the steps to determine and document your scope. The bad news is, each step will be affected by the expanded use of these personal technologies.For example, the first and probably most important step is to find all the cardholder data. You must then verify that no data exists outside of the cardholder data environment (CDE). Proving a negative (no other cardholder data exists) is never easy. But verifying that fact in the face of the widespread use of personal technology devices will be that much more difficult. IT managers and maybe their QSAs will need to take the time to verify that they have located all their cardholder data.

A solution that seems to make sense is to update your policies to reflect the new reality and to increase training to enforce those policies. I say this because every security professional knows in their heart that business needs always trump security dictates. Therefore, we need to accommodate these devices while maintaining PCI compliance.

To be sure, many security requirements for personal devices are already addressed in the DSS. For example, Requirement 1.4 states that employee-owned computers that can connect directly to both the Internet and your corporate network need to have a personal firewall (one that the employee cannot disable).

In addition, Requirement 12.3 mandates usage policies for a number of technologies, including remote-access technologies, wireless technologies, removable electronic media, laptops, tablets, personal data/digital assistants (PDAs), E-mail usage and Internet usage. This policy can be a pretty good guide.

It is worth noting that PCI version 2.0 revised a part of Requirement 12.3, and it looks like the Council had the spread of personal technology in the workplace in mind. The requirement (12.3.10) now stipulates that your policy cover the following: "For personnel accessing cardholder data via remote-access technologies, prohibit copy, move and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need." It was those last words about "explicitly authorized" that were added.

Like so much of PCI, this sounds simple. But it can be difficult to implement. I haven't got any magic answers. Still, it seems as though increased employee awareness and specific training that addresses all those new smartphones and tablets will go a long way to meeting this requirement. That training will also go a long way toward making an organization more secure and reducing the chance of a data breach.

What do you think? I'd like to hear your thoughts. Either leave a comment or E-mail me at [email protected].