As we begin March, hopefully many of you have made a good start on your transition to PCI 3.0. Today we’re going to talk about another important step: validating your Cardholder Data Environment (CDE.) We talked a few weeks ago about defining your CDE and limiting your scope – steps that are critical to beginning your compliance journey.
Now you’ll need to prove and document those boundaries. This isn’t just a smart compliance practice, but a PCI requirement as well. You can’t just explain the boundaries of your CDE; to meet 3.0 standards you need to prove that the boundaries you’ve defined actually exist.
Testing Your Environment
Your first move will be running cardholder data searches. This is important for several reasons – one of which is that organizations often make dangerous assumptions about where their data is and don’t bother to look beyond that. The inconvenient reality is that payment card information often ends up in rogue locations, so you’ll need to search your entire environment both on the systems where you think it exists as well as on more unlikely places.
If you’re wondering how data could end up in atypical places, the answer is very simple: the human element. Employees often create their own processes or habits to get their jobs done in a way that’s outside of policy, but convenient for them. One might put data in an Excel spreadsheet and save that on a local machine. Someone else might be putting full credit card numbers into emails or notes. It’s impossible to predict the random solutions employees will create to make their own jobs easier, so it’s critical to search everywhere. If you don’t yet have a tool you’re happy with for this, check out the options on the market that allow you to search for certain types of data.
This is also the time to examine your entire system, and review your segmentation controls to ensure that they are actually implemented as you’ve described. Remember, you must ultimately prove that you’ve segmented your networks sufficiently, so get on each network and see if you can get to the others. This will tell you if your segmentation controls are working as they should.
Finally, you also have to put some focus on pen testing. Per 3.0, you need to have a documented pen testing methodology to prove that your segmentation approach is successful. If you haven’t actually done a pen test in a while, now is the time to have someone do one, to make sure you’ll have enough time to address any deficiencies that are found. And of course, you’ll need written documentation proving your validation.