An important part of any PCI compliance program is to establish where in your environment card data is stored. To facilitate this, automated searches of computer systems are often undertaken to find data that contains numeric strings that have the characteristics of payment card data. Anyone who has undertaken such searches knows that the results have to be carefully reviewed to identify false positives. Whilst you certainly want to make sure any discovered card data is handled correctly, equally you want to make sure that any false positives which may be essential for the running of your business are not unnecessarily deleted or redacted.
What should we be searching for?
As searching systems for card data is time consuming, and have the potential for business disruption, organisations tend to perform searches on selected systems that they believe have the potential to contain card data.
Naturally, those searches tend to focus on systems that are configured to store or process card data. Whilst this is a wise approach, it is not necessarily the optimum strategy for identifying systems that contain card data. To understand how things could go wrong, it is worthwhile to think like a programmer. Many programs require user input, and if the user inputs invalid data, then this could have consequences for the running of the program. In fact, hackers can use this technique to try and change the intended behaviour of program to gain access to computer systems. Even non-programmers may be familiar with the mantra “always validate user input”, which involves running code to check that the user input is of a type expected by the software.
How does this approach help with scanning systems for card data?
You have to consider which systems accept any user input from your customer base. Do you have customer care helplines which allow customers to leave recorded messages? Imagine a caller who leaves a message regarding a product that they bought:
“Oh hi, my name is John Doe, I bought a widget from your website yesterday, if it helps, I bought the widget with my credit card, the number is #####################, I have a question about the widget....”
This is not, by any means, an unusual situation; anyone who has done in-depth scanning for card data can testify that this is fairly common. The situation is even worse for web forms. If you have any type of “Contact Us” web page that accepts user input, you should conduct card scans on the web server that hosts such pages or the databases that store the user input. You may be very surprised by the results! Even web forms where each field is strongly labelled to show what type of data is expected is not immune.
Inexperienced web users, or customers who are in a hurry, regularly input their bank card number in a field clearly labelled “Phone Number”, even on web forms that have no relation to any purchasing. End users seem to want to provide as much information as possible in the belief that this will speed up their enquiry; unfortunately the information that they supply is often their bank card details.
Of course, the data from these web pages is not expected to contain bank card details, thus is not stored or handled in line with PCI guidelines by the organisation receiving the data. Once the data reaches the receiving organisation, it is often stored in databases, then copied, unencrypted, into spreadsheets and emailed to other employees or managers. This of course constitutes a breach of PCI guidelines, through no fault on the part of the company handling the data.
These type of situations can be reduced or eliminated by simply understanding the scope of the problem and putting in the necessary controls.
Firstly, you should ensure that any web forms on your public facing systems validate user input. They should explicitly check that the user input does not have the characteristics of card data.
Secondly, you should conduct card scanning exercises on environments that receive, process or store data that is input by your customer base, even on systems that are not designed to process card data. Most organisations provide information security training to their staff. If your organisation stores or processes PCI data, you should seriously consider integrating PCI compliance awareness into those training programmes.
To contact Nettitude's editor, please email firstname.lastname@example.org.