Historic Data and PCI DSS – is it in scope?

When conducting a PCI DSS assessment it is important to look at the processes that have been in use historically, as well as the payment applications and procedures that are in use today. On occasion, we are confronted with this question – “We have some legacy data that may include payment card numbers but that’s old data, so it shouldn’t matter too much – should it?”

The long and the short of it is that ALL payment card data should be treated as confidential, not just the data that relates to active customers, or that is generated from the current systems. It is worth remembering that it is not just the electronic data that must be included within the scope of a PCI DSS compliance project but any form of cardholder data. This includes all data that may have been retained either on paper, on microfiche, via recorded telephone calls, scanned images of customer correspondence or receipts, database entries, emails, server logs…..you see where we are coming from? There are many different mediums that can be used to retain data and any one of them could be a repository for cardholder information, and hence in scope for PCI DSS compliance.

Now the rules governing the nature of retained personal data are much stricter, and it is becoming more common for the customer to be aware of these issues. Most transaction receipts you see now show the PAN in a truncated format, and it is predominantly down to the PCI DSS that this has happened. This means we can be a little more blasé about the disposal of these receipts, which is no bad thing.

When conducting the scoping exercise for any new PCI DSS assessment project, it is worth looking at all the means of transacting, and not just the ones in place today. There are many processes that may have produced transaction related data included storing the PAN, (and it is this that we are particularly interested in when scoping the Cardholder Data Environment for a PCI DSS assessment). There are a few questions to ask:

• Have payment cards been accepted using a different process in the past?
• If so, has this process generated any data – either on paper or electronically?
• Does this data contain reference to the payment card Primary Account Number (PAN)? • Is this data still required for legal or governance reasons, (check data retention regs)?
• If not – can this data be securely deleted and removed from scope?

If you have arrived at the conclusion that there IS stored historic data, and it needs to be retained, this data will need to be included within the scope of the PCI DSS assessment and treated accordingly.

In my next blog, we will have a look at how best to tackle the issues of secure storage of legacy data and the various methods that can be employed to do this, and remain compliant with the PCI DSS.

Information Security Consultant, SRM's Principal PCI DSS QSA and Payment Card Industry expert, Paul B is a regular contributor to the SRM blog.

Posted 4 years ago on · Permalink