Volume 1, Issue 6
November 2007
Welcome to The Aegis, a monthly newsletter published by The Aegenis Group. This month's focus is on call centers and backup media. Both are common areas of misunderstanding in the industry and can cause a great deal of confusion, and expense, if not properly understood. This month's issue seeks to shed some light on how data protection may be addressed for these two subjects.
The Aegenis Group encourages you to forward this newsletter to anyone who might be interested in the information it contains.
The Protection of Archived Data
Must it all be rendered unreadable?
Many companies struggle with how to secure backup tapes held in offsite storage facilities. PCI DSS Requirement 3.4 requires that the PAN be rendered unreadable anywhere it is stored, and the requirement explicitly names backup media. To meet the "letter of the law," archived backups must therefore be encrypted (or the PAN on them otherwise rendered unreadable) to be considered compliant.
This is a clear example of a case in which the letter of the PCI DSS and the objectives of the program are not perfectly in sync. We have heard of cases where a QSA required a client to pull all backup media from storage and encrypt it, only to return the media to the same secure facility. From a risk management perspective it makes little sense to remove backup media from a secure facility, where it is not reachable from the network, solely to encrypt it and put it back.
This is one of the requirements for which compensating controls are frequently used. As in any case in which there is uncertainty about the acceptability of a control, work with your acquirer. In most cases, storing the backup media in a manner that satisfies PCI DSS Requirement 9 (physical security) can serve as the compensating control for the lack of encryption. Two caveats apply. First, a compensating control must be documented and must cover the media's whole life cycle, not just the vault: the exposure for tapes is usually in transit and at disposal, and Requirement 9 also governs distribution, courier transport, management approval for moving media, inventory logs, and destruction. Second, the control only addresses media that stays offline; once a backup is restored onto a networked system, the PAN on that system falls back under Requirement 3.4.
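A check that belongs alongside this discussion, whether the stored data is a restored backup, a log extract or a call transcript: before relying on a compensating control, confirm where cleartext PAN actually sits. The scanner below is an added example written for this edition, not an Aegenis or PCI SSC tool. The sample dump lines are constructed; 4111111111111111 is the widely used Visa test number, and the 13 to 19 digit length range with a Luhn check is the standard PAN discovery heuristic. Matches are masked to first six and last four, the maximum PCI DSS Requirement 3.3 permits for display.

```python
"""PAN discovery: find cleartext primary account numbers in stored text.

Added example (not from the newsletter). Candidate digit runs are extracted,
separators removed, and each run tested with the Luhn (mod 10) check, so that
truncated, hashed or encrypted values produce no hit while a full PAN does.
"""
import re
from typing import Iterator, List, Tuple

# PANs are 13-19 digits; spaces or dashes commonly appear inside a number.
# The pattern is deliberately loose; the Luhn check does the filtering.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (offset, pan) for every Luhn-valid 13-19 digit run in text."""
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            yield m.start(), digits


def mask(pan: str) -> str:
    """Truncate a PAN to first six and last four, the most Requirement 3.3 allows on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines) -> List[Tuple[int, int, str]]:
    """Scan an iterable of text lines; return (line_no, offset, masked_pan) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for off, pan in find_pans(line):
            hits.append((n, off, mask(pan)))
    return hits


# Constructed sample standing in for a restored backup extract.
SAMPLE_DUMP = [
    "order=10045 pan=4111 1111 1111 1111 exp=1209 name=J SMITH",       # cleartext PAN
    "order=10046 pan=411111******1111 exp=0110 name=A JONES",          # truncated: no hit
    "order=10047 pan=1234567890123456 exp=0409 name=B LEE",            # 16 digits, fails Luhn
    "order=10048 pan_hash=5e884898da28047151d0e56f8dc6292773603d0d",   # hashed: no digit run
    "ticket=20071115 phone=555-0100-1234",                              # short runs only
]

if __name__ == "__main__":
    for line_no, off, shown in scan_lines(SAMPLE_DUMP):
        print(f"line {line_no} offset {off}: cleartext PAN {shown}")
```

Treat hits as leads rather than proof: some non-card identifiers also pass Luhn, so each match needs a look. The converse is the useful property here: a backup or transcript whose PANs are truncated, hashed or encrypted returns nothing, which is exactly the evidence a QSA wants when deciding whether Requirement 3.4 is met or a compensating control is needed.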
Aegenis Tips & Tricks
Call Centers and Compliance
During the past 12 months, cardholder data retained in voice recordings has been a difficult question.
The scenario plays out as follows. Merchant X outsources call center support to Company Y. Company Y records all customer calls, including those in which purchases are made. During these conversations the Cardholder Name, Primary Account Number, and CVV2 (or equivalent) are recorded. The question then becomes: can this data be retained, and if so, must it be encrypted?
PCI DSS Requirement 3.2 states that sensitive authentication data must never be stored subsequent to authorization. Retaining a recording that contains the CVV2 after authorization is a direct violation of this requirement, and it is one of the areas in which compensating controls cannot be used.
PCI DSS Requirement 3.4 states that the PAN must be rendered unreadable wherever it is stored. Retaining an unprotected recording of the PAN from a customer service call would make the company non-compliant with this requirement as well.
To address this situation, take the following steps:
1. Email the PCI SSC at info@pcisecuritystandards.org and ask for their position statement on voice recordings of cardholder data. This will provide an interpretation of the specific requirement.
2. Contact your acquirer as soon as possible to understand their position on the requirement. Because acquirers are responsible for the compliance of their merchants, they assume the risk, and their views may differ from those of the PCI SSC.
In general, if there is a way to avoid capturing the data, or to remove or encrypt it afterwards, the company has an obligation to do so: for example, pausing the recording while the card details are read, or redacting that segment before the recording is retained. Digital recordings can be searched and edited, so this obligation applies to them in full. If the recording is linear or analog and cannot practically be searched or edited, it can generally be protected by the physical controls of Requirement 9. The most important step, though, is to check with your acquirer.
Company Profile
GSI Hosting: A Compliant Hosting Environment
The Aegenis Group has had the privilege of examining many products and services to determine their impact on compliance. As a service to our readers, The Aegenis Group will occasionally profile those companies to increase awareness of solutions that enable compliance. The first such company to be profiled is GSI Hosting.
About GSI Hosting:
GSI's CompliantHost.com brand offers a mature ITIL (Information Technology Infrastructure Library) managed hosting service structure that includes stringent change management controls, comprehensive system operating procedures, and a mature operating framework to help your organization achieve and maintain compliance with PCI, CISP, SDP, Sarbanes-Oxley, SAS 70 Type II or HIPAA.
GSI has developed a mature implementation and datacenter migration strategy to enable you to smoothly transition your IT operations into one of GSI's facilities, while at the same time bringing your systems into compliance with the latest security and IT operating standards. GSI Hosting is listed as a CISP-compliant service provider and undergoes PCI DSS assessments annually.
Aegenis Relationship:
The Aegenis Group assessed the GSI Hosting environment and their services to evaluate their impact on PCI DSS compliance. The finding of the evaluation was that GSI Hosting and their services were able to support the PCI DSS compliance of their customers. The Aegenis Group created a paper that describes the manner in which GSI Hosting addresses both their own compliance and that of their customers. To read the paper, click here.
Industry Events and Happenings
Consumer Data Security Executive Meeting - November 15-16 in Las Vegas, NV
NACHA The Institute for International Payments - November 27-29 in Atlanta, GA
Source Media Conference/Tech Forum for Banks - December 2-4 in Phoenix, AZ
About The Aegenis Group
The Aegenis Group is dedicated to helping companies navigate the choppy waters of data security, information risk, and privacy regulation. The Aegenis Group believes that understanding not just the regulatory mandates themselves, but their total impact on the business environment, can be a compelling tool for business enablement. From understanding the ways in which your products and services can protect sensitive data to making the right compliance decisions for your business environment, The Aegenis Group can assist your company in facing the risks of an increasingly complex business landscape.
Sincerely,
The Aegenis Group
Aegenis Client Advisory Council (ACAC)
If you would like to have input on new products and services for the Payment Card Industry, join the Aegenis Client Advisory Council (AC2). Take part in anonymous product and messaging surveys that can impact the way that vendors serve your market's needs. Your information will not be provided to vendors. For more information send us an email at info@aegenis.com.
Upcoming Aegenis Events
Consumer Data Security Executive Meeting - November 15-16 in Las Vegas, NV
Read Articles by The Aegenis Group
Principals of The Aegenis Group write and speak frequently in the industry. Here are links to recent articles written by Principals of The Aegenis Group:
Dr. Mark frequently writes for Transaction World. Access her articles here.
Miss an Issue of The Aegis?
The Aegenis Group now posts archived versions of the newsletter on the website. To see past issues of The Aegis, click here.