In September, Antti Rantasaari and I delivered our presentation “Escalating Privileges through Database Trusts” at the OWASP APPSEC 2010 conference in CA. The presentation focuses on how to leverage trust relationships between application, database, and system accounts to gain unauthorized access to systems and sensitive data. For those of you who missed it, OWASP was nice enough to record the presentation and make it available at the following link: Presentation Video. I appreciate the OWASP team taking the time to put together the video, but the slides are a little out of sync. Enjoy!
In continuing with my series addressing common compliance hurdles relating to Payment Card Industry (PCI) requirements, I would like to turn to the topic of data retention. Surprisingly, I have found that many organizations struggle with data retention – not just managing and archiving credit card data but even defining appropriate data retention policies. There seems to be a lot of misinformation or at least misunderstanding out there so hopefully this will help clear things up a bit. Requirement 3.1 of the PCI Data Security Standard (DSS) states that cardholder data storage must be minimized and a policy defining the appropriate retention length must be defined. There may be legal or regulatory requirements relating to data retention that must be adhered to. However, in most circumstances, documents containing full primary account numbers (PANs) need not be retained past 90 days, which is typically when chargebacks or disputes occur. If there is no business need to store cardholder data (for instance, so that a third party can supply access to transaction data and provide a mechanism for disputes and chargebacks), merchants should consider purging or redacting PANs stored both electronically and in hardcopy. Simply put: if you don’t need it, get rid of it. Also, keep in mind that masked or truncated PANs are not considered cardholder data and, as such, are not subject to the PCI DSS and can be stored indefinitely. Therefore, redacting all but the first six and last four digits of the PAN is a common method that organizations use to reduce or eliminate cardholder data while still maintaining the ability to reference a particular card or transaction, if necessary. One common misconception deals with retaining financial records for audits. Many organizations end up keeping paid invoices that include complete credit card numbers for several years. However, this is not usually necessary. Financial auditors are interested in seeing records of revenue and expenses, not individual credit card numbers. In light of this fact, a simple change in business process can often significantly reduce burden associated with attaining and maintaining compliance. When it comes to a remediation strategy, the first step in complying with Requirement 3.1 is to define an appropriate data retention policy that is based on business, legal, and regulatory requirements. This will, of course, vary from organization to organization. However, keep in mind that most business models do not require the retention of full PANs for very long after a transaction. Once an appropriate retention period has been determined, an official policy should be documented. Be sure to include any specific legal or business reasons for the selected retention period, as well as a formal method for disposing of both electronic and hardcopy cardholder data once that period has been reached. Finally, implement the policy and purge historical data that exceeds the newly defined maximum retention period. Remember that, in most cases, redacting PANs by blacking them out with a marker, cutting off the credit card section of a form and shredding it, or truncating data in a database is an effective way to reduce the cardholder data that is retained, reduce the risk of a credit card data breach, and meet the intent of PCI requirements.
Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
YouTube session cookie.
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.
Analytics cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
Cookies are small text files that can be used by websites to make a user's experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission. This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.
Discover why security operations teams choose NetSPI.