Friday, June 19, 2009

How to Harness the Power of PCI DSS? Tip #2

Inspired by the panels we did on PCI (here, here), I decided to start a series of posts with tips on harnessing the amazing motivating power of PCI DSS for meaningful security improvements. These tips are most useful for those in the trenches who are required to comply with PCI DSS while keeping the systems running and secure, but maybe do not know how, and not to those who whine, bitch, blog and now Twitter their way to infamy…

So, got a nice heavy PCI hammer? Where do you hit for security?


Tip #2 will again focus on something very basic, non-controversial and – we are in luck! – spelled out very clearly in PCI DSS: namely, NOT ever storing certain data. This requirement is also one of the key components of Phase 1 of PCI DSS Prioritized approach (detailed here)

By the way, did you know that “data deletion” represents one of the simplest-yet-effective information risk reduction methods ever invented by the humankind? :-)

This is exactly why this requirement is so important: it is much easier to delete the data and organize your business process based on not having it rather than protect and secure such data (and, yes, some will point at this fact and say “Security FAIL!”)

So, what data can never, ever, ever, ever, ever, ever be persistently stored if you are to have any hope of PCI DSS compliance for your organization [to the best of my knowledge, “storage” in RAM is not considered storage]? The answer is easy:

  1. Full track data from the magnetic stripe, magnetic stripe image on the chip, or elsewhere
  2. CAV2/CVC2/CVV2/CID code, a 3- or 4-digit value printed on the card (explained for laymen here)
  3. Personal identification number (PIN) or the encrypted PIN block.

Here is a reference from PCI DSS document:


Remember, if you are persistently storing ANY of the above (full track, CVV2, PIN), you are NOT PCI DSS compliant and CANNOT BE PCI DSS validated [not legitimately, at least!]. Also see Visa famous DropTheData site.

Finally, this tip results in a simple action item:

  • Find out if you have such data stored.
  • If there happens to be an active business process that results in such data or that relies on having such data, adjust it.
  • Delete the data.
  • Make sure that no accidental/undocumented storage is taking place.

Enjoy decreased data loss risk, courtesy of PCI DSS :-) Also, please remember that stored of prohibited data killed CardSystems back in 2004 (well, that was one of the things…)

Possibly related posts:

Dr Anton Chuvakin