A quick guide to data discovery for QSAs
PCI DSS 4.0.1 is the latest evolution of the card data security standard that has revolutionized the payments industry. Of the 64 controls introduced at the release of PCI DSS v4.0, eight are directly supported by data discovery. In this post, we'll provide a quick guide to data discovery for PCI QSAs.
QSAs are familiar with recommending data discovery as a first step towards compliance for many organizations, helping to establish the initial scope and define the cardholder data environment (CDE). QSAs are also used to managing the annual task of revalidating a client’s scope during the assessment. Too often, that has been an effort led by the assessor as they’re about to go onsite. This is set to change with the release of PCI DSS 4.0, which made scoping the direct responsibility of the merchant or service provider under requirement 12.
Data discovery scanning has the potential to support compliance with 27 controls across four requirements of the new standard. This guide explains how, and how PCI QSAs can use discovery scanning to make the assessment process more efficient and effective.
Key controls supported by data discovery for QSAs
The table below provides a summary of the key PCI DSS controls supported by data discovery:
Controls | How data discovery supports compliance
--- | ---
Requirement 1: Install and maintain network security controls |
1.2.3, 1.2.4 | Data discovery scanning can be used to validate the network boundaries of the CDE, as well as to demonstrate that data flows map account data accurately.
Requirement 3: Protect stored account data |
3.2.1, 3.3.1, 3.3.2, 3.3.3, 3.4.2 | Data discovery scanning identifies any cardholder data, including sensitive authentication data, wherever it is stored. Periodic discovery scanning can be used to confirm that data has been deleted when it has exceeded its retention period. Organizations that store sensitive authentication data must be able to verify that it is removed following authentication, or when no longer required.
Requirement 6: Develop and maintain secure systems and software |
6.5.2, 6.5.5 | Verifying that a significant change has not impacted scope boundaries, and that CHD is not present in non-production environments, is supported by data discovery scanning.
Requirement 12: Support information security with organizational policies and programs |
12.4.2, 12.5.1, 12.5.2, 12.5.3, 12.10.7 | Data discovery scanning can be used to confirm that operational procedures involving cardholder data are being followed so CHD remains in the CDE. As part of periodic scope revalidation and following organizational change, data discovery scanning is essential to confirm in-scope systems, network boundaries, data flows and data repositories. Advanced discovery solutions support remediation-in-place for data found in unexpected locations.
Requirement 1: Install and maintain network security controls
Supported controls: 1.2.3, 1.2.4
For organizations: Data discovery scanning helps organizations define the network boundaries of the CDE, identifying in-scope system components and confirming data flows for their card handling processes.
For assessors: Reports generated from scans can be used as documented evidence validating the accuracy and completeness of network and data flow diagrams, as well as asset inventory lists, locations of stored data and more.
Requirement 3: Protect stored account data
Supported controls: 3.2.1, 3.3.1 (3.3.1.1–3), 3.3.2, 3.3.3, 3.4.2
For organizations: Organizations need to know where their data is in order to protect it. Periodic data discovery scanning helps them locate their data stores and detect account data appearing in unexpected locations. This is particularly important for stored account data and for sensitive authentication data retained prior to authorization.
For assessors: Discovery scans are often used as a first step to establish a client’s PCI DSS scope, but as organizations change over time, periodic scanning helps provide assurance that locations of data are known and protected appropriately. Scan reports identify and confirm all locations of stored account data.
Requirement 6: Develop and maintain secure systems and software
Supported controls: 6.5.2, 6.5.5
For organizations: After a major change, such as a migration of an in-scope system, best practice should include a targeted data discovery scan to confirm that any changes to PCI DSS scope are understood and recorded in updated network and data flow diagrams. Discovery scanning of non-production environments can be used to confirm that live PANs are not present in these locations.
For assessors: A targeted discovery scan report will demonstrate whether there has been any effect on stored account data and how these changes should be documented in network and data flow diagrams. Depending on the nature of the change, scan reports may simply demonstrate that no updates to documentation are required. This is still useful evidence when it comes to assessment. Reports from scans completed against non-production environments can be used to validate the absence of live PAN data from these locations.
Requirement 12: Support information security with organizational policies and programs
Supported controls: 12.4.2 (12.4.2.1), 12.5.1, 12.5.2 (12.5.2.1), 12.5.3, 12.10.7
For organizations: PCI DSS 4.0 makes scope revalidation part of requirement 12 for the first time. Merchants need to verify their scope at least once every 12 months and service providers every 6 months. Data discovery scanning can help automate this process and ad hoc, targeted scans can be run as needed. More frequent scanning using advanced discovery solutions can support the identification and remediation of account data outside expected locations. It can also be used to verify that any remediation following an incident has removed any rogue data.
For assessors: Data discovery scan reports that clearly identify the locations of card data help when validating a client’s scope. Using client scan reports, assessors can evaluate documented data flows, network diagrams and inventory lists. Incident response to account data found in unexpected locations can be initiated and later closed with evidence from pre- and post-event discovery scans.
Appendix 3: Designated Entity Supplemental Validation (DESV)
Supported controls: A3.2.1, A3.2.2, A3.2.3, A3.2.5 (A3.2.5.1–2), A3.2.6, A3.3.3
For organizations: The DESV requires eligible organizations to confirm their scope every three months, following changes (confirming scope impact assessment) and after any organizational change. Scope revalidation must use an effective data discovery methodology. Data discovery scanning solutions are an efficient way to achieve this in a comprehensive, automated way. Using advanced discovery solutions, organizations can respond to any findings using inbuilt remediation capabilities.
For assessors: Discovery reports provide evidence that organizations are using an appropriate and effective data discovery methodology. Console settings can be used to verify the configuration of the solution and the scan frequency. Reports will also demonstrate any remediation activity performed by the tool where data was found outside the client’s scope, identifying potential weaknesses that may need to be addressed.
Data discovery for the Report on Compliance
The Executive Summary of the Report on Compliance (ROC) requires extensive documentation of the client’s PCI DSS scope for assessment. Responsibility for establishing and defining the scope lies with the client, but assessors must validate its accuracy for the assessment. However, it’s not unheard of for QSAs to undertake full scope validation, including data discovery, as part of this process.
The DESV mandates the use of an effective data discovery methodology such as data discovery scanning as part of periodic scope revalidation. While the DESV isn’t applicable to all organizations, it can be used as a best practice model. Data discovery scans performed by the client as part of their ongoing compliance activities can be used to verify their documented scope — identifying in-scope systems, locations of stored account data, network boundaries and more.
As assessors, the ability to sample small parts of the client’s network using data discovery methods — particularly areas excluded from scope — may be useful. Scripts and RegExes are often used for this, but they have downsides if they are not written well. If discovery scanning hasn’t been performed by the client as part of their scoping process, it may raise questions about the accuracy of their documentation. Using a lightweight and unobtrusive discovery solution, such as Ground Labs Enterprise Recon PCI or Card Recon, assessors can evaluate the client’s scope and documentation without undue delays to the assessment process.
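To illustrate the regex downside mentioned above, here is an added example (not code from the post or from any Ground Labs product) of a minimal PAN discovery check: a broad digit-run pattern on its own flags order numbers and timestamps, while pairing it with a Luhn mod-10 check removes those false positives, and masking each hit keeps the scan report from becoming a new store of cardholder data. The file paths and contents are constructed sample data, and the card numbers are standard test numbers.

```python
import re

# Broad pattern: 13-19 digits, optionally separated by single spaces or dashes.
# On its own this is the "poorly written regex" case: it matches order numbers,
# timestamps and other long digit runs just as readily as PANs.
DIGIT_RUN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample "files" standing in for scanned repositories. The card
# numbers are standard test numbers, not real account data.
SAMPLE_FILES = {
    "logs/app.log": "2024-01-15 09:30:00 order 1234567890123456 paid with card 4111 1111 1111 1111\n",
    "exports/customers.csv": "id,name,card\n20240115093000123,Alice,5500-0000-0000-0004\n",
    "docs/readme.txt": "No card data here. Call 555-0100 for support.\n",
}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits so a finding can be
    reported without the report itself holding the full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def discover(files: dict, validate: bool = True) -> list:
    """Return (path, masked_pan) for each candidate. With validate=True only
    Luhn-valid candidates are reported, which drops most false positives."""
    findings = []
    for path, content in files.items():
        for match in DIGIT_RUN_RE.finditer(content):
            digits = re.sub(r"[ -]", "", match.group())
            if validate and not luhn_valid(digits):
                continue
            findings.append((path, mask_pan(digits)))
    return findings


if __name__ == "__main__":
    print("regex only: ", discover(SAMPLE_FILES, validate=False))
    print("regex + Luhn:", discover(SAMPLE_FILES))
```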
Ground Labs’ specialist PCI DSS data discovery solutions take the guesswork out of compliance. With scalable solutions to meet your needs, Ground Labs is the discovery partner you need. Book a demonstration today.