As I mentioned in my PCI 2.0 post, one of the new version’s most significant changes is that organizations now must not only confirm that they know where all their cardholder data is, but document how they know this and keep it up to date between assessments.
You can do this manually, for now, but I suspect that won’t work except in the most basic environments. The rest of you will probably be looking at using Data Loss Prevention for content discovery.
Why DLP? Because it’s the only technology I know of that can accurately and effectively gather the information you need. For more details (much more detail) check out my big DLP guide.
For those of you looking at DLP or an alternate technology to help with PCI 2.0, here are some things to look for:
- A content analysis engine able to accurately detect PAN data. A good regular expression is a start, although without some additional tweaking that will probably result in a lot of false positives. Potentially a ton…
- The ability to scan a variety of storage types – file shares, document management systems, and whatever else you use.
- For large repositories, you’ll probably want a local agent rather than pure network scanning for performance reasons. It really depends on the volume of storage and the network bandwidth. Worst case, drop another NIC into the server (whatever is directly connected to the storage) and connect it via a subnet/private network to your scanning tool.
- Whatever you get, make sure it can examine common file types like Office documents. A text scanner without a file cracker can’t do this.
- Don’t forget about endpoints – if there’s any chance they touch cardholder data, you’ll probably be told either to scan a sample or to scan them all. An endpoint DLP agent is your best bet – even if you only run it occasionally.
- Few DLP solutions can scan databases. Either get one that can, or prepare yourself to manually extract to text files any database that might possibly come into scope. And pray your assessor doesn’t want them all checked.
- Good reporting – to save you time during the assessment process.
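As an added example (not code from the original post or any particular DLP product), here is the kind of “additional tweaking” the first bullet refers to: a candidate PAN regex followed by a Luhn mod-10 check, which is one common way to drop the false positives a bare pattern produces. The separator-tolerant pattern and the sample text are my own constructions.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
# Assumption: one reasonable starting pattern; it will still merge two adjacent
# digit groups into one candidate, which the Luhn step usually rejects.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits):
    """True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def regex_only(text):
    """What a bare regular expression flags: every digit run of plausible length."""
    return [re.sub(r"[ -]", "", m.group(0)) for m in PAN_CANDIDATE.finditer(text)]


def find_pans(text):
    """Regex candidates that also pass Luhn; this is the tuned detector."""
    hits = []
    for candidate in regex_only(text):
        if 13 <= len(candidate) <= 19 and luhn_ok(candidate):
            hits.append(candidate)
    return hits


# Constructed sample: two sequential order/ticket numbers (not cards), two
# well-known Luhn-valid test numbers, and a phone number too short to match.
SAMPLE = """Order 1234567890123456 shipped to customer 4111 1111 1111 1111
Ticket 1234567890123 note: card on file 5500-0000-0000-0004
Phone 415-555-0100 is not long enough to be flagged
"""

if __name__ == "__main__":
    print("regex only :", regex_only(SAMPLE))   # 4 hits, 2 of them false positives
    print("regex+Luhn :", find_pans(SAMPLE))    # the 2 real test PANs
```

Real engines add issuer prefix and length tables per card brand on top of this, which cuts the remaining false positives further.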
DLP offers a lot more, but if all you care about is handling the PCI scope requirement, these are the core pieces and features you’ll need. Another option is to look at a service, which might be something SaaS based, or a consultant with DLP on a laptop. I’m pretty sure there won’t be any shortage of people willing to come in and help you with your PCI problems… for a price.
One Reply to “What You Need to Know about DLP for PCI 2.0”
When I first talked to some vendors about DLP, I was a bit surprised at how “DLP” is a combination of two things: finding data and blocking data.
I was mainly surprised that these companies and even others didn’t have a market already created for that first part: finding data. It’s dirty and unexciting, but important! (Kinda like old school file server searches for *.mp3 or *.avi/mov/mpg or *.pst to find people putting non-biz files on servers; or for attackers, finding uncompiled code and password files.)
Now PCI has picked up on that valuable effort. Strangely, I don’t think it validates the full DLP technology, just that first part about finding it.