PCI DSS has many rules about what you must and must not do when handling payment card data. The most stringent requirements, however, apply to sensitive authentication data (SAD).
So, what exactly are SAD and cardholder data (CHD), what are the differences between the two, and what rules apply to each?
Cardholder Data (CHD)
As defined by the PCI Security Standards Council, CHD is the data allowed to be retained after a transaction validation. A transaction is considered processed once it has been either approved or declined. CHD is limited to the cardholder's name, the payment card's expiry date, and the primary account number (PAN), which must be encrypted if retained. The key is the phrase 'after a transaction validation'. Even if a transaction fails or is declined, it has been processed, and therefore the only data that can be retained is CHD, nothing else.
Sensitive Authentication Data (SAD)
The most common SAD element is the card verification code/value (i.e., CVC, CVV, CID), the three- or four-digit code on the front or back of the card. When conducting a payment transaction, a point-of-sale card terminal also reads the PIN and the full track data from the magnetic stripe or the equivalent data on the EMV chip, both of which are also SAD.
The critical security attribute of SAD is that once a transaction is processed, SAD MUST BE securely deleted from disk, device memory, telephone recordings, physical documents - anywhere it may exist. The bottom line is that SAD cannot be retained under any circumstances once a transaction is processed.
Example - Handling SAD
A typical example of handling SAD is an organization that processes mail-order transactions. A customer's order form specifies payment card information that includes the card verification value (CVV).
A merchant is obligated to securely store these forms until an authorized person processes the order and the payment. Once the payment has been processed, the card information must be securely redacted from the record.
Redaction can be accomplished in several ways. The first way is low tech and uses a black Sharpie marker, blacking out the PAN, CVV and any other sensitive information, taking a copy of the form and then securely shredding the original document. Another option is designing the form so that the payment information is on the bottom, where it can be easily torn off and shredded, leaving the rest of the form safe for filing.
The PCI Assessment Process
As part of the PCI assessment process, PCI DSS requires that an organization prove that it does not store SAD anywhere in its environment. Organizations scan systems for SAD and prove that it does not exist, including on out-of-scope systems.
If scanning finds SAD where it does not belong, the organization must remediate that situation before a PCI assessment can be considered compliant.
The PCI DSS also requires that an organization prove that CHD exists in its environment only where it is expected to be. Such proof usually consists of scanning systems for CHD and showing that CHD exists only in the defined cardholder data environment (CDE). Several commercial and open-source utilities can conduct these scans, including most data loss prevention (DLP) solutions.
If scanning finds CHD where it does not belong, the organization must remediate that situation before a PCI assessment can be considered compliant.
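The following is an added example, not code from the original post or from Truvantis, of the kind of discovery scan these paragraphs describe: it walks text for PAN-like digit runs (filtered with a Luhn check so invoice numbers and timestamps are not reported), for magnetic-stripe track 1 and track 2 formats, and for labelled card verification values, and classifies each finding as SAD or CHD. The scan report masks every PAN to the first six and last four digits so the report itself does not become another copy of CHD. The sample log lines, field names and card numbers (public test numbers, not real accounts) are constructed for this example.

```python
"""Constructed example: scan text for PAN (CHD) and for SAD (track data, CVV),
reporting findings with the PAN masked so the report itself does not become CHD."""
import re
from dataclasses import dataclass

# Constructed sample log content. The card numbers are public test numbers,
# not real accounts; the field names are made up for this example.
SAMPLE_LOG = """\
2024-03-01 12:00:01 order=1001 pan=4111111111111111 exp=1227 cvv=123 status=approved
2024-03-01 12:00:02 order=1002 track2=;5555555555554444=27121011234567890?
2024-03-01 12:00:03 order=1003 invoice=1234567890123 total=42.00
2024-03-01 12:00:04 order=1004 pan=4111 1111 1111 1111 status=declined
2024-03-01 12:00:05 order=1005 track1=%B4111111111111111^DOE/JANE^27121011234567890?
"""

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# ISO 7813 magnetic-stripe formats: track 1 (%B...?) and track 2 (;...?).
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4,}\?")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4,}\?")
# Card verification codes count only when labelled; bare 3-digit numbers are noise.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc|cid|cav2)\s*[=:]\s*(\d{3,4})\b", re.IGNORECASE)


@dataclass
class Finding:
    line: int        # 1-based line number in the scanned text
    kind: str        # "pan", "track1", "track2" or "cvv"
    category: str    # "SAD" (must never be stored) or "CHD" (storable only encrypted)
    masked: str      # masked PAN, or "***" for a CVV, so the report carries no usable data


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used to filter PAN-like digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (PCI DSS display truncation)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return SAD and CHD findings for every line of text, with PANs masked."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        covered: list[tuple[int, int]] = []   # spans already reported as track data
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                covered.append(m.span())
                findings.append(Finding(lineno, kind, "SAD", mask_pan(m.group(1))))
        for _ in CVV_RE.finditer(line):
            findings.append(Finding(lineno, "cvv", "SAD", "***"))
        for m in PAN_RE.finditer(line):
            if any(s <= m.start() < e for s, e in covered):
                continue   # PAN inside track data was already reported as SAD
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append(Finding(lineno, "pan", "CHD", mask_pan(digits)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category; any SAD count above zero blocks compliance."""
    counts = {"SAD": 0, "CHD": 0}
    for f in findings:
        counts[f.category] += 1
    return counts


if __name__ == "__main__":
    results = scan_text(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line}: {f.kind:6} {f.category} {f.masked}")
    print(summarize(results))
```

Run against real systems, the same scanner would be pointed at log directories, database exports and mailbox stores, and any SAD hit is a remediation item regardless of whether the host is in scope; CHD hits are acceptable only on hosts inside the defined CDE. Labelled CVV matching is deliberately conservative: a bare three-digit match rule would drown the report in false positives, so a production tool would add further context rules rather than loosen this one.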
If an organization is retaining PAN, the PAN must be encrypted, and access to the encrypted PAN restricted to only personnel with a need to know.
Do everything you can to avoid storing SAD. If you must store CHD, you need to secure it and restrict access to need-to-know personnel only.
Jeff Hall, CISA, CISM, CDPSE, PCI QSA
Jeff Hall is a Principal Security Consultant at Truvantis and was the founding President of the Minnesota InfraGard chapter, the public/private partnership between businesses and the US Federal Bureau of Investigation (FBI). Jeff is a skilled project manager and has delivered PCI DSS compliance projects that others thought were impossible. He is also an accomplished writer and communicator with a popular blog (pciguru.blog) and a busy calendar of speaking engagements at various conferences and symposia.
Jeff's latest book, The Definitive Guide to PCI DSS Version 4: Documentation, Compliance, and Management, written in partnership with the PCI Dream Team, is available now.
What does a PCI DSS Qualified Security Assessor (QSA) do?
“Well, you review documentation and you file it away in the right buckets under the assessment you're doing, and then you write up the requisite language around it to complete the assessment.
And you do that until you complete the assessment. Some assessments, for example, take quite a while because they have to hit all, what is it, 400 and some odd tests, versus somebody only doing sections six, two, 11 and 12, because the rest of it is on some other party. For example, they're just developing stuff. They're not actually running it. Their customer runs it in operation.
If you're a merchant, if you are Target, Walmart, or whatever, you have an e-commerce site that you operate, and that site has to be scanned at least quarterly by an ASV.
And the way that usually works is you've got a third party, like Qualys or Tenable, somebody like that, where you go into their portal and you would tell them to run a quarterly ASV scan.
Now with Qualys and Tenable, however, you can schedule these scans, and most people have them scheduled to run monthly. But every quarter you have to manually go in and flag that scan. You actually have to manually tick a box and say this time it's an ASV scan.
The best example I can give you is an organization doing monthly scans that recently lost the security guy who was ticking that box, and hence they forgot to tick that box twice in a year. They only had two ASV scans, not four, but they did have 12 monthly scans. In theory, they had done the quarterly scan. They just didn't have the magical certificate that says it was an ASV scan, even though they used the same policy as the ASV scan. It just didn't have the box checked.” – Jeff Hall
The Truvantis Risk Radar
“If you get fifty QSAs (Qualified Security Assessor), you'll have at least, five different opinions, all of them valid.” – Ben Rothke on the Truvantis Risk Radar show.
Truvantis is a security, privacy and compliance consulting firm providing best-in-class services to secure your organization's infrastructure, data, operations and products.
At Truvantis, we've built security and privacy programs for organizations large and small. We specialize in helping our clients improve their business resilience and manage their business risk by implementing, testing, auditing and operating information security programs.
Our world-class services include security testing and a wide range of flexible compliance and vCISO programs. Truvantis is also an authorized PCI DSS Qualified Security Assessor (QSA) Company.
- The Definitive Guide to PCI DSS Version 4 by Arthur B. Cooper, Jeff Hall, David Mundhenk, Ben Rothke, https://link.springer.com/book/10.1007/978-1-4842-9288-4
- The Truvantis Risk Radar show