Watch those Vendor Application Change Release Notes like a Hawk!

At a client site recently I was watching a customer service rep as she performed her duties during a PCI DSS interview, and noticed that when she went to add a new payment method, a whole list of saved card numbers (redacted) showed up in the PAN field.

A little bit more digging showed that Chrome had “helpfully” saved every card she’d entered for several weeks, with the Name and Expiration date (no CVV).
We discovered the setting to save payment methods within Chrome had inadvertently been set after Chrome had asked on some past occasion whether it should save them.
The agent had to remove all the cards from the local Chrome store individually, then set the save set to No.
The IT department found a way to set all agents' Chrome instances to No and we moved on.
It was missed in the monthly PAN scans, presumably because Chrome had set some encryption on the card number; however, it was shown in full in the clear when any saved card was queried in depth.
Only the agent had access to those card numbers, and only after logging in under her own userID. Chrome itself reported that the storage of any card would be local only and not synced across instances.
However, at some stage, that feature was made available by the vendor (Google) and missed by the Compliance or IT teams, and no central policy was available to accommodate it until after we had discovered it.
I strongly encourage you to review any new features, try them both in the on and off states, and decide whether they could cause you any PCI DSS compliance grief.


To read more about PCI DSS you can enjoy the rest of our topic related blogs here!

Contact Us
Chat with our team about your PCI DSS compliance program.
Schedule a call
Contact Us