Maze & Associates PCI Compliance Tracker for Local Governments
2. Action Items
• Document how your organization stores, processes or transmits credit card information
• Determine your merchant level
• Determine your validation requirements
– Contact your merchant banks and acquirers
• Determine your SAQ validation type
• Find an ASV for compliance network vulnerability scans
– Perform at least quarterly scans
• Annually fill out your SAQ
– Turn in and/or keep on file
3. 10 Steps to Document Cardholder Environment
1. Determine Merchant Level (number of transactions)
2. List all Merchant Banks and Acquirers
3. List all outsourced processors, ASPs and third-party processors
4. Document all Payment Applications
5. Document all PEDs used (Point of Interaction)
6. List all physical locations where CHD is processed, stored or transmitted
7. List all electronic storage of CHD
8. Document electronic transmission
9. Document policies that address PCI requirements
10. Implement applicable PCI DSS controls
4. Step 1: Determine Merchant Level
• List the number of all credit card transactions for all Merchant Banks and Acquirers
• List by card brand as well
• Determine your merchant level based on total annual credit card transactions
• Number is based on the aggregate number of transactions for a DBA
Note: Merchant levels are defined by the Card Brands and determined by the Acquirer based on transaction volume.
5. Step 2: Document Acquirers
• List all Acquirers, Merchant Banks and/or Acquiring Banks
• Include card brands when they act as acquirer, e.g. Amex, Discover, JCB
• Would never be Visa or MasterCard
• They determine your merchant level and reporting requirements
6. Step 2: Document Acquirers
• Contact Information
– Address
– Phone Number
• Incident Response Team
• Website
– Monitor for changes in requirements
• Any notes or documented conversations you have with them
7. Step 3: Determine Service Providers
• A Service Provider is a business or entity that is directly involved in the processing, storage, transmission, and switching of transaction data and/or cardholder data (CHD)
• Any service provider that has control of, or could have a security impact on, CHD
8. Examples of Service Providers
• Transaction Processors
• Customer Service
• Call Centers
• Payment Gateways
• Credit Reporting
• External Sales
• Remittance Processing
• Card Embossing Companies
• Information security providers
• Offsite Data Storage Providers
9. Manage Service Providers
• Maintain a list of service providers
• Maintain agreements that hold service providers responsible for security of CHD
– Include reporting and breach notification
• Have a process to validate new service providers before they become service providers
• Have a program to monitor service provider compliance at least annually
10. Step 4: Document Payment Applications
• List all payment applications
• Document the business use of the applications
• Determine if the application is compliant
• Determine if the application stores CHD
• Check PCI website for list of approved applications
11. Action Items
• Contact the vendor; make sure payment applications are PA-DSS compliant or will be.
• Contact your PIN device supplier; make sure you have compliant PIN Entry Devices.
https://www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html
https://www.pcisecuritystandards.org/security_standards/vpa/
12. Payment Applications
• In-house applications
– SDLC controls
– Code reviews
– Application firewalls
– OWASP
13. Step 5: Document PED
• List all Points of Interaction (POI)
– List all PIN Entry Devices (PED)
– List all Point of Interaction devices
– List all Unattended Payment Terminals (UPT)
– List all Point of Sale (POS) devices
• Document compliance for those devices currently required to be PCI compliant
15. PED
• PIN Entry Device
– Scope of the standard is increasing
• PIN Transaction Security (PTS)
– Will include
• UPT (Unattended Payment Terminals)
• POI (Point of Interaction)
• POS (Point of Sale Devices)
– Standard addresses the vendors who make devices
– Merchants must use approved devices
16. Step 6: Physical CHD
• List all physical locations where PAN is processed, stored or transmitted
– Paper
– Receipts
– Imprints
– Carbon Copies
– Locations of backup media
• Document Retention Period
– Justify with business need
• Document Destruction Policy
17. Step 7: Electronic Data Storage
• List all electronic storage of CHD
• Document business reason for storing and retention period
• Requirements in PCI DSS
– Encryption
– Access Controls and Audit logs
– Never permitted to store full track data
18. Cardholder Data
Data Element                          Storage Permitted   Protection Required   PCI DSS 3.4
Cardholder Data
  Primary Account Number (PAN)        Yes                 Yes                   Yes
  Cardholder Name                     Yes                 Yes                   No
  Service Code                        Yes                 Yes                   No
  Expiration Date                     Yes                 Yes                   No
Sensitive Authentication Data
  Full Magnetic Stripe Data           No                  N/A                   N/A
  CVC2 / CVV2 / CID / CAV2            No                  N/A                   N/A
  PIN / PIN Block                     No                  N/A                   N/A
19. Places to look for CHD
• Electronic Image Files
• SANs
• Fax Servers
• Scan Archive
• Printer Spool
• Laserfiche
• Log Files
• Audio Recordings: customer service call recordings
• Voicemail
• Email Server/Archive
• Backup Media
• Copier Scanner Cache
• Databases
Perform a search for CHD every 6 months
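Slides 18 and 19 set both the rule and the task: PAN may only be kept if it is rendered unreadable (PCI DSS 3.4), and the places listed above should be searched for CHD every 6 months. The following Python is an added example, not part of the original presentation, showing the core of such a discovery scan over a constructed log excerpt: digit runs are filtered with the Luhn check that every real PAN satisfies, and hits are reported masked so the report does not itself become another store of CHD. The regex, the Finding record and all sample values are assumptions made up for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Candidate PAN: 13-19 digits, optionally grouped by single spaces or dashes,
# not glued to other digits. The regex over-matches; Luhn filters the rest.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every real PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits so the discovery
    report itself does not become one more place where CHD is stored."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

@dataclass
class Finding:
    line_no: int
    masked_pan: str
    context: str  # only the timestamp prefix of the line, for triage

def find_pans(text: str) -> List[Finding]:
    """Scan an export (log file, CSV, mail archive dump) line by line and
    return Luhn-valid PAN candidates with the PAN masked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding(line_no, mask_pan(digits), line[:20]))
    return findings

# Constructed sample (all values made up): a POS log line with a clear-text
# PAN, a call-centre note with a dashed PAN, a 16-digit inventory tag that
# fails Luhn, and a phone number that is too short to be a PAN.
SAMPLE = """\
2019-04-02 09:15:22 POS01 sale approved card=4111111111111111 amt=42.10
2019-04-02 09:16:03 CS-portal note: caller read 5555-5555-5555-4444 aloud
2019-04-02 09:17:45 inventory scan tag=1234567890123456 bin=A7
2019-04-02 09:18:10 callback requested at 916-555-0147
"""
```

Running `find_pans(SAMPLE)` reports lines 1 and 2 only; Luhn cuts the noise but not all of it, so hits still need a human review before the storage is cleaned up or justified.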
20. Unknown Storage
• Fax Machines and Copy Machines may store CHD
http://www.youtube.com/watch?v=iC38D5am7go
21. Step 8: Document Data Transmission
• Not only do you need to know where your data is stored, but you also need to know where it travels
• Create a Data Flow diagram
– Diagram with CHD flow superimposed over network diagram
• Evaluate the flow every 6 months, or more often if there has been a change
• Helps to determine the PCI scope and aids in determining network segmentation
22. Document Data Flow
• With a network diagram, document the flow of credit card information (transmission)
• Locate any places the information might be stored along the data path (storage)
23. Step 9: Create Needed Policies
• What policies do you currently have that address PCI-related issues?
• Create needed policies
• See section 12 of the PCI DSS
• You will need to create additional subordinate policies, procedures or administrative directives for specific PCI control requirements
• Every PCI DSS control should be documented in some policy, procedure, administrative directive, SOP or schedule
27. PII Policy
• If you already have a policy for handling confidential information or personally identifiable information, add credit card information to confidential information or PII.
28. PCI DSS
• Start implementing the data security standard, beginning with policies
• Start with high-level policies
– “The City shall not store PAN (Credit Card Numbers) electronically or physically. Employees shall be trained on PCI standard annually. Background checks will be performed on all staff with access to credit card information.”
29. PCI DSS
• Use the prioritized approach to implement the most important controls first.
30. Document Compliance
• Determine if all PEDs are PCI compliant
• Determine if all payment applications are PCI compliant
• Determine if all 3rd party processors and 3rd parties are PCI compliant
• Obtain documentation from each
• Annually renew documentation from 3rd parties
• Annually check payment application and PED list
Editor's Notes
The standard has approximately 194 controls in 12 sections. The 12 sections are grouped into 6 objectives. The 6 objectives are: build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.