Tales from the PCI Crypt: Life outside the PCI Audit Zone
My friend Billy Austin is a co-founder of a new company called iScan Online. They perform scans on endpoints of all types on what they call an opportunistic basis. You can read all about them on their website, and stand by for some big news coming out from Billy, Carl Banzhof and team.
iScan Online is really great for the new PCI internal scanning requirements (11.2 of the DSS). But Billy made a great point in a recent blog post he wrote. Billy noted that by doing a data scan for PANs (primary account numbers) they turned up credit card data in merchants' email in an ungodly number of cases. The typical scenario was a sales person (usually remote) or order taker who takes an order over the phone or in person and then "writes it up" for the processing department. They send the order over via email (usually not encrypted), and of course a copy of the sent mail is stored on the sender's machine. Yikes!
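As an added illustration of the kind of data scan Billy describes, here is a small Python PAN finder run over a constructed sample of "sent mail" text. It is example code written for this post, not iScan Online's product or anything from Billy's write-up. It assumes a mailbox exported as plain text, accepts digits separated by spaces or dashes, drops candidates that fail the Luhn check (which weeds out things like tracking numbers), and reports hits masked to first six and last four digits so the report itself does not become another copy of the PAN.

```python
import re

# Constructed sample, not real data: three "sent mail" bodies of the sort
# a remote sales person might keep in a Sent folder. Only two contain PANs;
# the 16-digit tracking number fails the Luhn check and should not be reported.
SAMPLE_MAILBOX = """\
From: sales@example.com
Subject: Phone order for Acme
Customer paid with Visa 4111 1111 1111 1111 exp 12/27, ship to warehouse B

From: sales@example.com
Subject: Re: invoice
Tracking number 1234 5678 9012 3456 shipped today.

From: orders@example.com
Subject: order follow-up
Card on file: 5500-0000-0000-0004
"""

# 13 to 19 digits, each optionally followed by a single space or dash,
# not glued to other digits on either side (so a 20-digit ID is not a hit).
PAN_CANDIDATE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Mask a PAN to first six / last four, the most PCI DSS 3.3 permits to display."""
    return digits[:6] + '*' * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Scan text line by line; return (line_number, masked_pan) for Luhn-valid hits."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r'[ -]', '', m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((line_no, mask(digits)))
    return hits


if __name__ == '__main__':
    for line_no, masked in find_pans(SAMPLE_MAILBOX):
        print(f'line {line_no}: {masked}')
```

Luhn plus length is a coarse filter: it still passes some order and invoice numbers, so a real scanner would also check the issuer prefix (the first six digits) and the surrounding words before raising an alert. The point of the example is the other direction: even this crude pass finds the card numbers sitting in a Sent folder that no QSA ever looked at.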
Billy makes an excellent point. The person who receives this mail will in most instances enter the order into a PCI compliant terminal and network. They will probably even delete the email with the card data when they are done. For all intents and purposes they are PCI compliant. But what about that sales guy or gal who "lives outside the PCI Audit Zone"?
Those folks are usually not scanned or held to the higher PCI standards because, on the surface, they are isolated from the card processing infrastructure that a QSA looks at or that we normally think of in terms of PCI. On paper that isolation does not hold: the DSS puts any system that stores, processes or transmits cardholder data in scope, so the laptop with the Sent folder, the mail server it went through and that server's backups are all in scope whether or not anyone assessed them.
As Billy also points out, too many of us in the PCI world shrug our shoulders and give you the "sorry, outside the scope" face. Billy calls BS on this and so do I. It is BS. This is card data that is being floated around in regular email and stored on usually unencrypted mobile devices which could easily be lost or stolen.
If we are truly going to give a rat's you-know-what about credit card data being stolen, we need to be thinking about life outside the PCI Audit Zone. We need to be thinking about who in an organization comes into contact with card data. If they do, we need to make sure they are following PCI standards as well.
It makes no sense to guard just the castle when the valuables can be reached from an outhouse. We need to think about life outside the Audit Zone.
Good job, Billy, for bringing this blind spot to our attention in another tale from the PCI Crypt.