We help IT Professionals succeed at work.

Storing card holders data on the local network with PCI DDS compliance

Tom Skowyrski
Tom Skowyrski asked

One of my customers was going through the PCI DDS compliance recently and discovered that the cloud service they are using for CRM is not secure enough to store the cardholders data for taking payments at the later stage. He told me that they decided to keep that data on their local server (probably in Word or Excel document). I advised not to do that so he asked what if we used the password managers like Keepass to do that. While it is better that plain Word or Excel document, I believe that it is not the way to do it. They do not have online store but I was wondering that if they set up one and make it private so only employees can access it then it would be more secure?
Do you know what is the best way to do it? They do not want to store the PIN numbers and will call up for that.
I would prefer something in the cloud which has been designed for something like that because my customer is small business and doesn't have budget to get all the security appliances required to be quite secure.

Can you advise please?


Watch Question

Exec Consultant
Distinguished Expert 2018
Key is to safeguard the personal info and credit card info and to verify that no cardholder data exists outside of the currently defined cardholder data environment (CDE). ensure the CDE boundary is clearly defined so that the controls are in place appropriately - protect data and data's environment as form of risk assessment.

password is single factor and the weakest means to safeguard the CD in its digital form. assess the exposure of the local server which the CD is residing and the CDE segment crafted out for it to ensure unauthorised access and abuse are mitigated and prevented. Just a simple knowing of password or leak can open up the "encryption" and not to say brute force  attempt, the segmentation is to make it difficult but not impossible. Assume worst case, network and physical access are breached esp for insider, the password is last defence and is too weak. Assess if the wallet can be removed and be multifactor authentication prior to access, and use a stronger password beyond 16 char (alpha numeric and increased complexity with non-alpha numeric and symbols too, random) or keyfile instead of password. Key is not rely on ZIP password protected, that can be brute force w/o account lockout enforcement. All password must not be in plain and need to be in one-way hashed. See "PCI Data Storage Do’s and Don’ts"

in short -
-Protect any keys used for encryption of cardholder data from disclosure and misuse.
-Encrypt transmission of cardholder data across open, public networks

As for cloud in term of PCI-DSS, you will still need to consider (and more) such as below main principles
- Don’t store, process or transmit payment card data in the cloud. This is the most effective way to keep a cloud environment out of scope, as PCI DSS controls are not required if there is no payment card data to protect.
- Minimize reliance on third-party CSPs for protecting payment card data. The more security controls the CSP is responsible for, the greater the scope of the CDE will potentially be, thereby increasing the complexity involved in defining and maintaining CDE boundaries.

So say if for
- Private-cloud deployment: an organization could either implement adequate segmentation to isolate in-scope systems from other systems and services, or they could consider their private cloud to be wholly in scope for PCI DSS.
- Public cloud, the client organization and CSP will need to work closely together to define and verify scope boundaries, as both parties will have systems and services in scope.

Overall if clear-text account data is present (for example, in memory) in the cloud environment, or the ability to retrieve account data exists (for example, if decryption keys and encrypted data are present), all applicable PCI DSS requirements would apply to that environment.

The above reference is also mainly to align with guidelines in this useful paper for scoping in context of the risk exposure

For info, Google  Cloud Platform is now PCI Data Security Standard Certified. It will be better to engage those compliant to better advise later your client...