PCI Compliant Storage for Sensitive Files

Jon Jaques
A customer of mine has failed a PCI scan, mainly due to files stored on two bookkeeping computers, which contain sensitive data, like SSNs for employees, tax returns, and a small number of credit card numbers... Some of it is easy, old mailboxes, old emails, duplicate files, that can just be deleted.

Some of that data will need to be kept, though, possibly for long-term storage, but in a way that is PCI Compliant.

The credit card numbers are most likely internal, not customers - the business mainly transacts with their customers via checks, which are electronically deposited and then shredded when the accounts are reconciled.

What is the best/correct method to recommend to them for storing and accessing this data going forward that is both compliant and usable by not-very-technical bookkeeping staff?

They are a network of 10 total active users all running Windows 10 Pro, and joined to Active Directory via Windows Small Business Server 2011, and do have shared file access on the servers. For compliance, I'm thinking it would be best to have this data on the server, where it is assuredly backed up, and permissions are stricter, but does that create a more centralized potential point of failure?

Your advice and recommendations are appreciated!
Commented:
First question right off the bat is why they are storing CC numbers. That's going to be one of the huge red flags right off the bat. Second question is why files with sensitive information aren't encrypted.

How exactly is your customer processing customers' credit cards at this point? What devices are they using and what are they connected to?
Sr. Network Engineer
Commented:
PCI is going to require that you provide the following safeguards to the PII and other sensitive information:

1.  RBAC to data.  In short, all access is to be access controlled with audit and logging (view/add/change/delete) and roles policy defined, change controlled and audited at least annually
2.  Data encryption at rest.  In other words, the disks that the data resides on must be secured against removal and re-integration retrieval on transfer device.
3.  Data storage audit.  In other words, any data that is not necessary to be stored should be deleted
4.  Backup - any data that is backed up (backup is not necessarily a requirement) must be encrypted on media as well
5.  Secure storage of removable media
6.  Secure destruction of storage and media

The scope of their solution is going to be dictated by budget and the risk they are willing to take on from a trust/audit/certification perspective.  As a minimum, I would suggest encrypted network storage (not on their server - think NAS or SAN) with a backup mechanism that is capable of encrypting media.
Jon Jaques, Information Technologist

Author

Commented:
The customer's business is kind of old-school... The owner is 94 now, and doesn't take to drastic changes too well. That said, they have a wonderful, productive, and stable staff and business with little to no turnover, and they process millions of dollars worth of business per year.

Knowing them, I'd guess the CC numbers are their own internal numbers, probably stored in a spreadsheet (sigh) because they're needed on a semi-regular basis. Same for the SSNs and tax returns, the bookkeeper has that data stored on her computer.

The rare occasion when they take a customer CC, they run it through a virtual terminal, and no data other than amounts is saved.

They currently have no encrypted volumes at all. I will definitely look into an encrypted NAS or SAN, thank you for the recommendation.

The server does have auditing turned on, but we have no policy for officially reviewing or reporting on it.

Off of the report, I know the owner has an unencrypted portable hard drive with QuickBooks backups on it (and who knows what else). What can I recommend about that? They would be password protected, but that's crackable.
Philip Elder, Technical Architect - HA/Compute/Storage

Commented:
Drop the CCs into KeePass and secure that with a good password. That takes care of that.

What exactly was the failure description for the PCI scan?
atlas_shuddered, Sr. Network Engineer

Commented:
Okay.  Have a look at this document.  It is going to give you some more meat for the research and decision process.  It will also give you an independent point of verification when discussing with your client:

https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf

Then check this link if you need the hard drive capacity:

https://datalocker.com/product/ironkey-h100/

This link if USB will suffice:

http://www.ironkey.com/en-US/encrypted-storage-drives/
Jon Jaques, Information Technologist

Author

Commented:
I have a question about encrypted network storage...

It seems to me that the only way it could fully protect from viral intrusion would be to always authenticate with a password on every access, which would be a pain, and the users wouldn't want to use it.

My inclination would be to have authentication integrated with Active Directory, but wouldn't that allow a virus to run in the context of the user, and be able to access sensitive data that that user has access to?

The PCI scan should then also have access to that data, and therefore also report it as a risk.

Or, would the scan report it as found, but OK, because it is stored correctly?
Philip Elder, Technical Architect - HA/Compute/Storage

Commented:
There must be no ANONYMOUS set to READ or WRITE on the data being stored on the server. All users must authenticate to reach the data.

The backup method should be configured in such a way as to protect the backup data from an encryption event. The way we do it:
Protecting a Backup Repository from Malware and Ransomware

There should be no PCI fail for authenticating to access data and then having access to that data on-the-fly as the user is working throughout the day.
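Added example, not from any poster in this thread: a PowerShell script that checks a sensitive-data folder on the file server for the broad ACEs the reply above rules out (Everyone, ANONYMOUS LOGON, Authenticated Users), restricts access to one AD group as item 1 of the earlier list describes, and adds a SACL entry so views, changes and deletes are logged for the audit-review policy. The folder path and group name are assumptions; run it elevated on the server.

```powershell
# Added example (not from the thread). Folder path and AD group are assumed; adjust to the environment.
$Folder       = 'D:\Shares\Bookkeeping\Sensitive'   # assumed location of the sensitive files
$AllowedGroup = 'CORP\Bookkeeping-Sensitive'        # assumed AD group of staff who need the data

# Identities that should never hold rights on PCI-scoped data (no anonymous or "everyone" access)
$Broad = @('Everyone', 'NT AUTHORITY\ANONYMOUS LOGON', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

# 1. Detection: list any broad ACE, whether explicit or inherited from the parent folder/share
$acl = Get-Acl -Path $Folder
$findings = $acl.Access | Where-Object { $Broad -contains $_.IdentityReference.Value } |
    Select-Object @{n='Identity';e={$_.IdentityReference.Value}}, FileSystemRights, AccessControlType, IsInherited
if ($findings) { $findings | Format-Table -AutoSize } else { "No broad ACEs on $Folder" }

# 2. Remediation: stop inheriting from the parent (drops inherited broad ACEs), remove explicit ones,
#    then grant only the bookkeeping group (Modify), SYSTEM and Administrators (FullControl).
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | Where-Object { -not $_.IsInherited -and $Broad -contains $_.IdentityReference.Value } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
foreach ($id in @($AllowedGroup, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
    $rights = if ($id -eq $AllowedGroup) { 'Modify' } else { 'FullControl' }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $id, $rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Folder -AclObject $acl

# 3. Logging: turn on file-system object-access auditing and add a SACL entry so reads, writes,
#    deletes and permission changes by anyone land in the Security log (events 4656/4663).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
$sacl = Get-Acl -Path $Folder -Audit
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
    'Everyone', 'ReadData,WriteData,AppendData,Delete,DeleteSubdirectoriesAndFiles,ChangePermissions', `
    'ContainerInherit,ObjectInherit', 'None', 'Success,Failure'
$sacl.AddAuditRule($auditRule)
Set-Acl -Path $Folder -AclObject $sacl
```

The audit entries only help if someone reviews or forwards them, which is the policy gap mentioned earlier in the thread; the script closes the access side, not the review side.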
Jon Jaques, Information Technologist

Author

Commented:
Thank you everybody for your input! The customer's network has been almost all cleaned up, and while we still have a few things to work out on the storage end, they don't have nearly the mess lying around they did before, and are more aware of the potential pitfalls associated with critical data!
