
To implement a PCI DSS compliant solution you must satisfy requirement 3.4: "Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:" (PCI DSS)

I thought it was meant to prevent data breaches that could happen through several attacks, such as a blind SQL injection using sqlmap, other software vulnerabilities, or physical theft of the disk. However, I saw it's possible to use disk encryption from the OS, so I have two concrete questions that are closely related:

  • Is the intention that it only protects against leaking data in case of physical data theft?
  • It looks like "store" means persist it on disk. So, if you have an in-memory database, would you comply with 3.4 by default? Or if you use a RAM disk to store the file with the sensitive data? In that case, when the computer is turned off the data would disappear and the attacker would get nothing.

NOTE: This doesn't make total sense to me, but I am sincerely confused and I would like to understand how to implement something correctly according to the standard that also makes sense from a security point of view.

Sfp
  • I’m voting to close this question because Stack Overflow is only for questions about _writing code_. This might be better suited for [security.se]. – Charles Duffy Oct 10 '21 at 01:53
  • That's true, I apologize, I will move it to that, I saw these tags "pci-compliance pci-dss" and I got confused. Now that I think about it those tags should be removed. – Sfp Oct 10 '21 at 17:56

1 Answer


I am not a QSA, but my understanding of this is that the PAN should be either unretrievable (hashing, truncation, or index tokens) or only accessible via an authorized method (encryption). This is guarding against both theft of the actual storage media as well as unauthorized access from a user of the system.

The easiest way to meet this requirement is to just not store PAN data at all. If you don't have it, you don't need to protect it. Storing part of it or an identifier that can be linked to it (the first three methods) is acceptable (as long as you don't combine hashing and truncation), since you still don't have the actual PAN. But if you must have long-term access to it to do whatever your application or company does, then it should only be in the clear when it's being actively worked with, and encrypted at all other times.

For example, full disk encryption is valid, but (as per 3.4.1) it must use different keys than those automatically used by the operating system. If a user can just log in, browse to that drive and have the OS helpfully decrypt all the card data as it's accessed, that's noncompliant. There has to be a separate key (with its own security) that needs to be provided in order to get to the PANs.

Likewise, if your PANs are in memory, and software running on the computer can read that memory and see the PANs, then you're not meeting the requirement. Even if the OS is supposed to protect the memory from cross-process reading, Spectre, Meltdown and other vulnerabilities mean that it's still accessible.

Bobson
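The answer's warning about not combining hashing with truncation is easy to underestimate, so here is an added example (not code from the original post, and not from any PCI DSS document) that shows why. It assumes a 16-digit PAN truncated to first six and last four digits, uses the well-known Luhn-valid Visa test number 4111111111111111 as constructed input, and uses HMAC-SHA256 with a secret key as the stand-in for an "index token" (a design choice here, not something the page prescribes). The attacker model is someone who has read the database: they hold the truncated PAN and the stored digest, and can compute the hash function themselves. With an unkeyed hash, only the masked middle digits are unknown, the Luhn check digit removes one more degree of freedom, and the full PAN falls out of at most 10**5 guesses. With a keyed token the same search gets nowhere without the key, which is exactly the "separate key with its own security" the answer describes for the encryption route.

```python
import hashlib
import hmac
import itertools
import secrets
from typing import Callable, Iterator, Optional

# Constructed sample PAN: the standard Visa test number, Luhn-valid, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_weight(digit: int, doubled: bool) -> int:
    """Contribution of one digit to the Luhn checksum."""
    if not doubled:
        return digit
    d = digit * 2
    return d - 9 if d > 9 else d


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check: positions counted from the right, every second one doubled."""
    total = sum(luhn_weight(int(ch), i % 2 == 1) for i, ch in enumerate(reversed(pan)))
    return total % 10 == 0


def truncate(pan: str) -> str:
    """Truncation as commonly applied under PCI DSS: keep first six and last four, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN. Looks 'unreadable' but is reversible by search."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_token(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held outside the database (index-token style)."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def luhn_candidates(truncated: str) -> Iterator[str]:
    """Yield every full PAN consistent with a truncated value.

    All masked digits except the first are enumerated; the first masked digit is
    solved from the Luhn constraint, so 10**(masked - 1) candidates are produced
    instead of 10**masked, and every one of them is Luhn-valid.
    """
    n = len(truncated)
    known = {i: int(ch) for i, ch in enumerate(truncated) if ch != "*"}
    masked = [i for i, ch in enumerate(truncated) if ch == "*"]
    solve_pos, free_pos = masked[0], masked[1:]
    doubled = lambda i: (n - 1 - i) % 2 == 1  # position i, counted from the left
    base = sum(luhn_weight(d, doubled(i)) for i, d in known.items())
    for digits in itertools.product(range(10), repeat=len(free_pos)):
        total = base + sum(luhn_weight(d, doubled(i)) for i, d in zip(free_pos, digits))
        need = (-total) % 10
        # The Luhn weight map is a permutation of 0..9, so exactly one digit fits.
        solved = next(d for d in range(10) if luhn_weight(d, doubled(solve_pos)) == need)
        pan = list(truncated)
        pan[solve_pos] = str(solved)
        for i, d in zip(free_pos, digits):
            pan[i] = str(d)
        yield "".join(pan)


def recover_pan(truncated: str, digest: str, hash_fn: Callable[[str], str]) -> Optional[str]:
    """Attacker: has the truncated PAN and the stored digest, and can run hash_fn.
    Returns the full PAN if some candidate reproduces the digest."""
    for candidate in luhn_candidates(truncated):
        if hmac.compare_digest(hash_fn(candidate), digest):
            return candidate
    return None


def demo() -> dict:
    trunc = truncate(SAMPLE_PAN)
    # Non-compliant combination: truncated PAN and an unkeyed hash in the same store.
    weak = recover_pan(trunc, unkeyed_hash(SAMPLE_PAN), unkeyed_hash)
    # Keyed token: the attacker has the token but not the key. Searching with a
    # guessed key (here the all-zero key, as an assumption about what an attacker
    # might try) finds nothing.
    real_key = secrets.token_bytes(32)
    token = keyed_token(SAMPLE_PAN, real_key)
    guessed_key = b"\x00" * 32
    strong = recover_pan(trunc, token, lambda p: keyed_token(p, guessed_key))
    return {"truncated": trunc, "recovered_weak": weak, "recovered_keyed": strong}


if __name__ == "__main__":
    print(demo())
```

The search space is small enough that the weak case completes in well under a second on ordinary hardware, which is the point: a hash of a 16-digit PAN next to its truncated form has only a few hundred thousand bits of effective secrecy, not 256. The keyed version only holds up as long as the key stays out of the attacker's reach, so it has to be handled like the separate disk-encryption key in the answer, not stored beside the tokens.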