CDE Scoping and Future Data Compliance Requirements: Why Data Discovery Is Crucial to PCI DSS

Last month I shared a post about prioritizing data security in the uncertain future that is 2022, whether that uncertainty pertains to existing or net new privacy laws, expansions of security controls, or other regulatory factors. One thing is for certain, this year brings with it a lot of potential for growth, and with growth often comes surprise.

In speaking with peers across the privacy and security spaces, rumor has it that defining the card data environment (CDE) scope and CDE boundary protection may become extremely key elements to the PCI world as we know it with the release of PCI DSS 4.0. And while PCI DSS 4.0 won’t be enforced for a while and has yet to even be published, changes like this and some of the other key elements that could find their way into the new regulations make it wise to think about these things now.

Defining—and Refining—the Environment

Any systems that store, process, or transmit cardholder data or sensitive authentication data automatically become part of the CDE. Which means it’s vital to know exactly where all your cardholder data resides in order to achieve and/or maintain PCI DSS compliance. Data discovery can define the scope of your CDE, and keeping tabs on where cardholder data resides can keep the scope of your CDE from expanding too wide.

Many suspect that PCI DSS 4.0 will include a requirement to leverage data discovery to define the CDE scope. But even before 4.0 is live, protecting the CDE boundary to prevent scope creep is still extremely important to ensure the PCI assessment cost and timeline don’t explode.

Finding the Right Discovery Solution

Setting up a data discovery solution isn’t a simple flip of a switch, and anyone who tells you otherwise has either never worked in the space or is trying to hide something. Technologies with the capabilities required to meet such task come with a lot of complexities. Think about how many different system types your organization has: SQL, Oracle, Redshift, Google BigQuery, MongoDB, OneDrive, Snowflake, ADLS, NFS, SharePoint on-premises or in the cloud, or one of the other million possibilities. Setting up discovery that connects to all of these is possible, but doing it right requires time and attention.

Fortunately, discovery solution providers like PKWARE have done the groundwork to make numerous connections possible, enabling methods to reduce the overall false positives. They’ve also incorporated artificial intelligence (AI) and machine learning (ML) where it makes sense to ensure the best possible outcome during discovery. All of this supports the next step, which is protection such as masking or encryption.

Questions You Should Be Asking

Below we’ve gathered some of the key elements and questions you should be looking for and asking about while doing your market research for the right discovery solution for your PCI DSS needs:

1. Maturity of the organization: How long have they been in business and do they have existing reputable customers willing to give references?
2. Beyond discovery: What else do they provide that works in conjunction with data discovery? Masking? Encryption? Alerting? Data Investigation for Internal Audit or DSAR? What integrations are there?
3. Maturity of the data discovery: Does it leverage AI/ML where it makes sense for data points such as names, street addresses, or other items that may not fit a standard pattern? Does it incorporate contextual data into discovery for finding descriptions like SSN, Social, CC, Card, Credit, Bank, Emp, or EmployeeID near a number to add to the accuracy? Does it support text-to-speech for cases such as call centers taking down credit card numbers? How customizable is it? Can you adjust how much to scan, when to scan, and address false positives to make the scans more accurate over time?
4. Architecture design: What’s the architecture look like? Given you’re likely putting this solution into a CDE environment, has the vendor considered the challenges of PCI and can they abide by the controls?
5. Particular focus: Is the vendor aware of PCI themselves or is their solution more geared toward privacy?

Proper vetting as well as a thorough proof of concept is crucial to the selection of the platform/vendor that will be best for your organization or use case. Trying to rush these decisions is never good, and trying to set one up overnight will only lead to further aggravation.

So take your time, do proper research. Find not just a tool but a partner who will work with your team to make sure the solution meets your objectives and sets you up not just for the PCI DSS challenges today, but the compliance and privacy changes that may come tomorrow.

More than 90 percent of the organizations that use PKWARE solutions for PCI DSS compliance have been able to maintain their compliance for 5 – 10 years. See how PK Protect’s automated discovery and remediation solutions can help you achieve and maintain compliance with a free personalized demo.