day 162 Karate Kick, by Hoggheff

OK, so as you can see from the comments, my post yesterday generated a bit of controversy. I must apologize for the 1.3.3 miss as I did my initial research after a long night of, um, networking at the PCI Community Meeting in Orlando. That post was put together with haste over the last three days, while trying to review and decipher some passionately scrawled chicken scratch. I went back and responded to the comments (no editing, it’s all there), and wanted to talk about another significant change I didn’t discuss yesterday.

Page 10 of PCI DSS 2.0 adds quite a bit of text to the Scoping guidance that QSAs and assessees use to determine the correct scope for an assessment. The first paragraph is largely the same but now includes many references to virtualization. Right below it, though, is a block of text that should have every DLP vendor salivating.

At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data and ensuring they are included in the PCI DSS scope. To confirm the accuracy and appropriateness of PCI DSS scope, perform the following:

  • The assessed entity identifies and documents the existence of all cardholder data in their environment, to verify that no cardholder data exists outside of the currently defined cardholder data environment (CDE).
  • [sic]
  • The entity retains documentation that shows how PCI DSS scope was confirmed and the results, for assessor review and/or for reference during the next annual PCI SCC scope confirmation activity.

The emphasis on that text is deliberate. How else do you validate scope in this manner without tools that comb through your environment looking for cardholder data? If a customer told me they had people doing manual searches, I would have a huge problem with it. It is the equivalent of a human-powered SIEM, and we all know that putting people in charge of manually reviewing thousands of log entries will not work.

The main challenge entities that must comply with PCI will run into with DLP vendors is how the software suite is packaged. If the discovery and reporting pieces cannot be separated from the prevention and active-blocking pieces, companies will look elsewhere for the tools they need. Vendors that provide a crisp message with a clean, discovery-only option will benefit the most from this clarification in PCI DSS 2.0.
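To make the scope-confirmation requirement concrete, here is an added example of the discovery-and-reporting half of a DLP tool: a minimal cardholder data scanner. It is not code from the original post or from any vendor product. It walks a set of text files (constructed in-memory here so it runs offline), finds runs of 13 to 19 digits with optional space or dash separators, rejects candidates that fail the Luhn check (which removes most order IDs and trace IDs), and reports each hit masked to first six and last four digits against an assumed list of CDE path prefixes. The file contents, the paths and the CDE prefixes are all assumptions for illustration; the card numbers are the standard publicly documented test numbers.

```python
import re
from dataclasses import dataclass

# Assumed for this example: only paths under these prefixes are inside the
# currently defined CDE. Anything found elsewhere is a scope problem.
CDE_PREFIXES = ("/srv/cde/",)

# Constructed sample "files" (path -> contents) standing in for a file walk.
SAMPLE_FILES = {
    "/srv/cde/payments/batch.csv": "txn,pan\n1,4111111111111111\n2,5555 5555 5555 4444\n",
    "/home/alice/Desktop/refunds.txt": "customer 378282246310005 disputed\norder id 1234567890123456\n",
    "/var/log/app.log": "trace id 12345678901234567890 ok\n",
    "/srv/cde/notes.txt": "card 4111-1111-1111-1112 (typo)\n",
}

# A run of digits, optionally separated by single spaces or dashes. Greedy, so
# a 20-digit run is captured whole and then rejected on length rather than
# being sliced into a 19-digit false positive.
CANDIDATE_RE = re.compile(r"[0-9](?:[ -]?[0-9]){12,}")


@dataclass
class Finding:
    path: str
    masked_pan: str
    in_scope: bool


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every real PAN passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the PAN-like digit strings in text (separators stripped, Luhn-valid, 13-19 digits)."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """First six and last four only: the discovery report must not itself become cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(files: dict[str, str], cde_prefixes=CDE_PREFIXES) -> list[Finding]:
    """Scan every file and tag each hit with whether its location is inside the defined CDE."""
    findings = []
    for path, content in files.items():
        in_scope = path.startswith(cde_prefixes)
        for pan in find_pans(content):
            findings.append(Finding(path, mask(pan), in_scope))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Counts an assessor would want: total hits and hits outside the CDE."""
    return {
        "total": len(findings),
        "outside_cde": sum(1 for f in findings if not f.in_scope),
    }


if __name__ == "__main__":
    results = scan(SAMPLE_FILES)
    for f in results:
        flag = "" if f.in_scope else "  <-- OUTSIDE DEFINED CDE"
        print(f"{f.path}: {f.masked_pan}{flag}")
    print(summarize(results))
```

Two points carry over to real tooling. First, a discovery scan is only as good as its coverage: the example reads text files, while production discovery also has to look at databases, backups, mail stores and memory. Second, the output of the scan is exactly the kind of documentation the standard asks the entity to retain, which is why the report stores masked values rather than full PANs.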
