Blog Post
Is Cardholder Data Discovery a Requirement in PCI DSS 4.0?
Ever since the release of PCI DSS 1.0 in 2006, organizations attempting to comply with it have asked if performing data discovery is a requirement. In each subsequent release of the PCI DSS, the words “Data Discovery” have not been specifically stated, leading to an interpretation by many that it is not – until now.
Version 4.0 of the standard explicitly requires organizations to revalidate their scope at least every 12 months. No longer is it left to interpretation to establish the standard’s intent, now scope validation is established as fundamental to complying with the standard. The most comprehensive approaches to scope validation will include the use of data discovery products like Enterprise Recon PCI. In fact, Appendix 3, the Designated Entity Supplemental Validation, mandates the use of data discovery solutions as part of the scoping effort.
Organizations working in partnership with a Qualified Security Assessor (QSA) may be guided on the need for data discovery. However, many organizations that are not required to engage with a QSA will benefit from additional understanding to interpret the updated requirements of the standard.
The Countdown to v4.0
PCI DSS applies to all organizations, regardless of size, if they accept, transmit, or store payment card data, or if they could affect the security of the data.
PCI DSS 4.0, published at the end of March 2022, has several changes. PCI DSS v3.2.1 will stay in effect for two years as a transition period. PCI DSS v.3.2.1 will be retired on March 31, 2024 after which time all entities managing payment card data will need to be assessed to v4.0 of the standard.
With that being said, it is still never too early to be proactive and begin preparing for the release of v4.0. Companies that will fare the best understand that their requirements will need to be understood as early as possible within the context of the new standard.
So, where does data discovery play a more significant role?
Data Discovery in PCI DSS 4.0
Data discovery solutions are an effective way to achieve the new scope validation requirements of PCI DSS 4.0. Regular data discovery scanning supports a number of other controls across four requirements of the updated standard.
The table below shows where you can gain a compliance advantage using periodic data discovery scanning solutions such as Enterprise Recon PCI or Card Recon.
| Requirement 1: Install and maintain network security controls | |
| 1.2.3. 1.2.4. | Data discovery scanning can be used to validate the network boundaries of the CDE, as well as demonstrating that data flows map account data accurately. |
| Requirement 3: Protect stored account data | |
| 3.2.1. 3.3.1. 3.3.2. 3.3.3. 3.4.2. | Data discovery scanning identifies any cardholder data including sensitive authentication data wherever it is stored. Periodic discovery scanning can be used to confirm that data has been deleted when it has exceeded its retention period. Organizations that store sensitive authentication data must be able to verify that it is removed following authentication, or when no longer required. |
| Requirement 6: Develop and maintain secure systems and software | |
| 6.5.2. 6.5.5. | Verifying that a significant change has not impacted scope boundaries, and that CHD is not present in non-production environments is supported by data discovery scanning. |
| Requirement 12: Support information security with organizational policies and programs | |
| 12.4.2. 12.5.1. 12.5.2. 12.5.3. 12.10.7. | Data discovery scanning can be used to confirm that operational procedures involving cardholder data are being followed so CHD remains in the CDE. As part of periodic scope revalidation and following organizational change, data discovery scanning is essential to confirm in-scope systems, network boundaries, data flows and data repositories. Advanced discovery solutions support remediation-in-place for data found in unexpected locations. |
Prepare for PCI DSS v4.0 with Ground Labs
It is time to work on enhancing your PCI DSS compliance approach with data discovery. As with any requirement, focus on the intent, not just the literal definition. By going the extra mile, your organization will be able to safely meet your compliance obligations and be able to tackle the evolving standard.
If you are ready to get ahead of PCI DSS v4, schedule a demonstration with one of our data discovery experts today!
