In a separate post, we discussed Common Misconceptions around the Payment Card Industry Data Security Standard (PCI DSS). Building off those thoughts, this post will discuss an often-overlooked consideration when navigating the PCI DSS – disaster recovery (DR) and backups.
West Monroe Partners has extensive experience conducting security due diligence for M&A transactions and helping companies develop security strategies. As a result, we are familiar with the more prevalent PCI DSS missteps. One of these oversights is neglecting to consider DR and backup systems and environments when shaping an organization’s PCI DSS compliance posture. While such organizations may succeed in implementing PCI DSS requirements to protect cardholder data within their production environments, they often neglect to do the same for DR and backups.
To avoid this pitfall around DR and/or backup systems that store, process, or transmit cardholder data and reduce related risks, we’d recommend thinking through the following:
Minimize cardholder data in backups
If an organization has no business need for backing up cardholder data, then it shouldn’t be doing it in the first place. Backup processes should be evaluated to confirm that losing the backed-up cardholder data would actually impact the business, because any backup that holds cardholder data is part of an organization’s cardholder data environment. A larger cardholder data environment increases an organization’s security and compliance risks and should be avoided to the extent possible.
In the case that there is a justified business purpose for storing cardholder data within backups, any backed up cardholder data must be protected in accordance with the PCI DSS. These protections can include, but are not limited to, encrypting cardholder data stored within the backup assets, just as you would in production, and restricting access to the backups themselves (both physically and electronically).
In addition, specific retention periods for cardholder data within backups need to be defined and established according to business needs. Periodic purging processes should then be implemented to securely remove cardholder data once its retention requirements have been met. This approach minimizes the cardholder data footprint and the associated risks on an ongoing basis.
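The two rules above (protect cardholder data in backups as in production; purge it once retention expires) can be turned into a planning step that a scheduled purge job runs against the backup catalog. The following is an added example, not code from the original post or from West Monroe Partners; it assumes a constructed inventory of backup sets with hypothetical names and a per-dataset retention value, and it only decides what to do, leaving the actual secure deletion to the backup platform.

```python
"""Retention-driven purge planner for backup sets that hold cardholder data (CHD).

Added example. The inventory below is constructed sample data; in practice it
would be read from the backup catalog. Each set carries whether it contains CHD
(and is therefore in PCI DSS scope), whether it is encrypted at rest, and the
business-justified retention period for that dataset.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class BackupSet:
    name: str            # hypothetical dataset name
    created: date        # when the backup set was taken
    contains_chd: bool   # True -> part of the cardholder data environment
    encrypted: bool      # True -> CHD protected at rest, as in production
    retention_days: int  # retention defined for this dataset


# Constructed sample inventory (not real systems or backup names).
INVENTORY = [
    BackupSet("pos-db-full", date(2023, 1, 5), True, True, 90),
    BackupSet("pos-db-full", date(2023, 6, 1), True, True, 90),
    BackupSet("web-logs", date(2022, 12, 1), False, False, 400),
    BackupSet("legacy-export", date(2023, 2, 1), True, False, 30),
    BackupSet("archive-chd", date(2023, 6, 20), True, False, 365),
]


def plan_purge(inventory, today):
    """Classify each backup set into exactly one action.

    'purge'     : in scope and older than its retention period -> securely delete
    'remediate' : in scope, still within retention, but not encrypted -> fix now
    'keep'      : within retention and protected, or contains no CHD at all
    Returns a dict of lists of "name@created" identifiers keyed by action.
    """
    plan = {"purge": [], "remediate": [], "keep": []}
    for b in inventory:
        ident = f"{b.name}@{b.created.isoformat()}"
        expired = (today - b.created).days > b.retention_days
        if not b.contains_chd:
            plan["keep"].append(ident)          # out of PCI scope; retention is a business matter
        elif expired:
            plan["purge"].append(ident)         # retention met: remove the CHD footprint
        elif not b.encrypted:
            plan["remediate"].append(ident)     # violates "protect like production"
        else:
            plan["keep"].append(ident)
    return plan


if __name__ == "__main__":
    for action, sets in plan_purge(INVENTORY, date(2023, 7, 1)).items():
        print(action, sets)
```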
Make disaster recovery PCI DSS-compliant too
DR environments that store, process, or transmit cardholder data, or are connected to production systems that do, must also meet PCI DSS requirements, as they are within the scope of an organization’s cardholder data environment. Accordingly, all PCI DSS-required controls needed to establish a compliant production environment, such as log monitoring and management, intrusion detection/prevention systems (IDS/IPS), and policies and procedures, must also be in place for the DR environment. Omitting PCI DSS-required security controls from an in-scope DR environment increases the likelihood of a data breach.
The PCI DSS applies to any system or environment that stores, processes, or transmits cardholder data. Backups and DR are included within the scope of PCI DSS if they interact with cardholder data. Ultimately, companies accepting cardholder data need to make sure that their PCI DSS compliance posture encompasses all relevant areas within their organization. Failure to implement PCI DSS-required controls may subject an organization to industry fines and increase required remediation costs in the event of a data breach that leads to a loss of cardholder data.
In a parallel blog series, we discuss how we helped a client migrate their customer-facing software as a service application to Microsoft Azure. For information specific to that endeavor’s backup strategy, please refer to our post Backing Up To the Cloud From the Cloud.