Where Does Cardholder Data Flow?

By | January 5, 2017

Cardholder data flows everywhere. It goes through applications, systems, and network infrastructure devices. An inventory showing systems that store, process, or transmit cardholder data is a valuable tool when scoping an assessment.

  • An inventory of all systems that store, process, and/or transmit cardholder data must be maintained
  • The inventory may be in any usable format
  • Suggestion: Information to be maintained in the inventory could include:
    • System name
    • Cardholder data stored (list fields)
    • Reason for storage
    • Retention period
    • Protection mechanism
      • Including methods for protecting stored PANs per PCI DSS 3.4 (e.g. hashing, encryption, truncation)
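
The inventory fields suggested above can be kept in a simple CSV and checked automatically. The script below is an added example, not part of the original post: the column names, the `;` separator and the sample rows are assumptions made for illustration, and the accepted protection values are only the three methods named in the list above.

```python
import csv
import io

# Columns mirror the suggested inventory fields; the exact names are assumptions.
REQUIRED = ["system_name", "chd_fields", "storage_reason",
            "retention_period", "protection"]
# Protection methods the list above names for stored PANs (PCI DSS 3.4).
PAN_PROTECTIONS = {"hashing", "encryption", "truncation"}

# Constructed sample inventory (hypothetical systems, not real data).
SAMPLE_CSV = """system_name,chd_fields,storage_reason,retention_period,protection
pos-db-01,PAN;expiry,settlement,90 days,encryption
web-logs,PAN,,unknown,none
crm-app,cardholder name,customer support,1 year,
report-srv,PAN;cardholder name,chargeback handling,18 months,truncation
"""


def split_multi(value):
    """Split a ';'-separated cell into lower-cased, trimmed items."""
    return [v.strip().lower() for v in value.split(";") if v.strip()]


def audit_inventory(csv_text):
    """Return {system_name: [findings]} for inventory rows with gaps."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("system_name") or "").strip() or "<unnamed>"
        # Every suggested field must be filled in for the row to be usable.
        issues = [f"missing {col}" for col in REQUIRED
                  if not (row.get(col) or "").strip()]
        fields = split_multi(row.get("chd_fields") or "")
        protections = set(split_multi(row.get("protection") or ""))
        # A system that stores PAN needs at least one listed protection method.
        if "pan" in fields and not (protections & PAN_PROTECTIONS):
            issues.append("PAN stored without a listed protection method")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for system, issues in audit_inventory(SAMPLE_CSV).items():
        print(f"{system}: " + "; ".join(issues))
```

Rows that pass produce no output; each remaining row is a gap to resolve before the inventory is used for scoping.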
