Is Cardholder Data Discovery a Requirement in PCI DSS 4.0?

Ever since the release of PCI DSS 1.0 in 2006, organizations attempting to comply with it have asked if performing data discovery is a requirement. In each subsequent release of the PCI DSS, the words “Data Discovery” have not been specifically stated, leading to an interpretation by many that it is not. Like many things, interpretation and establishing the standard’s intent are key to complying. Often, organizations working in partnership with a Qualified Security Assessor (QSA) will be guided appropriately on this topic. However, many organizations are not required to engage with a QSA and therefore are left to interpret the standard on their own. 

We have taken a deeper dive to explore what companies can and should begin doing today to meet all versions of PCI DSS compliance, including the anticipated v4.0.

Input versus the outcome

PCI DSS applies to all organizations, regardless of size, if they accept, transmit, or store payment card data.

PCI DSS 4.0 has several changes, but the new standards are not slated to be published until the end of March 2022, and PCI DSS v3.2.1 will stay in effect for two years as a transition period. Additionally, companies will have until March 31, 2025 to adopt new requirements that are identified as best practices in v4.0.

With that being said, it is still never too early to be proactive and begin preparing for the release of v4.0. Companies that will fair the best understand that requirements will come down to comparing literal interpretation versus achieving the intent.

The problem with literal interpretation is that it leads to assumption-based scoping. As mentioned, there is no contractual obligation for businesses to conduct “data discovery,” however, any business that takes compliance seriously would have to undergo the process by default.

How to meet requirement 3 of the current PCI DSS

Requirement 3 of PCI DSS v3.2.1 tells businesses that they must protect stored cardholder data. It specifically states:

“Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures, and processes that include at least the following for all cardholder data (CHD) storage:

• Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements;
• Specific retention requirements for cardholder data;
• Processes for secure deletion of data when no longer needed;
• A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.”

There are two ways to achieve these obligations.

The first option businesses have is to manually audit their cardholder data. The second option they have is to use third-party technology to help find the evidence they need to prove that they are in compliance with PCI DSS.

The PCI SSC has been reluctant to mandate specific technologies or vendors as it famously stated Tripwire in the original standard. Immediately people assumed that investing in Tripwire technology equated to compliance, which the council subsequently retracted in a follow-up version of the standard.

The same happened when Web Application Firewalls (WAF) was added to the standard. Immediately WAF vendors saw a gold rush of new clients.

Prepare for PCI DSS v4.0 with Ground Labs

It is time to work on achieving all versions of PCI DSS with data discovery. As with any requirement, focus on the intent of the law, not just the literal definition. By going the extra mile, your organization will be able to safely meet all compliance standards and be in a position to tackle evolving standards. Cardholder Data Discovery in particular is a necessary technology to establish without reasonable doubt that a given system does or does not meet PCI DSS v4 requirements. Ground Labs is a trusted partner to many businesses and has helped mitigate the loss of important cardholder data.

If you are ready to get ahead of PCI DSS v4, schedule a demonstration with one of our data discovery experts today!