What are the most commonly accepted database security controls used to comply with PCI DSS? I'm concerned that since there is some subjectivity involved, our assessor won't be OK with our choices.
Ask the expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
If the database in question is contained within a cardholder data environment, you must comply with each and every provision of the Payment Card Industry Data Security Standard (PCI DSS). In such a case, review the PCI DSS guidelines thoroughly and ensure that the operating environment complies with each requirement contained within the standard.
That being said, there are some common steps that can ease the burden of achieving a PCI-compliant database. First, carefully consider whether it is necessary to store sensitive cardholder information, particularly account numbers, in the database. If business practices can be modified so that this information is not stored in electronic form, the number of actions that must be taken to maintain PCI DSS compliance will be reduced dramatically. For example, many organizations are choosing to outsource portions of their credit card operations and do not retain anything other than the last four digits of credit card numbers to simplify their compliance environments.
If an organization does choose to store credit card information in its database, payment account numbers must be encrypted at all times using strong encryption and appropriate key management practices that maintain the security of this highly sensitive information. Additionally, it is never permissible to store the security code associated with a credit card or the complete contents of the magnetic stripe on a credit card.
Beyond the steps required to protect credit card data, secure system administration practices must also be applied as described in PCI DSS to database servers, including implementing strong authentication, ensuring the use of encryption for non-console administrative access and maintaining a detailed log history for the organization's database servers. Databases must be implemented on servers dedicated to that function and placed in a network zone where they may not be directly accessed from the Internet.
Maintaining a PCI-compliant database is a complex undertaking and a responsibility that should not be assumed lightly. I strongly recommend that any organization undergoing this process carefully evaluate its business practices to determine whether the use of a database to store credit card information is absolutely necessary. If it is, engage in a methodical risk assessment and review the database security controls already in place against the PCI DSS requirements.
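The two data-retention points above (keep only the last four digits of the PAN, and never store the security code or magnetic stripe contents) can be checked mechanically before an assessment. The following is an added example, not code from the column or from PCI SSC: it scans constructed sample table rows for Luhn-valid cleartext PANs and for column names that suggest prohibited data (the column-name list and the sample rows are assumptions for illustration).

```python
import re
from typing import List, Sequence

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Column names that commonly hold data PCI DSS forbids storing after authorization
# (security code, full track contents, PIN data). Assumed list for this example.
PROHIBITED_COLUMNS = {"cvv", "cvv2", "cvc", "cid", "security_code",
                      "track1", "track2", "track_data", "pin", "pin_block"}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> List[str]:
    """Return Luhn-valid 13-19 digit PANs found in cleartext in a string."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

def mask_pan(pan: str) -> str:
    """Retain only the last four digits, as in the outsourcing pattern above."""
    return "*" * (len(pan) - 4) + pan[-4:]

def audit_rows(columns: Sequence[str], rows: Sequence[Sequence]) -> List[str]:
    """Report prohibited columns and any cleartext PAN found in the row values."""
    findings = [f"prohibited column present: {c}"
                for c in columns if c.lower() in PROHIBITED_COLUMNS]
    for rownum, row in enumerate(rows, 1):
        for col, val in zip(columns, row):
            for pan in find_pans(str(val)):
                findings.append(f"row {rownum} column {col}: "
                                f"cleartext PAN ending {pan[-4:]}")
    return findings

# Constructed sample data: well-known test card numbers, no real cardholders.
SAMPLE_COLUMNS = ["order_id", "customer", "card_number", "cvv", "notes"]
SAMPLE_ROWS = [
    (1001, "A. Example", "4111 1111 1111 1111", "123", "expedite"),
    (1002, "B. Example", mask_pan("4111111111111111"), "", "token tok_9f2c"),
    (1003, "C. Example", "5500000000000004", "", "call back at 555-0100"),
]

if __name__ == "__main__":
    for line in audit_rows(SAMPLE_COLUMNS, SAMPLE_ROWS):
        print(line)
```

Running it on the sample reports the `cvv` column and the two cleartext PANs (rows 1 and 3) while leaving the masked value and the phone number alone; point the same functions at exported rows or log files to find card data outside the intended tables.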
This was first published in October 2013