For any business that handles credit card data, penetration testing has been a requirement since…
Where’s the Primary Account Number (PAN)?
“Where’s Waldo?”, a source of entertainment and amusement for many children and adults alike over the years, is a book made up of crowd scenes where you have to find Waldo, a character with round glasses and a pom-pom on top of his head.
So what does this game have to do with PANs? Well first, let’s clarify what is meant by a PAN. A PAN (primary account number) is another name for credit card number. What we will discuss could also be applied to a company’s “Crown Jewels”– in this particular instance referring to electronic assets (such as customers’ personally identifiable information, health records, intellectual property) that are of high value to an organization and need to be protected appropriately.
Finding the PAN initially can be time and resource consuming, however once done and documented the time for subsequent discovery can be quite reduced.
There are a number of things that an organization must do when determining how best to protect an asset. In this case, because I am going to talk about protecting the PAN, which is mandated by the Payment Card Industry Data Security Standards (PCI DSS), I am not going to get into all of the steps to determine how a company will protect all of the various Crown Jewels they might have. There are many models out there to develop an Enterprise Security Architecture – one that I like is SABSA, which I will let you research on your own.
Brief explanation of PCI DSS
PCI DSS is a set of requirements that continually evolves, developed and published by the PCI Security Standards Council (PCI SSC). The Council was launched in 2006 and was founded by American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc., each of which has agreed to incorporate the PCI DSS as the technical requirements of its own data security compliance program.
Since its formation the standard has evolved, and the most current version as of December 2015 is Version 3.1. These are the baseline requirements that merchants and service providers must meet if they store, process or transmit cardholder data (the PAN, together with the cardholder name, expiry date and service code) or the sensitive authentication data found on a card's chip or magnetic stripe. They may also apply to service providers that can affect the security of their clients' cardholder data. For a more detailed description and documentation, go to the PCI Security Standards Council website, where you will find documentation to answer almost any question you might have.
Finding the PAN: Defining a Methodology
Having laid the basic groundwork, let me turn to the problem most organizations have when they determine that they must meet the PCI DSS requirements: where's the PAN? The PAN is the defining element. Where it is stored, processed or transmitted determines which parts of the organization are in scope for review, which requirements apply, and whether they are being met. The in-scope environment for this type of assessment is called the "cardholder data environment", or CDE for short. Welcome to the world of acronyms. Bear in mind that systems connected to the CDE, or that could affect its security, are also in scope, which is why the scope tends to grow as the search proceeds. As with trying to find Waldo, a methodology must be developed to find all the locations of the PAN. In Where's Waldo, one strategy might be to start at the top left of the page and scan from left to right, slowly moving down inch by inch. Another might be to look for the distinctive colors. Everyone has their favorite way of doing it; there is no right or wrong way, and if one way doesn't work, a person may employ another. Just be sure to document the process you are going to follow and then follow it. Change it as required, but make sure to update the documentation!
Locating the Ingress and Egress points
Discovering the location of a PAN is the same: there is no one right methodology. One of the more common methods I use with clients is to determine where the PAN enters and leaves the organization, the ingress and egress points. Ingress is typically a card terminal, a checkout page, a call center or a mailed order form; egress is typically the connection to the acquirer or payment processor. This sounds easy, right? Generally it's not. To determine where these are, the team (yes, I said team) will have to talk with people and review both the processes and the technology used by them. A team really is needed for this discovery process. It doesn't need to be large, but it should have some key long-term members who bring others on board as required. And be aware that this work requires detective work, looking for clues and anomalies, in a way, looking for Waldo.
And the Investigation Continues
- One of the first things I like to do is find out who knows about the various processes regarding payment card processing. Notice I didn't say PAN, but actual payment card processing. The PAN is only one component of a payment card, and if you ask someone involved in the process where the PAN comes in and goes out, the majority of people will not have a clue what you are talking about. Ask them where credit cards are used and answers will be forthcoming. One of the best places to start this discovery process is the Finance Department, or whichever department acts as one. They deal with the money and should be able to explain how the transaction amounts from a credit card get into the organization's bank account. After discussions with them, document the outcome and have them verify what has been documented.
- Working with Business Analysts, if the organization has them, is another good avenue for mapping these business processes. As they are usually the people responsible for translating business requests and requirements into language computer people can act on, they generally have a good understanding of the various processes. They may also have documentation that will be of use. Again, document what you found and where you found it.
- And then we come to the Information Technology (IT) people. They can be an excellent source of help to find where the PANs are. Most of the IT people I work with aren’t all that familiar with the business processes related to payment card processing, but they sure do understand how those bits and bytes get moved around, are stored, who has access to them, etc. As the majority of the requirements in the PCI DSS are related to technology, these are the folks that will provide a lot of input into determining whether requirements are being met or not. You want to be nice to them – they are invaluable in this process and can help with the needed detective work. Bringing in some of their favorite pastries and fresh coffee from their favorite coffee place has helped move things along in my experience. There is a stereotype out there that IT people live on Red Bull and other energy drinks, but believe it or not, IT people are just like everyone else – they just get to live with more acronyms than everyone else. Now, being a geek who has been around for a while, I can tell you that generally if you ask an IT person for documentation, there are downcast eyes, foot shuffling and some murmuring that is extremely hard to understand. However once translated, it usually means: “There isn’t anything right now. I meant to do it. It’s on my to-do list”. So it will be up to the person doing the discovery to make sure they document what they’ve found and also the location it was found in.
So this is great! You’ve discovered where the card data is coming in: swipe machines, eCommerce sites, and call centers, as well as where it is leaving the organization. Now what?
Well, one of the requirements is that there should be a network diagram of the CDE as well as a diagram showing how cardholder data flows through that network. Developing these refines the scope, and a refined scope makes it clear which people, processes and technology need to be assessed. Notice that I mentioned processes; you are probably thinking that I made a typo, but I did not. There may be other processes in the organization that do not directly deal with cardholder data but can affect its security. A real-life example is someone in the accounting area who was in charge of making sure recurring payments were handled correctly. They weren't comfortable using the main application to access the card information and couldn't get the reports they needed, so they cut and pasted the relevant cardholder records into an Excel spreadsheet and saved it on a shared network drive. And they named it "Credit Card Information for Recurring Payments". See anything wrong with this scenario? All of a sudden the network drive came into scope for the PCI DSS, as did every person and workstation that could access it. Stored PAN must be rendered unreadable wherever it sits (PCI DSS Requirement 3.4), so an unencrypted spreadsheet like this is a finding in its own right, not just a scoping surprise. The practical fix is usually to securely delete the file, give that person the report they actually needed from the system of record, and make sure that report carries a truncated or tokenized PAN rather than the full number.
Some of the locations for this information will be quite apparent from developing and refining the network diagrams and associated data flow diagrams. Technology such as data discovery scanners can help locate potential caches of card numbers: they search file shares, databases, mailboxes and workstation disks for digit strings that look like PANs and then validate the candidates with the Luhn check digit. Be aware of two caveats. Scanners produce false positives (order numbers and account identifiers can pass the check by chance) and false negatives (PANs in encrypted, compressed, image or unusually encoded files are invisible to them), so every hit needs a human to confirm it. And the scanner's own output is cardholder data if it contains full numbers, so configure it to report masked values only, or you have just created another cache to find. Other locations will be the result of detective work. I do like technology, but sometimes old-fashioned 3D, in-person meetings yield much better results. Listening to people describe how they access and use cardholder data can reveal other undocumented, unofficial processes that have developed over time and haven't changed because "that's the way we've always done it".
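To show what such a scanner does at its core, here is an added example of my own, not a tool the post describes. It pulls digit runs out of text, filters them by the major brands' issuer prefix ranges and lengths, validates with Luhn, and reports only masked values. The sample "spreadsheet" text is constructed for this example and uses the card brands' published test numbers rather than real accounts; the prefix table and the last-four masking are my assumptions about what a scanner should do, not something the post specifies. It also handles one edge case the naive regex misses: a date typed next to a card number with a single space fuses into one long digit run, so the scanner slides windows over each run instead of testing the run as a whole.

```python
"""PAN discovery scanner: regex candidates, issuer-prefix filter, Luhn check,
masked reporting.  Added example, not from the original post; SAMPLE is
constructed and uses the brands' published test numbers, not real accounts."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Runs of digits optionally separated by single spaces or dashes, so
# "4111 1111 1111 1111" and "4111-1111-1111-1111" are each one candidate.
_CANDIDATE_RE = re.compile(r"\d(?:[ -]?\d)+")

# (brand, low prefix, high prefix, valid lengths) for the major brands.
# Assumed IIN table for this example; a real scanner would keep it current.
_IIN_RULES = [
    ("Visa", 4, 4, (13, 16, 19)),
    ("Mastercard", 51, 55, (16,)),
    ("Mastercard", 2221, 2720, (16,)),
    ("American Express", 34, 34, (15,)),
    ("American Express", 37, 37, (15,)),
    ("Discover", 6011, 6011, (16, 19)),
    ("Discover", 65, 65, (16, 19)),
    ("JCB", 3528, 3589, (16, 19)),
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    brand: str
    masked: str  # never the full PAN, or the report becomes a new cache
    length: int


def luhn_ok(digits: str) -> bool:
    """Mod-10 check digit validation used on payment card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_for(digits: str) -> Optional[str]:
    """Brand whose IIN prefix range and length rules the digits satisfy."""
    for brand, lo, hi, lengths in _IIN_RULES:
        width = len(str(lo))
        if len(digits) in lengths and lo <= int(digits[:width]) <= hi:
            return brand
    return None


def mask(digits: str) -> str:
    """Keep only the last four digits (PCI DSS 3.x Req 3.3 permits at most
    first six and last four when a PAN is displayed; last four is safer)."""
    return "*" * (len(digits) - 4) + digits[-4:]


def _pans_in_run(digits: str, line_no: int) -> List[Finding]:
    """Slide 13..19-digit windows over a digit run.  A run can be longer than
    one PAN (a date fused onto a card number by a single space, say), so each
    offset is tried, longest window first; digits of a confirmed PAN are skipped."""
    out: List[Finding] = []
    i = 0
    while i < len(digits):
        hit = None
        for n in range(19, 12, -1):
            window = digits[i:i + n]
            brand = brand_for(window) if len(window) == n else None
            if brand and luhn_ok(window):
                hit = Finding(line_no, brand, mask(window), n)
                break
        if hit:
            out.append(hit)
            i += hit.length
        else:
            i += 1
    return out


def find_pans(text: str) -> List[Finding]:
    """Scan text line by line; return masked findings in document order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE_RE.finditer(line):
            findings.extend(_pans_in_run(re.sub(r"[ -]", "", m.group()), line_no))
    return findings


# Constructed stand-in for the "Credit Card Information for Recurring Payments"
# spreadsheet from the post.  Lines 4-6 are decoys: a Visa-looking number that
# fails Luhn, a date fused onto a real number, and non-card digit strings.
SAMPLE = """\
Credit Card Information for Recurring Payments
Smith, J.,  4111 1111 1111 1111, exp 03/17, monthly
Lee, A.,    378282246310005, exp 11/16, quarterly
order-ref 4000-0000-0000-0001 (Visa prefix, fails Luhn)
invoice 2015-12-01 5555555555554444 paid
phone 555-123-4567, loyalty account 70001234567890123
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE):
        print(f"line {f.line_no}: {f.brand} {f.masked}")
```

Run against SAMPLE it reports three findings (lines 2, 3 and 5) and nothing for the decoys. The prefix filter and Luhn together are a filter, not proof: a random digit string still passes Luhn one time in ten, so a hit from a production scan goes to a person who knows the system before it goes into the scope document. Feeding it a real file share means walking the tree and decoding each file type, which is what commercial scanners add on top of this core.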
So this has gone on a little longer than I expected and has only scratched the surface of looking for Waldo... er, I mean the PAN. It is, however, a good starting point and can be used to help get the process underway.
Remember, you may be looking for the proverbial needle in the haystack, so you should have a structured approach to this discovery. I've seen a number of cases where discovery started at the technical level and worked its way out to the processes. I've also seen the opposite, where the processes are discovered first and then worked down to the technical level. How it works and progresses for you will depend on the level of knowledge of those driving the discovery process.
So after reading this and going out and looking for the PAN in your environment, which is easier – looking for Waldo or looking for the PAN?