Securing Backup data on file server
timcaldwell1
03-16-2008, 06:32 PM
We have a validated PABP application and have concerns as they relate to backups of the sensitive data contained in the encrypted Card Holder Data (CHD) database. Our validated application currently controls the backup and key management of its database to the same Encrypted File System (EFS) folder on the same server containing the active CHD database. Our concern is: in the event that a catastrophic event such as a drive or OS failure occurs and the drive containing the mission-critical data is unrecoverable, now what?
Our question is, what are other vendors doing to protect against catastrophic loss of data in a PABP/PCI environment? Is this purely a merchant's 'PCI' responsibility or one that a software vendor must ultimately control and document in its 'PABP Implementation Guide'?
Guidance based on current requirements and experience is gratefully appreciated.
jbhall56
03-17-2008, 09:16 AM
We have a validated PABP application and have concerns as they relate to backups of the sensitive data contained in the encrypted Card Holder Data (CHD) database. Our validated application currently controls the backup and key management of its database to the same Encrypted File System (EFS) folder on the same server containing the active CHD database. Our concern is: in the event that a catastrophic event such as a drive or OS failure occurs and the drive containing the mission-critical data is unrecoverable, now what?
Under PCI DSS requirement 3.6.4, you are required to change encryption keys annually. In addition, requirement 3.4.1.b requires that the encryption key is not stored on the local system. Based on your description, you are not in compliance with either of these requirements. Granted, you can work on compensating controls for each of these, but I would think that would be an exercise in futility as it's likely easier and cheaper to just comply with these requirements.
Don't be shocked by this. We are finding that a number of PABP compliant applications have PCI DSS implementation issues. It seems that software vendors have not gotten the message that PABP compliance does not mean PCI DSS compliance and vice versa.
Our question is, what are other vendors doing to protect against catastrophic loss of data in a PABP/PCI environment? Is this purely a merchant's 'PCI' responsibility or one that a software vendor must ultimately control and document in its 'PABP Implementation Guide'?
Key management needs to be put into your sphere of control. As such, it is your responsibility to properly protect and control the keys which would mean that in the event of a disaster, you would have the ability to recover your data.
lyalc
03-17-2008, 10:54 AM
The validation application is managing the storage encryption, yet not addressing key storage or backups in a PCI compliant manner.
Somehow, this smells like the Implementation Guide (or Implementation Documentation) not addressing these requirements/issues, which makes me question the PABP certification - it may actually not have met the documentation requirements, and thus isn't really certified imho.
lyalc
timcaldwell1
03-17-2008, 02:07 PM
Under PCI DSS requirement 3.6.4, you are required to change encryption keys annually. In addition, requirement 3.4.1.b requires that the encryption key is not stored on the local system.
Sorry if I was not clear in my original post; but we are indeed compliant with 3.6.4 and 3.4.1.b and this is documented in the 'Implementation Guide'.