Everything you need to know before kicking off a card scanning engagement.
Whether you’re a QSA, security partner, reseller or end user, it’s important to have the support you need to run a scanning engagement effectively. Quasar is constantly looking to provide customers, partners and interested parties (like you, reading this blog) with information that will help you gain the best value from QuasarScan as a product. At the end of the day, the safety of the people who trust organisations with their data comes first, so we want to make sure we give you information that guides your approach to card scanning.
On that note, we’ve developed a step-by-step guide to Quasar card scanning that we hope you find useful. So, without further ado, here’s step one.
1. Review documentation, conduct interviews and build an initial picture of the cardholder data environment.
Your first step should always be to gain an accurate picture of your entire cardholder data environment. One practical way to do this is to review documentation such as cardholder data flows as well as key policies and procedures that govern how staff handle and process sensitive information.
In our blog on card scanning, we highlighted how under-trained customer service agents may inadvertently mix credit card data with personal data like addresses or driver’s licence numbers. It’s important to make sure examples like this are identified and corrected, otherwise your organisation can never say it has a clean cardholder data environment.
Once you’ve reviewed data flows, policies and procedures, it’s important to conduct targeted interviews with key staff members to verify that what you’ve observed is an accurate picture of how data flows within your environment. You’d be surprised how often this isn’t the case, which is why it’s important to bring the personal touch to your review process.
And remember – always follow the data!
2. Identify ‘high-risk’ areas where cardholder data could be stored, processed or transmitted.
Once you’ve followed the data, you should be able to see your high-risk areas where card numbers could be present. A high-risk area could be a non-secure form on your website in which users are inadvertently entering credit card data. An example would be a university that asks international students to enter their visa number in a standard free-text box on its website. Plenty of people could get the wrong end of the stick and type in their Visa credit card number instead of their immigration visa number. This in turn presents a very real security risk!
This is an extreme example but it highlights an important fact. You could be storing sensitive information in high risk areas and not even know it, which is why identification is so important.
3. Identify surrounding risk areas.
Once you’ve identified your high risk areas, you can expand your search into surrounding risk areas. While these don’t always hold a high risk of inadvertently storing card data, they may interact with card data in some way, shape or form.
Even if a scan fails to bring up any risks in these places, it’s still better to have started your search as wide as possible and then narrowed it down during the scanning process. In fact, this is standard practice for Quasar and it helps to ensure all risks and vulnerabilities are identified as early as possible.
4. Understand your assets within your identified scope.
So, you’ve identified a broad scanning scope. What is the next step? It’s important to understand exactly what to scan, which could range from servers and databases to workstations or a combination of them. Whatever you scan, it’s important to know what they are and how to connect to them.
There are multiple tools available to support the discovery process, and by the end of this step, you should have a confirmed scope and a solid understanding of the assets you’ll be scanning.
Once you understand your assets within your identified scope, you can plan your scanning.
5. Install, configure & scan.
Next, you need to install, configure and run scans across your target scanning scope. Organisations aren’t all the same, so it doesn’t make sense to pay for a product that only works one way. Using flexible software such as Quasar is important here, as it lets you configure things in a way that works for your organisation.
That’s really all there is to say about this step – at least at a high level. While we could go into greater depth on this subject, that is better saved for its own blog post. And don’t forget, the Quasar support team is here to assist every step of the way!
6. Analyse results and seek to understand the ‘root cause’ of any cardholder data found.
Once you’ve run your scans, you’ll be able to look at your results. One of the positives about QuasarScan is that it scores each match on how likely it is to be a real card number, which helps limit the false positive problem: a 16-digit order or tracking number need not be treated the same as a genuine card number.
With the data laid out in a graded, easy-to-sort manner, you can quickly work through large volumes of results. Then take a good look at any cardholder data that has been located: where it is, why it’s there and where it came from. We call this understanding the ‘root cause’ of a cardholder data problem.
A root cause could be a broken or ineffective process, or it could be that you haven’t fully considered how people interact with the data at each touchpoint.
Once you understand the root cause, you can make moves to fix it.
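To make the scoring idea concrete, here is an added example of the kind of grading a card scanner applies to raw matches. It is illustrative code written for this post, not QuasarScan’s code, and it does not describe how QuasarScan actually scores. The issuer prefix table, the score weights and the sample text are all assumptions chosen to show the behaviour: a Luhn-valid number with card context nearby grades high, a 16-digit value typed into a "visa number" field grades low, and an all-zero reference grades low even though it passes Luhn.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A candidate PAN is 13-19 digits, optionally split by single spaces or hyphens,
# and not glued to other digits on either side.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Illustrative issuer prefix/length rules (assumption: a short, non-exhaustive
# table; a real scanner carries full BIN ranges).
ISSUER_RULES = [
    ("Visa", re.compile(r"^4"), {13, 16, 19}),
    ("Mastercard", re.compile(r"^(5[1-5]|2[2-7])"), {16}),
    ("Amex", re.compile(r"^3[47]"), {15}),
    ("Discover", re.compile(r"^(6011|65)"), {16, 19}),
]

# Words that raise confidence when they appear shortly before a candidate.
CONTEXT_RE = re.compile(r"\b(card|visa|mastercard|amex|cvv|cvc|expiry|exp|pan)\b", re.I)
CONTEXT_WINDOW = 40


@dataclass
class Finding:
    offset: int            # where the candidate starts in the scanned text
    masked: str            # first six / last four only; never log the full PAN
    issuer: Optional[str]
    luhn_valid: bool
    score: int
    grade: str


def luhn_check(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def identify_issuer(digits: str) -> Optional[str]:
    for name, prefix, lengths in ISSUER_RULES:
        if prefix.match(digits) and len(digits) in lengths:
            return name
    return None


def score_candidate(digits: str, issuer: Optional[str], luhn_valid: bool, has_context: bool) -> int:
    """Weights are an assumption for this example, not a standard."""
    score = 0
    if luhn_valid:
        score += 40
    if issuer is not None:
        score += 30
    if has_context:
        score += 20
    if len(set(digits)) == 1:               # 0000..., 1111...: Luhn-valid filler, not a card
        score -= 50
    return max(score, 0)


def grade(score: int) -> str:
    if score >= 70:
        return "high"
    if score >= 40:
        return "medium"
    return "low"


def scan_text(text: str) -> List[Finding]:
    """Find, score and grade PAN candidates, highest confidence first."""
    findings = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        issuer = identify_issuer(digits)
        valid = luhn_check(digits)
        before = text[max(0, m.start() - CONTEXT_WINDOW):m.start()]
        has_context = CONTEXT_RE.search(before) is not None
        s = score_candidate(digits, issuer, valid, has_context)
        findings.append(Finding(m.start(), mask_pan(digits), issuer, valid, s, grade(s)))
    findings.sort(key=lambda f: -f.score)
    return findings


# Constructed sample text (not real data): a test-range card number with card
# context, a 16-digit value entered in a "Visa number" field, a filler reference
# and a phone number that is too short to be a PAN.
SAMPLE_TEXT = """\
Order 8827 placed by J. Smith, card: 4111 1111 1111 1111 exp 09/27 cvv 123
Visa number 1234567890123456 (international student form)
Tracking reference 0000000000000000
Phone +61 412 345 678
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        print(f"{f.grade:6} score={f.score:3} issuer={f.issuer or '-':10} luhn={f.luhn_valid} {f.masked}")
```

Two design points carry over to any scanner you use: report masked PANs only, so the scan output itself does not become a new store of cardholder data, and treat the grade as a triage aid rather than a verdict. The low-graded "Visa number" line is exactly the university case from step 2; the field name alone is not evidence of a card, but it is a reason to go and look at what people actually typed there.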
7. Address the root cause with an enduring fix.
Now it’s time for targeted action! And no, this doesn’t mean you delete the offending data, put your feet up and enjoy the rest of your day. You need to make permanent fixes so you aren’t cleaning up the same problem again next year.
Once you’ve scored, analysed and condensed your data you can take targeted action. You’ve already found the root cause of an issue, so you can now use the evidence you’ve gathered to show decision makers how processes or security needs to change.
Think of it like this: Quasar is not a band-aid solution. It should be used to future-proof your security and reduce your organisation’s risk by helping you understand the root causes behind cardholder data turning up where it shouldn’t.
8. Re-scan to confirm the fix is effective.
Once you’ve made your fix, you need to re-scan the same scope to ensure all your changes have been effective. This should be the easiest step!
9. Complete regular scans to ensure there is no ‘scope creep’.
Always remember, card scanning needs to be a regular part of your security toolkit, and an essential one if you want to create a clean, documented and easily understood cardholder data environment. Once you’ve found an effective fix, the work continues: now you need to maintain the clean environment.
Put it this way, you don’t only clean your house once in its lifetime. It takes regular, weekly cleans to keep it that way and the same is true for your cardholder data.
Quarterly scans are recommended to confirm that no new cardholder data has appeared since the last scan. It’s much easier to identify risk early and resolve it before it becomes a serious problem!
Regular scans are also great for stakeholder engagement. If you keep stakeholders informed about the hard work you’re doing in this space, it can result in enthusiastic buy-in and the acknowledgement of the value that regular scans bring. And, of course, displaying an enthusiastic and proactive attitude towards compliance is never a bad thing!
Customers, too, will reward organisations that put customer security at the forefront of their operation. Doing so helps to build trust, which is essential for organisations such as charities (see this case study for an excellent example). Building trust and treating cardholder data with the respect it deserves can go a long way to helping you stand out in a competitive marketplace.
Well, there you go: a step-by-step guide to Quasar card scanning! Suffice to say we could have written a blog post on each of these steps, and that is probably something we’ll expand on in the future. However, we hope this high-level view is useful in getting set up at your organisation.
And as we’ve said a few times, Quasar and our partners are here to help every step of the way. So please do get in touch for all your card scanning needs!