Automated Discovery of Credit Card Data Flow for PCI DSS Compliance

Abstract

Credit cards are key instruments in personal financial transactions. Credit card payment systems used in these transactions and operated by merchants are often targeted by hackers to steal the card data. To address this threat, the payment card industry establishes a mandatory security compliance standard for businesses that process credit cards. A central pre-requisite for this compliance procedure is to identify the credit card data flow, specifically, the stages of the card transaction processing and the server nodes that touch credit card data as they travel through the organization. In practice, this pre-requisite poses a challenge to merchants. As the payment infrastructure is implemented and later maintained, it often deviates from the original documented design. Without consistent tracking and auditing of changes, such deviations in many cases remain undocumented. Therefore building the credit card data flow for a given payment card processing infrastructure is considered a daunting task that at this point requires significant manual efforts. This paper describes a tool that is designed to automate the task of identifying the credit card data flow in commercial payment systems running on virtualized servers hosted in private cloud environments. This tool leverages virtual machine introspection technology to keep track of credit card data flows across multiple machines in real time without requiring intrusive instrumentation of the hyper visor, virtual machines, middleware or application source code. Effectiveness of this tool is demonstrated through its successful discovery of the credit card data flow of several open and closed source payment applications.