About NetBackup, PureDisk and PCI DSS

Article: 100005038
Last Published: 2011-02-11
Product(s): NetBackup

Problem

All entities that store, process, or transmit cardholder data are required to comply with, and be assessed annually against, the Payment Card Industry (PCI) Data Security Standard (DSS). This includes merchants (such as retailers), service providers, acquirers (banks), and card issuers, as well as third parties that share cardholder data and those that may affect the security of an entity's cardholder data. Additionally, software vendors developing payment applications that are part of the authorization and settlement process must comply with, and be assessed against, the Payment Application Data Security Standard (PA-DSS).

This statement presents the NetBackup product team’s interpretation of the PCI DSS and PA-DSS requirements as they apply to data protection in general and specifically to NetBackup and PureDisk.

Solution

The main aim of the PCI DSS and PA-DSS is to guard against the fraudulent use of payment cards by ensuring that cardholder data is protected against misuse. In practice this means controlling access to, and encrypting, any cardholder data, including but not necessarily limited to the Primary Account Number (PAN, the card number of up to sixteen digits) that is required for payment authorization and settlement.

In reviewing the PCI DSS and PA-DSS requirements in conjunction with Veritas's Lead QSA, the NetBackup product team recognizes that the PCI standards call for cardholder data held on backup storage to be protected through mechanisms such as access control and proper encryption, just as they do for primary storage. According to the PCI DSS and PA-DSS requirements, electronic cardholder data that is subject to PCI must be encrypted to a particular standard in ALL locations where it is stored, and backup media is one of those locations.

If the cardholder data being backed up is already appropriately encrypted, and the act of backing up the data does not decrypt it, no additional encryption is required to maintain PCI compliance.

Our conclusion is that the use of additional encryption on backups containing cardholder data should be at the discretion of the customer, who should validate that any encryption enforced on the primary storage remains in effect when the data is read by the backup utility and written to the backup media. Provided that working with the data does not decrypt it, the absence of backup encryption, or the level of backup encryption used, should not affect PCI compliance. Conversely, if cardholder data is stored unencrypted on primary storage (for example, relying solely on access controls there), backups of that data must be encrypted to meet the storage requirement.

Veritas would always advise customers who write backups to removable storage, which may be transferred to a remote location for storage, to encrypt that copy of their backup whether or not the data it contains is subject to regulations such as PCI. Both of NetBackup's tape encryption solutions, the Media Server Encryption Option and the Key Management Service (used with tape drives that implement SCSI T10 encryption), offer encryption mechanisms that meet the requirements of the PCI standard.

Veritas would also advise customers addressing this situation to discuss their specific circumstances and strategy with their PCI Qualified Security Assessor (QSA), PCI Internal Security Assessor (ISA), acquirer and/or card brands.
