
A3.2.5 A data-discovery methodology is implemented that:

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

A3.2.5 A data-discovery methodology is implemented that:

  • Confirms PCI DSS scope.
  • Locates all sources and locations of cleartext PAN at least once every three months and upon significant changes to the CDE or processes.
  • Addresses the potential for cleartext PAN to reside on systems and networks outside the currently defined CDE.

PCI DSS Reference: Scope of PCI DSS Requirements

Customized Approach Objective

This requirement is not eligible for the customized approach.

Defined Approach Testing Procedures

A3.2.5.a Examine the documented data-discovery methodology to verify it includes all elements specified in this requirement.

A3.2.5.b Examine results from recent data discovery efforts, and interview responsible personnel to verify that data discovery is performed at least once every three months and upon significant changes to the CDE or processes.

Purpose

PCI DSS requires that, as part of the scoping exercise, assessed entities identify and document the existence of all cleartext PAN in their environments. Implementing a data-discovery methodology that identifies all sources and locations of cleartext PAN on systems and networks outside the currently defined CDE, or in unexpected places within the defined CDE (for example, in an error log or memory dump file), helps to ensure that previously unknown locations of cleartext PAN are detected and properly secured.

Examples

A data-discovery process can be performed via a variety of methods, including, but not limited to, 1) commercially available data-discovery software, 2) an in-house developed data-discovery program, or 3) a manual search. A combination of methodologies may also be used as needed.

Regardless of the method used, the goal of the effort is to find all sources and locations of cleartext PAN (not just in the defined CDE).
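As an added illustration of option 2 above (an in-house data-discovery program), not code from WithPCI or the PCI SSC, the following Python scanner searches text such as application logs for candidate PANs, uses a Luhn (mod-10) check to discard digit runs that merely look like card numbers (timestamps, trace ids), and records only a masked value so the discovery report itself does not become a new cleartext PAN location. The sample log, the test-card numbers in it and the file/label names are constructed for this example.

```python
import re
from typing import NamedTuple

# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer run.
CANDIDATE = re.compile(r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){12,18}\d(?!\d)(?![ -]\d)")

class Finding(NamedTuple):
    source: str    # file name or label where the candidate was found
    line_no: int   # 1-based line number within that source
    masked: str    # first six and last four digits only; the full PAN is never stored

def luhn_valid(digits: str) -> bool:
    """Mod-10 check that rejects most random digit runs (timestamps, trace ids)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_text(source: str, text: str) -> list[Finding]:
    """Return masked findings for every Luhn-valid candidate in the text, line by line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append(Finding(source, line_no, mask(digits)))
    return findings

def scan_file(path: str) -> list[Finding]:
    """Read as latin-1 so binary content (e.g. a memory dump) does not abort the scan."""
    with open(path, encoding="latin-1") as fh:
        return scan_text(path, fh.read())

# Constructed sample log: lines 2 and 4 leak public test-card numbers; line 3 is a
# trace id that fails the Luhn check and must not be reported.
SAMPLE_LOG = """\
2024-05-02T10:15:31Z INFO  order=88213 status=approved
2024-05-02T10:15:32Z ERROR gateway timeout, body: {"pan":"4111 1111 1111 1111","exp":"12/26"}
2024-05-02T10:15:33Z DEBUG trace id 1234567890123456 ttl=30
2024-05-02T10:15:34Z WARN  retry card 5555-5555-5555-4444 customer=42
"""

if __name__ == "__main__":
    for f in scan_text("constructed-app.log", SAMPLE_LOG):
        print(f"{f.source}:{f.line_no}: possible cleartext PAN {f.masked}")
```

The Luhn filter reduces false positives but does not eliminate them, so findings still need review; scanning on the quarterly cadence and after significant changes, as the requirement states, is what turns this into a methodology rather than a one-off search.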

Sub-Requirements

purpose

Designated Entities must perform penetration testing at least annually and after significant changes.

compliance strategies

  • Annual and change-driven penetration tests

typical policies

  • Penetration Testing Policy

common pitfalls

  • Missed annual tests
  • No testing after changes

type

Technical/Process Control

difficulty

High

key risks

  • Unidentified vulnerabilities

recommendations

  • Use CREST or OSCP-certified testers
