What is the best practice in terms of data locality in PCI DSS compliance world?
Can I store data PCI/PII data (nope, we are not storing any of the CC#, CVV, or any magnetic stripe data) from one country in another country?
Say for example, the merchant is doing his business in Europe (say France or Germany) and the merchant server and DB is in US, will that be considered against PCI compliance?
PCI doesn't mandate to keep the data locally. They just want you to ensure that the data, wherever stored, is according to PCI DSS regulations. Moving or storing the data outside of the country is generally regulated by the Govt. of that particular country. Like in the case of India, entities were storing the data outside of India but after the RBI(Reserve Bank of India, India's central banking institution, which controls the monetary policy of the Indian currency) regulation was passed to migrate the data (transaction data and its metadata) back to India, all the companies had to do so and provide a declaration.
Best practice is to use a hsm locally. This tokenize all sensitive datafields into hashes. Then the data can be distributed. All reverse lookups have to be authenticated and logged locally with the hsm.
Related
I would like to know if transaction payload in Hyperledger Fabric transaction flow is visible to the ordering nodes.
The goal is to create a private channel, where only the owners of the peers have the possibility to see the payloads and therefore what is saved in the ledger, while we would like to increase the decentralization of the network by distributing the orderer nodes to multiple organization, but it is important that these orderer nodes never know the transaction payload and what is saved on the blockchain.
In my opinion is something possible but I would like to be sure because is a crucial point of the architecture's design.
Orderers do see the data recorded in the ledger by a transaction. If it really isn't practical to have orderers owned by the same set of organisations that own network peers, you might be able to use private data collections:
https://hyperledger-fabric.readthedocs.io/en/latest/private-data/private-data.html
Data stored in private collections is shared directly between peers with permission to view that collection, and only a hash of the data is stored in the main ledger and visible to orderers.
I'm currently new developping large scale webservices and I'd like to retrieve IP addresses from visitors to make some stats about the country/state of origin.
Is it allowed to take IP addresses from clients for internal use?
As this is a kind of personal information, I wonder if it is legal or not retrieving it.
It's not possible for you not to know the client IP (because your site couldn't work without it), but you don't have to keep it. From a GDPR perspective, data is only "personal data" if it can be linked to an individual (even indirectly), so for example you could take the client IP, do some kind of GeoIP lookup on it (preferably local), and then increment a country counter. Then you can simply discard the IP, and the aggregate data you retain has no way of being connected back to an individual, so it's not personal data.
A very simple approach would be a table like this:
Country
Count
France
2
Germany
4
USA
10
So you would just bump the count for the country each time. This gives you the data you're after, but without any privacy impact for your users, and no GDPR exposure.
I am unsure of how I can use the SAP BW data. Is there a standard license-compliant way to export data from SAP BW to an Azure-server?
My company is using SAP, and I want to analyze our financial data in PowerBI or PowerPivot. My plan is to create different reports for different groups. The underlying data will however be the same for all and I would therefore benefit from setting up a centralized database where all relationships and meassures are created and stored (I think Analysis Services and a Storage Account in Azure would do the trick). I would then create PowerBI or PowerPivot reports that connect to the centralized database.
Through the SAP Excel-plugin Analysis for Office I can extract the data (I only need 2 Analysis-reports with a few 100 000 rows each). The data consists of one data set with a P&L with distributed income and costs / profit centre / month and one with production data / profit centre / month. 5 years of actuals and a few budget periods.
My concern is whether our license permits extraction of the data as described above. Our IT-people says a license for importing data into a different BI-system cost at least 50 000 EURO (which is way beyond my budget).
My questions are thus:
Is the discribed process permitted or forbidden according to standard SAP licence? I only use their own data extraction tool (Analysis) in a completely normal way and then do some analysis on that...
If forbidden, is there a work-around with the same end-result (centralized database with PowerBI & PowerPivot reports)? Are here for example different levels of data that are allowed to extract and levels that are not? How will I know what is ok and what is not ok?
PS.
I have already tried to connect PowerBI directly to the BW, but that gives me low flexibility and because of the the limited data volume I think an import would be advantageous anyhow (faster, easier to modify the data and combine it with other data sets and parameters).
DS.
I would say permitted as long as it's for yourself. But as soon as you start to distribute the exported data to other users, SAP would like to have a license fee, no matter HOW you distribute. Exception is if the other user already have an SAP license for the data. The key here is "indirect usage", quite extensivly discussed in media the last couple of years.
Your best bet is to study "indirect usage" and then contact your SAP account manager, since any approach here most likely violates the license agreement.
We need to store last 4 digits of credit card, (in order to let customers know which card they have used?) and expiry date (to notify customers that their card is about to expire) for our subscription/recurring payment based SaaS application.
are those two data storage allowed in PCI DSS? Please answer with reference/link to official website or document.
Please note: We are not storing Name On Card and CVV numbers
You should be ok w regard to PCI regulations.
This table lays out what data can be stored:
https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf
"If required for business purposes, the cardholder’s name, PAN, expiration date, and service code may be stored as long as they are protected in accordance with PCI DSS requirements."
-edit-
According to the bottom table in that doc, it says you should be able to store those elements. Since you are not storing full PAN, Regulation 3.4 shouldn't apply to the other elements.
If it helps, we got Level 1 certified and we store last 4 and expiration date in clear text. You don't need audited unless you are Level 1 (assuming Merchant here, not Service Provider).
From what I am reading within the PCI Data Storage Do's and Don'ts PDF (https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf)
You are able to store the expiration date, service code, and cardholder name so long as you do NOT store the PAN.
Direct quote from the PDF:
These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment. Additionally, other legislation (e.g., related to consumer personal data protection, privacy, identity theft, or data security) may require speci c protection of this data, or proper disclosure of a company’s practices if consumer- related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.
Do we need to encrypt all customer information like first name, last name,address or only those data which are related with card payment.
Encrypting any Personally Identifiable Information (PII) is actually a pretty good practice if you can do it.
Pages 7 & 8 of the PCI DSS security standard tell you what needs to be encrypted. The fields in the category of cardholder data all need to be encrypted if stored/transmitted with the PAN. This includes card holder name (among other data), but does not include the card holder address.