I am having trouble locating a clear PCI DSS definition for "Storage" and whether or not Microsoft BizTalk could be considered within that definition. Could an overloaded BizTalk server or failed orchestration constitute storage even if only momentary?
Per above answer from Jonah B, what is your source for this statement? I understand the assumption, but don't know that I've seen that defined. – Todd Becker Apr 19 '17 at 19:06
2 Answers
I doubt you will find a specific definition of storage in the PCI DSS, since there are just so many different ways of perceiving when data is "stored". A quick poll of 3 other QSAs around me could not immediately reach consensus on whether BizTalk only stores information when overloaded, or even when it is operating normally. Cache files, etc., can all play a role even if you don't normally see or expect them.
One thing we all do agree on is that it ultimately does not matter in your scenario, based on the information you provided. PCI DSS applies to any system that processes, transmits or stores cardholder data. Clearly BizTalk is used to process and transmit information at the very least. If the system has the potential to store information when overloaded, it needs to be considered and all applicable controls put in place to safeguard cardholder information.
PCI DSS is concerned about the presence of cardholder or sensitive data on durable storage media, whether the functional purpose is temporary (as in a cache, a queue, or swap) or permanent.
Durable storage opens up additional opportunities for exposure, no matter what the purpose, and expands the scenarios in which failures can lead to compromise.
Use of durable storage for temporary purposes usually has to be accompanied by controls to prove that sensitive or cardholder data is securely wiped even in failure scenarios.