Configure cardholder data storage locations
This section describes the requirements for cardholder data storage locations and how to configure them.
PA-DSS requirement 9 mandates that cardholder data must not be stored on a server that is connected to the internet.
To comply with this requirement, you must do one of the following:
- Disable access from the internet to the server that hosts the Safer Payments instances. Remote VPN access (PA-DSS requirement 10) is not considered access from the internet if the VPN tunnel does not terminate directly on a server that hosts the Safer Payments instances.
- Place the data storage directories on a separate server computer that is not connected to the internet and in a different network zone. If you want to use a storage area network (SAN) instead, additional measures might be needed to achieve PCI DSS compliance. Contact your local Qualified Security Assessor (QSA) for details.
- You must disable the locate commands for the separate server computer. See Disable locate for Safer Payments folders for details.
- Changes to the file storage locations take effect only after a restart of the Safer Payments instance. You can therefore move the files while the instance is offline.
Configuration steps
Safer Payments can store cardholder data in a number of locations. To identify and adjust these locations, complete the following steps.
- Go to the Safer Payments user interface.
- Click the Cluster tab.
- Select a cluster instance from the table.
- Scroll down to the Storage section.
- For each cluster instance, the following directory locations can contain encrypted cardholder data:

Table 1. Default cardholder storage locations

Path name (default)                   PAN stored as                                PAN contained in
Archive (arc)                         encrypted                                    archived cases
Configuration                         encrypted                                    conditions
Disk data cache (DDC)                 encrypted                                    attributes and indices
Email (eml)                           masked, PANs are potentially also encrypted  notifications and case actions
FLI buffer (fli)                      encrypted                                    FLI messages
Investigation (inv)                   encrypted                                    cases
Log (log)                             masked                                       log messages
User (usr)                            encrypted                                    user preferences
Relational database interface (rdi)   masked                                       DML statements

- You can now change the directory locations according to your configuration.
Note: The locations are different for each Safer Payments instance. You must adjust the locations individually for each cluster instance.
Exporting data using external Python programs
Safer Payments can be configured to feed data to external Python programs, which in turn can store that data on the local or a remote machine. If sensitive data is involved, additional measures have to be taken to protect that stored data. See Python code execution for details.
Data export jobs
Data export jobs allow you to export transaction data to a .csv file, for example to use it as training data for an external AI model. Because of this use case, data export jobs offer the option to export encrypted data such as PANs as clear text, masked, or hashed. See Figure 1 for an example of those settings.
The hashing algorithm used is SHA256. The job definition includes a salt that is added to the exported values before applying the hashing algorithm. This salt is usually randomly generated using the boost library but can also be generated by a user. The salt is stored encrypted on disk and can only be viewed in the Safer Payments user interface if the user has the global privilege to change job definitions. If a user doesn’t have the privilege, the salt is not delivered to the user interface and the field shows a random value with no meaning.
Whenever sensitive data is exported as clear text, you must make sure that the resulting export file is securely stored according to PCI DSS requirements 3.4.1, 3.5, 3.6, and all applicable subrequirements.
Whenever hashing is used together with masking, you must be aware that an attacker who gains access to the exported file and knowledge of the salt is able to reconstruct the plain text version of this data.
Simulation Query Data Export
The simulation query allows you to export transaction data to a .csv file. As with data export jobs, this data might be used to train an external AI model. For data that is encrypted within Safer Payments, it is possible to export the data as clear text, masked, or hashed.
The hashing algorithm that is used is SHA256, and as with data export jobs, the salt is usually generated randomly using the boost library but can also be specified by a user. The salt is stored encrypted on disk and can be accessed only within Safer Payments by users who have the privilege to see unmasked data. This can be set in the user account settings. Users without this privilege can only use reduced simulation query data export options.
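The following is an added illustration of the three export options described for data export jobs and the simulation query export, and of why the salt must stay secret when masked and hashed forms of the same field are exported together. It is not Safer Payments code. Assumptions not stated in this guide: the salt is prepended to the PAN before SHA-256, the masked form keeps the first 6 and last 4 digits visible, the salt is 16 random bytes, and the job definition is modelled as a dict of fields with an export mode each.

```python
import hashlib
import os

# Constructed sample value: a standard test PAN, not a real cardholder number.
SAMPLE_PAN = "4111111111111111"

def mask_pan(pan: str) -> str:
    """Masked form. Assumed format: first 6 and last 4 digits stay visible."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]

def hash_pan(pan: str, salt: bytes) -> str:
    """Salted SHA-256. Assumed construction: digest over salt || PAN."""
    return hashlib.sha256(salt + pan.encode("ascii")).hexdigest()

def export_value(pan: str, mode: str, salt: bytes) -> str:
    """The three export options offered for encrypted data: clear, masked, hashed."""
    if mode == "clear":
        return pan
    if mode == "masked":
        return mask_pan(pan)
    if mode == "hashed":
        return hash_pan(pan, salt)
    raise ValueError(f"unknown export mode: {mode}")

def luhn_ok(pan: str) -> bool:
    """Standard Luhn check-digit validation."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def candidate_count(masked: str) -> int:
    """PANs consistent with a masked value: 10**hidden, divided by 10 because the
    visible check digit pins the Luhn sum. This is all that protects the hashed
    column once the salt is known, which is why the salt is stored encrypted."""
    hidden = masked.count("X")
    return 10 ** hidden // 10

def export_policy_warnings(job: dict) -> list:
    """Lint an (assumed) job definition {'fields': [{'name': ..., 'mode': ...}]}.
    Flag clear-text exports and fields exported both masked and hashed."""
    modes = {}
    for f in job["fields"]:
        modes.setdefault(f["name"], set()).add(f["mode"])
    warnings = []
    for name, ms in sorted(modes.items()):
        if "clear" in ms:
            warnings.append(f"{name}: clear text; store file per PCI DSS 3.4.1, 3.5, 3.6")
        if {"masked", "hashed"} <= ms:
            warnings.append(f"{name}: masked+hashed; salt holder can recover hidden digits")
    return warnings

if __name__ == "__main__":
    salt = os.urandom(16)  # stands in for the randomly generated job salt
    for mode in ("clear", "masked", "hashed"):
        print(mode, export_value(SAMPLE_PAN, mode, salt))
    print(candidate_count(mask_pan(SAMPLE_PAN)), "candidates per masked+hashed row")
    print(export_policy_warnings({"fields": [{"name": "pan", "mode": "masked"},
                                             {"name": "pan", "mode": "hashed"}]}))
```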