Configure cardholder data storage locations

This section describes the requirements for cardholder data storage locations and how to configure them.

PA-DSS requirement 9 mandates that cardholder data must not be stored on a server that is connected to the internet.

To comply with this requirement, you must do one of the following:

  • Disable access from the internet to the server that hosts the Safer Payments instances. Remote VPN access (PA-DSS requirement 10) is not considered access from the internet, provided the VPN tunnel does not terminate directly on a server that hosts the Safer Payments instances.
  • Place the data storage directories on a separate server computer that is not connected to the internet and in a different network zone. If you want to use a storage area network (SAN) instead, additional measures might be needed to achieve PCI DSS compliance. Contact your local Qualified Security Assessor (QSA) for details.
Note:
  • You must disable the locate commands for the separate server computer. See Disable locate for Safer Payments folders for details.
  • Changes to the file storage locations take effect only after a restart of the Safer Payments instance, so move the files while the instance is offline.

Configuration steps

Safer Payments can store cardholder data in a number of locations. To identify and adjust these locations, complete the following steps.

  1. Go to the Safer Payments user interface.
  2. Click the Cluster tab.
  3. Select a cluster instance from the table.
  4. Scroll down to the Storage section.
  5. For each cluster instance, the following directory locations can contain encrypted or masked cardholder data:
    Table 1. Default cardholder storage locations
    Path name (default)                  | PAN stored as                             | PAN contained in
    -------------------------------------+-------------------------------------------+-------------------------------
    Archive (arc)                        | encrypted                                 | archived cases
    Configuration                        | encrypted                                 | conditions
    Disk data cache (DDC)                | encrypted                                 | attributes and indices
    Email (eml)                          | masked; PANs are potentially also encrypted | notifications and case actions
    FLI buffer (fli)                     | encrypted                                 | FLI messages
    Investigation (inv)                  | encrypted                                 | cases
    Log (log)                            | masked                                    | log messages
    User (usr)                           | encrypted                                 | user preferences
    Relational database interface (rdi)  | masked                                    | DML statements
  6. You can now change the directory locations according to your configuration.
    Note: The locations are different for each Safer Payments instance. You must adjust the locations individually for each cluster instance.

Exporting data using external Python programs

Safer Payments can be configured to feed data to external Python programs, which in turn can store that data on the local or a remote machine. If sensitive data is involved, additional measures have to be taken to protect that stored data. See Python code execution for details.

Data export jobs

Data export jobs allow you to export transaction data to a CSV file, for example to use it as training data for an external AI model. Because of this use case, data export jobs offer the option to export encrypted data, such as PANs, as clear text, masked, or hashed. See Figure 1 for an example of those settings.

Figure 1. Data export options for encrypted attributes

The hashing algorithm used is SHA256. The job definition includes a salt that is added to the exported values before the hashing algorithm is applied. This salt is usually generated randomly using the Boost library, but it can also be supplied by a user. The salt is stored encrypted on disk and can be viewed in the Safer Payments user interface only by users who have the global privilege to change job definitions. If a user does not have that privilege, the salt is not delivered to the user interface and the field shows a random value with no meaning. Treat the salt like a key: anyone who knows it can recompute the hash of a candidate PAN and compare it with the exported column.

Whenever sensitive data is exported as clear text, you must make sure that the resulting export file is securely stored according to PCI DSS requirements 3.4.1, 3.5, 3.6, and all applicable subrequirements.

Attention: Users without the global privilege to view unmasked data inside of the application can still gain access to such data in clear text by accessing an exported file, if that file is not properly protected.

Whenever hashing is used together with masking for the same attribute, you must be aware that an attacker who gains access to the exported file and knowledge of the salt can reconstruct the clear text version of this data. The masked value reveals all but a few digits of the PAN, which leaves a search space small enough to brute-force against the salted hash. PCI DSS makes the same point: where hashed and truncated versions of the same PAN are present in an environment, additional controls are required so that the two cannot be correlated to reconstruct the original PAN.

Simulation Query Data Export

The simulation query allows you to export transaction data to a .csv file. As with data export jobs, this data might be used to train an external AI model. For data that is encrypted within Safer Payments, it is possible to export the data as clear text, masked, or hashed.

Figure 2. Simulation query data export options for encrypted attributes

The hashing algorithm that is used is SHA256 and, as with data export jobs, the salt is usually generated randomly using the Boost library but can also be specified by a user. The salt is stored encrypted on disk and can be accessed within Safer Payments only by users who have the privilege to see unmasked data. This privilege is set in the user account settings. Users without this privilege can only use the reduced simulation query data export options.

Figure 3. Reduced Simulation query data export options for users without the privilege to see unmasked data
Whenever sensitive data is exported as clear text, PCI DSS Requirements 3.4.1, 3.5, 3.6, and all applicable subrequirements mandate that the export file is securely stored.
Attention: Users without the global privilege to view unmasked data inside the application can still gain access to such data in clear text by accessing an exported file, if that file is not properly protected.
Whenever hashing is used together with masking for the same attribute, you must be aware that an attacker who gains access to the exported file and knowledge of the salt can reconstruct the clear text version of the data: the digits left visible by masking reduce the candidates for the hidden digits to a small set that can be checked against the salted hash.
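The following added Python example illustrates the salted SHA256 export and the masking-plus-hashing caveat described for data export jobs and for simulation query exports above. It is not code from Safer Payments or its documentation. The concatenation order (salt prepended to the value), the masking format (first six and last four digits visible), the Luhn-based pruning, the constructed test PAN and the fixed salt are assumptions made for illustration; Python's secrets module stands in for the Boost generator the product uses.

```python
import hashlib
import itertools
import secrets
from typing import Optional

DIGITS = "0123456789"


def generate_salt() -> str:
    """Random per-job salt. Added example: secrets stands in for Boost."""
    return secrets.token_hex(16)


def hash_value(value: str, salt: str) -> str:
    """Salted SHA-256 for a hashed export column.
    Assumption: the salt is prepended to the value before hashing."""
    return hashlib.sha256((salt + value).encode("utf-8")).hexdigest()


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Assumption: masking keeps the first six and the last four digits."""
    hidden = len(pan) - keep_first - keep_last
    return pan[:keep_first] + "*" * hidden + pan[-keep_last:]


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test. Real PANs pass it, so an attacker can
    discard most candidate digit combinations without hashing them."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def export_row(pan: str, salt: str) -> dict:
    """One export row carrying both the masked and the hashed form of a PAN,
    which is the combination the caveat above warns about."""
    return {"pan_masked": mask_pan(pan), "pan_hash": hash_value(pan, salt)}


def recover_pan(masked: str, digest: str, salt: str) -> Optional[str]:
    """What an attacker holding the export file and the salt can do:
    enumerate only the hidden digits, skip Luhn-invalid candidates and
    compare the salted hash. Six hidden digits means at most 10**6 tries."""
    if "*" not in masked:
        return masked if hash_value(masked, salt) == digest else None
    first = masked.index("*")
    last = masked.rindex("*") + 1
    prefix, suffix = masked[:first], masked[last:]
    for combo in itertools.product(DIGITS, repeat=last - first):
        candidate = prefix + "".join(combo) + suffix
        if not luhn_valid(candidate):
            continue
        if hash_value(candidate, salt) == digest:
            return candidate
    return None


def demo() -> Optional[str]:
    # Constructed input: a well-known Visa test number and a fixed salt.
    pan = "4111111111111111"
    salt = "0f3a9c2e7b14d6a8"
    row = export_row(pan, salt)
    return recover_pan(row["pan_masked"], row["pan_hash"], salt)


if __name__ == "__main__":
    print("recovered:", demo())
```

Running the demo recovers the full PAN from the masked column and the hash column in a fraction of a second once the salt is known. Without the salt the same search cannot even start, which is why the salt must be protected with the same care as the export file itself, and why the two representations should not be exported side by side for the same attribute.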