What are PCI DSS Backup Requirements

For companies that handle and process credit cardholder data, including e-commerce, retail, or franchise, the Payment Card Industry Data Security Standards (PCI DSS) are the official security guidelines set by major credit card brands.

PCI DSS requirement 12.10.1 is primarily concerned with emergency response plans, but about reserves, it states:

Create an incident response strategy that will be implemented if a system is breached. Make sure the program addresses the following as a minimum:

  • Roles, responsibilities, and communication and communication strategies in the event of a compromise, including as a minimum notification of payment marks
  • Special incident response procedures
  • Business recovery and continuity procedures
  • Data backup operations
  • Analysis of legal requirements to report settlements
  • Scope and responses of all critical system components
  • Reference or inclusion of incident response procedures from payment brands

In addition, PCI DSS requirement 9.5 requires a data backup plan, disaster recovery plan, emergency operations plan, testing and revision processes, and implementation and data criticality analysis.

Part of the physically secure environment that hosts cardholder data is storing media backups in a safe location. Otherwise, media backups containing cardholder data can easily be lost, stolen, or copied for malicious purposes.

Therefore, PCI DSS Requirement 9.5.1 requires that you store media backups in a secure location, preferably an off-site facility such as an alternate or backup site or a commercial storage facility, and review the location’s security at least annually.

To comply with PCI DSS Requirement 9.5.1, you must visit the location of media backups at least annually to ensure data is still physically secure. These annual visits and audits allow you to address security concerns promptly and minimize risk.

What Should Be Considered When Outsourcing a Backup Solution?

Therefore, in a PCI-compliant data center where you host your backups, there should be limited access authorization, dual identity control access to the servers. It should also have appropriate physical security, including monitoring, recorded surveillance, alarm systems, and complete environmental control. Your PCI auditor will observe your testing procedures and the physical safety of the storage location.

See Also: PCI Compliant Data Center Requirements

Ideally, if you are outsourcing your disaster recovery solution, you can only partner with a disaster recovery provider that allows physical tours and inspections of facilities.

You should note that your PCI disaster recovery provider meets the following:

  • Documentation such as policies and procedures, process documents, training records, incident response, and data breach plans should be complete.
  • Provide evidence that all PCI compliance requirements are in place and are adequately compliant under their contract.

Why is PCI DSS Compliant Backup Important?

Data security encompasses network security, physical security, and file security and protects data from unauthorized access, use, alteration, disclosure, and destruction.

Data storage means keeping your data files in a safe place where you can easily access them. Data backup, by contrast, means saving additional copies of your data in physical or virtual locations separate from data files in storage.

See Also: PCI SIEM Requirements

PCI DSS compliant backup is the standard compliance required for all businesses that accept card payments. Security controls applied to cardholder data reduce payment card fraud.

Misuse of customer card data can result in hefty fines that often catch businesses when they least expect it, or worse, end the ability to accept card payments.

Off-site, an expertly maintained backup solution is the best way to ensure PCI compliance and ensure business continuity and protect your reputation in the marketplace.

It is essential to protect, store and back up your data regularly. If you lose your data, recovery may be slow, costly, or impossible. Ensuring the security of your data will help prevent:

  • Accidental or malicious damage or alteration of data
  • Theft of valuable data
  • Violation of confidentiality agreements and privacy laws
  • Premature release of data that could invalidate intellectual property claims
  • Publish before data is checked for accuracy and authenticity

Keeping reliable backups is an essential part of data management. Regular backups protect against the risk of damage or loss from hardware failure, software or media failures, viruses or hacking, power outages, or even human error.

The standard for success in protecting customer data, PCI DSS, is the industry standard of 12 security requirements to minimize the risk of data theft and fraud. It is governed by the PCI Security Standards Council (PCI SSC), and payment brands and buyers enforce compliance. Implementing the correct procedures for the PCI security standard rests with the business, not the customer.

Backing up payment card data is imperative for the smooth running of your business. Ignorance will leave companies to violate the PCI DSS standard, but ensuring compliance with the industry standard is easy with action.

Do Backup Service Providers Need to Be PCI DSS Compliant?

If your backups contain potential cardholder data, the backup service provider must be PCI compliant as this can affect the security of cardholder data. Your company should work with an approved service provider, as it is possible for the provider of backups to jeopardize cardholder data security.

See Also: What Are the PCI DSS Third-Party Service Provider Management Requirements

If your service provider encrypts your data, you should also know if your service provider can decrypting the backup information if they want it. To fully ensure the security of the card data, encrypting the data before sending it to backup will increase the security of your data.

If you as an organization store your media backups in an off-site facility, you should visit this facility and service provider at least once a year and make sure the data is still physically secure.

Data Backup Security Best Practices

Backups are an essential part of storage security and overall company resilience, but they are also a common source of security issues. Mismanagement of data backups is responsible for a large percentage of security breaches.

Not having a solid backup infrastructure or a good fallback plan when the going gets tough can have one of the worst possible security implications. Therefore, it is vital to include secure data backup guidelines as part of the overall enterprise information security program.

Security must be considered for all copies of your data, including your backup copies and archived copies.

  • Keep sensitive data off the Internet.
  • Store sensitive data on computers that are not connected to the Internet.
  • Restrict access to buildings and rooms where backup media is kept.
  • Allow only trusted people to access and troubleshoot backups.
  • Keep virus protection up to date.
  • Do not send your backups containing sensitive data via e-mail or FTP.
  • Use encryption if you need to send backups containing sensitive data.
  • Use strong passwords on files and computers.

Here are some of the most effective methods for keeping your data backups safe and secure from unwanted threats:

Include backup in your security strategy

Make sure your security policies include backup-related systems within their scope. Any security policy, from access control to physical security, system monitoring, and especially malware protection, also applies to direct data backups, and you should implement it.

Include backup systems in your Disaster Recovery strategy

Disaster recovery and incident response plans should include your data backup methods. In an environmental condition such as a ransomware epidemic, employee intrusion, or flood, data backups can be breached, compromised, or destroyed. Your good backups may be harmed if you don’t have a catastrophe recovery strategy in place for your backups. If you had a plan in place that specified how you would handle backups in the event of a disaster, it would be beneficial.

Limit access rights to data backups

Assign backup access rights only to individuals or organizations that need to be involved in the backup process. Access rights apply to actual backup files as well as backup software. Don’t overlook systems that provide backup access, both on the local network and in the cloud.

Consider different backup locations.

Store your backups off-site, or at least in another building. A natural disaster, fire, or other rare but effective events can wipe out your data center and backups in one fell swoop. A different location that will not be exposed to the same risks will keep your backups safe.

Limit physical access to data backups

Ensure physical security by using your backup files like any other critical hardware. If you choose to store your backups on backup servers, NAS, or even external drives or tapes, ensure that access to these locations is tightly secured. You can verify the physical safety of your backups through SOC audit reports, independent security assessment reports, or your audits.

Ensure backup media devices are protected

Although common practice today is to store backups on hard disks or solid-state drives, some backups are still stored on removable drives, tapes, and related media. In this case, you must use a fireproof and media-rated enclosure.

Many institutions store their backups in a fireproof safe, but often these safes are rated for paper storage only. Backup media such as tapes, optical discs, and magnetic drives have a lower burning and melting point than paper. A standard fireproof enclosure only serves to provide a false sense of security.

Evaluate your suppliers’ security measures

Know the security measures your data center, cloud, and courier service providers take to ensure backups stay safe in their hands. Good contracts with your service providers are not enough. Contracts offer fallback measures, but they do not prevent sensitive data from being exposed in the first place. Therefore, make sure that your supplier takes reasonable and consistent security measures.

Make sure your network is secure.

Store backups in a separate file system or cloud storage service located on a physically or logically separated network. Unique login credentials outside of the corporate directory service are ideal for helping minimize the risks associated with ransomware. Multi-factor authentication will add a layer of security to your backup environment.

Prioritize backup encryption

Encrypt your backups wherever possible. As with laptops and other mobile devices, backup files and media should be encrypted with strong passwords or other centrally managed encryption technology.

See Also: Encryption Key Management Essentials

Properly implemented and managed encryption acts as an excellent last layer of defense. Encryption can be beneficial when it comes to PCI compliance and data breach notification requirements. Also, the worst outcome is the loss or other alteration of your backup files, but it will be comforting to know that encrypted data cannot be read or modified.

Make extensive backups and test regularly.

Your backups are only as good as those on the backup media. First, make sure you back up everything necessary. Many backups are server- or application-centric, but it can be all that unstructured data scattered across your network and cloud and not backed up.

Also, test your backups occasionally, especially if you’re not getting any errors with your backups. Periodically test your backups to find out that your backups are not legitimate or that you have backed up incorrect data or no data at all.

Take a look at both your data backup processes and systems to identify where gaps in your backup processes are regularly or hire an unbiased third party to spot any shortcomings.

Surkay Baykara
Surkay Baykarahttps://www.pcidssguide.com
A passionate Senior Information Security Consultant working at Cyberwise. Over the past 15+ years my professional career has included several positions beginning as a developer and IT administrator, working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Cyberwise, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career including; CEH, CISA, CISSP, and PCI QSA.

More from author

VPN uses: 7 things you didn’t know a VPN could do

Virtual Private Networks, or VPNs, are mostly used for online privacy. But they are much more than that and can help you in various situations.

Understanding the Criminal’s Mind: Why You Must Be Careful Online

This article overviews the most common and most dangerous online crime methods and the people behind them.

IT staff augmentation: modern guidelines to boosting your team’s capacity and opportunities

This article offers modern guidelines for leveraging IT staff augmentation to boost your team's capabilities and unlock new opportunities.

Related posts

Latest posts

VPN uses: 7 things you didn’t know a VPN could do

Virtual Private Networks, or VPNs, are mostly used for online privacy. But they are much more than that and can help you in various situations.

Understanding the Criminal’s Mind: Why You Must Be Careful Online

This article overviews the most common and most dangerous online crime methods and the people behind them.

IT staff augmentation: modern guidelines to boosting your team’s capacity and opportunities

This article offers modern guidelines for leveraging IT staff augmentation to boost your team's capabilities and unlock new opportunities.

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!