When it comes to the Payment Card Industry (PCI) audit, most companies quickly realize that managing these environments and having them tested on an annual basis can be a daunting task. Having conducted PCI penetration testing for over 10 years, Clear Skies Security has seen a lot of PCI environments and, in turn, has found a lot of security vulnerabilities within them. From our experience, we believe one of the best ways to maintain a PCI compliant infrastructure over the long term is to minimize the scope of in-scope systems and keep the Cardholder Data Environment (CDE) as small as possible.
A smaller CDE makes the security requirements that apply to it easier to manage, and therefore reduces the overall risk to the organization. To help organizations minimize their CDE, DataDivider has developed a technology they call Virtual Keypad. “DataDivider’s Virtual Keypad running within DataDivider’s Secure Browser provides the device user the ability to enter numeric digits by mouse or touch without exposing these digits to the local device.” This would keep the local system out of PCI scope, since no cardholder data is ever stored, processed, or transmitted on the device even though the device still takes part in the overall payment process. Clear Skies Security had the opportunity to test and validate DataDivider’s Virtual Keypad functionality in a realistic penetration test. This paper provides a summary of the testing that was performed and the results of that testing.