
Open PCI Toolkit: Backup Server Categorisation

TL;DR

This guide explains how to correctly categorise backup servers within the Open PCI Scoping Toolkit (OPCT). Accurate categorisation is vital for a correct PCI DSS scope. We’ll cover identifying different types of backups and assigning them the appropriate risk level.

Categorising Backup Servers

  1. Understand the Types of Backups: First, you need to know what kind of backups you have. Common types include:
    • Full Backups: Complete copies of all data.
    • Incremental Backups: Copies only changes since the last backup (full or incremental).
    • Differential Backups: Copies changes since the last full backup.
    • Synthetic Full Backups: Created from a full and incrementals, without directly reading production data.
  2. Identify Backup Destinations: Where are your backups stored? This is crucial for categorisation:
    • On-site Storage: Disks, tapes, NAS devices in the same physical location as your PCI DSS environment.
    • Off-site Storage: Cloud storage, remote data centres, or physically transported media.
    • Third-Party Providers: Backups managed by an external company.
  3. Categorisation Rules (Based on OPCT): Use these rules to assign a category:
    1. Category 1 – In Scope: Backup servers that contain full copies of cardholder data and are directly accessible from the PCI DSS environment.
      • If backups can be restored directly into your production environment without significant modification, they’re likely Category 1.
      • This includes on-site full backups and off-site backups if restoration is straightforward.
    2. Category 2 – Potentially In Scope: Backup servers that contain cardholder data but require significant modification or reconstruction before being usable.
      • Examples include incremental/differential backups needing a full backup to restore, or synthetic fulls.
      • Also includes off-site backups where restoration is complex and requires manual intervention.
    3. Category 3 – Out of Scope: Backup servers that do not contain cardholder data.
      • This might include backups of operating system files or applications without sensitive information.
      • Verify this carefully! Even seemingly innocuous backups could contain traces of cardholder data.
  4. Third-Party Risk Assessment: If using a third-party backup provider:
    • Obtain their PCI DSS Attestation of Compliance (AoC) or Report on Compliance (RoC).
    • Review their scope to ensure your data is protected appropriately.
    • Document the shared responsibility model – what they are responsible for, and what you are.
  5. Documentation in OPCT: Record each backup server’s details within the toolkit.
    • Specify the type of backup (full, incremental, etc.).
    • Indicate the storage location (on-site, off-site, third-party).
    • Assign the correct category (1, 2, or 3) with clear justification.
  6. Example Scenario: You have a daily full backup stored on-site and replicated to AWS S3.
    • The on-site backup is Category 1 (full copy, direct restoration).
    • The AWS S3 backup is likely Category 2 unless you have an automated process that restores directly from S3 into production, which would make it Category 1. Any restoration that needs manual intervention keeps it in Category 2.
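The six steps above amount to a small decision procedure, so here is an added worked example that encodes the guide's categorisation rules (step 3), the third-party check (step 4) and the OPCT record fields (step 5), then runs them over the example scenario in step 6. This is illustrative Python written for this page, not code from the Open PCI Scoping Toolkit; the enum names, the `BackupServer` fields, the `categorise`/`open_issues`/`build_register` helpers and the server names in `INVENTORY` are all assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class BackupType(Enum):
    FULL = "full"
    INCREMENTAL = "incremental"
    DIFFERENTIAL = "differential"
    SYNTHETIC_FULL = "synthetic full"


class Location(Enum):
    ON_SITE = "on-site"
    OFF_SITE = "off-site"
    THIRD_PARTY = "third-party"


@dataclass(frozen=True)
class BackupServer:
    """One backup server as it would be recorded in the toolkit (field names are assumptions)."""
    name: str
    backup_type: BackupType
    location: Location
    contains_chd: bool          # verified to hold cardholder data, not assumed
    direct_restore: bool        # restorable into production without significant
                                # modification or manual intervention
    provider_aoc_on_file: bool = False  # only meaningful for third-party providers


def categorise(srv: BackupServer) -> tuple[int, str]:
    """Apply the guide's three category rules; return (category, justification)."""
    if not srv.contains_chd:
        return 3, "no cardholder data present (contents verified, not assumed)"
    if srv.backup_type is BackupType.FULL and srv.direct_restore:
        return 1, f"full copy of CHD, direct restoration from {srv.location.value} storage"
    if srv.backup_type is not BackupType.FULL:
        return 2, f"{srv.backup_type.value} backup needs reconstruction before it is usable"
    return 2, "full copy of CHD, but restoration requires manual intervention"


def open_issues(srv: BackupServer) -> list[str]:
    """Follow-up actions the guide asks for before the record is accepted."""
    issues: list[str] = []
    if srv.location is Location.THIRD_PARTY and not srv.provider_aoc_on_file:
        issues.append("obtain provider AoC/RoC and document the shared-responsibility model")
    if not srv.contains_chd:
        issues.append("re-verify backup contents for residual cardholder data")
    return issues


def build_register(servers: list[BackupServer]) -> list[dict]:
    """Produce one documentation row per server: type, location, category, justification."""
    register = []
    for srv in servers:
        cat, why = categorise(srv)
        register.append({
            "server": srv.name,
            "backup_type": srv.backup_type.value,
            "location": srv.location.value,
            "category": cat,
            "justification": why,
            "open_issues": open_issues(srv),
        })
    return register


# Constructed inventory: the guide's example scenario (on-site full + S3 replica)
# plus a third-party incremental and an OS-image backup with no cardholder data.
INVENTORY = [
    BackupServer("bkp-onsite-01", BackupType.FULL, Location.ON_SITE,
                 contains_chd=True, direct_restore=True),
    BackupServer("s3-replica", BackupType.FULL, Location.OFF_SITE,
                 contains_chd=True, direct_restore=False),
    BackupServer("vendor-incr", BackupType.INCREMENTAL, Location.THIRD_PARTY,
                 contains_chd=True, direct_restore=False),
    BackupServer("os-images", BackupType.FULL, Location.ON_SITE,
                 contains_chd=False, direct_restore=True),
]

if __name__ == "__main__":
    for row in build_register(INVENTORY):
        print(row)
```

Running it reproduces the scenario's outcome: the on-site full backup lands in Category 1, the S3 replica in Category 2 because restoration is manual, the third-party incremental in Category 2 with an open issue to collect the provider's AoC, and the OS-image backup in Category 3 with a reminder to re-verify its contents. Flipping `direct_restore` to `True` on the S3 replica moves it to Category 1, which is exactly the judgement the guide says depends on whether an automated restore path exists.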

Important Considerations

  • Encryption: Encrypt backups both in transit and at rest, regardless of category. This is a PCI DSS requirement.
  • Access Control: Restrict access to backup servers to only authorised personnel.
  • Regular Review: Re-evaluate your categorisation periodically (at least annually) or whenever there are significant changes to your environment.