Protecting Cardholder Data: The Third Step in PCI Compliance

More and more consumers are becoming wary of giving out their personal information. And justifiably so. The lessons people learned from letting scammers get hold of their data were quick and painful. But recently consumers have started questioning the safety of using credit cards even with long-established merchants.

A lot of this hesitation stems from the recent stories about serious security breaches at large, national companies. If these companies aren't safe, a consumer might think, then who is?

For this reason the Payment Card Industry instituted the PCI DSS. They knew that if consumers continued to lose confidence in the industry, they could be in a lot of trouble. PCI compliance, then, is required of any merchant who collects, stores, processes, or transmits credit card data. Originally each of the major credit card companies had their own requirements for data security, but they soon realized that a single standard for PCI compliance was likely in everyone's best interests.

The third requirement for PCI compliance says simply: "Protect stored cardholder data." At first glance this seems an overly broad and simplistic requirement. On further inspection, though, it is one of the most important requirements of the PCI DSS, and the individual security controls that make it up are very specific and deserve a lot of attention.

Data encryption is essential to this requirement. There are any number of security measures that should be in place on your system, but unfortunately nothing is perfect. And if a hacker should happen to bypass those measures, proper encryption ensures that all they find is unreadable ciphertext, useless without the key.

The third requirement for PCI compliance also stipulates that a merchant should keep data storage to a minimum. A data retention and disposal policy should be strictly maintained. This is because any data that is held beyond legitimate business or legal need creates an unnecessary risk, and makes you a target for many hackers.

PCI compliance also means that you do not store certain authentication details at all. Even encrypted, these details must not be stored after authorization. This includes PINs and card validation codes. The full content of any track on the magnetic stripe is also prohibited. In the hands of a criminal, any of these would give them what they need to reproduce or sell valid credit card accounts. Just don't do it.

The PAN must also be sufficiently masked. This means that only certain digits can ever be displayed on receipts, faxes, or other places where unauthorized people can see them. The PAN should be rendered unreadable wherever it is stored. A number of requirements deal with this aspect because the PAN is used in many ways, by people who may or may not need to see it. It is vitally important to maintain security around this data.
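As an added illustration (not code from the original article or from any PCI document), here is a small Python module that applies the two rules above to a transaction record before it is stored: it masks the PAN to at most the first six and last four digits for display, truncates it for storage, and refuses any record that still carries sensitive authentication data. The field names and the test PAN are assumptions of the example.

```python
import re

# Sensitive authentication data (SAD) that must never be stored after
# authorization, even encrypted. The field names are this example's own
# assumption, not identifiers defined by PCI DSS.
SAD_FIELDS = ("cvv", "cvc", "pin", "pin_block", "track1", "track2")

# At most the first six and last four PAN digits may be displayed.
LEAD, TRAIL = 6, 4

def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes and check the PAN is 13 to 19 digits."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits

def mask_pan(pan: str) -> str:
    """Display form for receipts and screens: middle digits become '*'."""
    d = normalize_pan(pan)
    return d[:LEAD] + "*" * (len(d) - LEAD - TRAIL) + d[-TRAIL:]

def truncate_pan(pan: str) -> str:
    """Storage form when the full PAN is not needed: keep only the digits
    masking would show, so the stored record cannot rebuild the account."""
    d = normalize_pan(pan)
    return d[:LEAD] + d[-TRAIL:]

def sad_violations(record: dict) -> list:
    """Names of SAD fields that are present and non-empty in a record."""
    return [f for f in SAD_FIELDS if record.get(f)]

def prepare_for_storage(record: dict) -> dict:
    """Refuse any record carrying SAD, then replace the PAN by its truncation."""
    bad = sad_violations(record)
    if bad:
        raise ValueError("sensitive authentication data present: " + ", ".join(bad))
    stored = dict(record)
    stored["pan"] = truncate_pan(record["pan"])
    return stored

if __name__ == "__main__":
    # Constructed sample using a well-known test PAN, not a real account.
    txn = {"pan": "4111 1111 1111 1111", "cvv": "123", "amount": "19.99"}
    print(mask_pan(txn["pan"]), sad_violations(txn))
    del txn["cvv"]
    print(prepare_for_storage(txn))
```

Truncation is one accepted way to render a stored PAN unreadable; if the full PAN must be kept, it has to be encrypted instead, and the keys handled as described below.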

Protection of data through encryption is vital, but so is the protection of encryption keys. Encryption keys are an important part of PCI compliance because if a criminal should happen to get hold of them, he or she could view all of your sensitive data.

There should be very few people who have access to those keys, and they should be stored in as few places as possible.

Encryption keys are so crucial that you must fully document and implement all key management processes and procedures for keys used for encryption of cardholder data. This includes: generating strong keys, securely distributing and storing keys, changing them periodically, and destroying the old ones.

The effort you put toward protecting encryption keys should match the effort you put toward securing any other sensitive data.

While this is only the third step toward PCI compliance, it really is one of the most important. And while some of its measures may seem complex, you will be doing what is right for your customers, and, by extension, your business.

Andy Eliason is a writer for Main10, Inc. If you'd like to learn more about PCI compliance visit http://www.braintreepaymentsolutions.com/ or http://www.braintreepaymentsolutions.com/pci-compliance/p/3/
