Requirements for Encryption of Payment Card Data

Posted by Robert Moskowitz

Complying with the cardholder data encryption requirements for credit and debit cards means meeting many specific criteria. The Payment Card Industry Data Security Standard (PCI DSS) specifies security measures designed to protect cardholders, as well as merchants, processors, acquirers, issuers, service providers and others in the industry, from malicious attempts to acquire sensitive information.

5 Things to Know About Data Encryption

If you accept or handle credit or debit cards, Requirements 3 and 4 of the PCI DSS are especially important.

Requirement 3 of the PCI DSS is to protect stored cardholder data. It is a comprehensive set of controls designed to restrict access both to cardholder data and to the cryptographic keys that protect it, and to separate key-management duties (split knowledge and dual control of manual key operations) so that no single person can recover a key on their own.

Requirement 4 is to encrypt transmission of cardholder data across open, public networks. It sets strict standards for the cryptographic and security protocols applied to cardholder data transmitted over the internet, 802.11 wireless and Bluetooth connections, cellular systems, General Packet Radio Service (GPRS) and satellite communications, and specifically requires that industry best practices be used and documented.

Here are five other important things you need to know about data encryption:

1) It's important to demonstrate that strong data encryption is used not only for cardholder data, but for the passwords and keys used to encrypt/decrypt that data.

2) When using disk-level encryption, logical access to the encrypted data must be managed separately from the native operating system authentication: the passwords and other credentials that unlock the data must not be the same as those used for the operating system.

Disk-level encryption systems encode all data on a particular disk or partition, automatically encrypting and decrypting the information as an authorized user accesses it. This usually happens without any special user action beyond supplying a password at the start of a session. To limit the damage from a compromised account, users must unlock encrypted data with their own credentials, unrelated to the login credentials used for the operating system or the wider network, and the decryption keys must not be tied to user accounts.

3) Encryption/decryption keys must be stored in suitably secure formats.

Cryptographic keys must be protected by a key-encrypting key, stored within a secure cryptographic device, or held as at least two full-length key components or key shares, because anyone who obtains a decryption key gains access to the cardholder data it protects. If keys are themselves encrypted, the key-encrypting key must be at least as strong as the data-encrypting key it protects, and the two must be stored separately. All keys must be protected from disclosure and misuse, with access restricted to the fewest custodians necessary.
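The two protections named above, full-length key components held by separate custodians and a key-encrypting key no weaker than the key it wraps, are concrete enough to show in code. The following is an added example, not code from the original post: it uses plain XOR secret sharing, in which every component is needed to rebuild the key, and measures key strength by length, which is valid when both keys belong to the same algorithm family (for instance AES wrapping AES). The key values are generated for the demonstration.

```python
"""Split-knowledge key components and a key-hierarchy strength check.

Added example, not from the original post. The split scheme is XOR sharing:
the first n-1 components are uniformly random and the last is chosen so that
the XOR of all n equals the key. Any n-1 components are statistically
independent of the key, so no custodian, and no proper subset of custodians,
learns anything about it.
"""
import secrets
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("key components must all be the full key length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int) -> list:
    """Split `key` into `custodians` full-length components, one per custodian."""
    if custodians < 2:
        raise ValueError("split knowledge requires at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    # Last component = key XOR (all random components), so XOR of all n == key.
    components.append(reduce(xor_bytes, components, key))
    return components


def combine_components(components) -> bytes:
    """Rebuild a key from ALL of its components (the key ceremony needs every custodian)."""
    components = list(components)
    if len(components) < 2:
        raise ValueError("need every component; a single component is not a key")
    return reduce(xor_bytes, components)


def kek_is_strong_enough(kek: bytes, dek: bytes) -> bool:
    """A key-encrypting key must be at least as strong as the data-encrypting key it wraps.

    Strength is compared by key length here, which is the right comparison for
    keys of the same algorithm family (AES-256 may wrap AES-128; AES-128 may
    not wrap AES-256).
    """
    return len(kek) * 8 >= len(dek) * 8


if __name__ == "__main__":
    kek = secrets.token_bytes(32)   # 256-bit key-encrypting key, generated for the demo
    dek = secrets.token_bytes(32)   # 256-bit data-encrypting key it would wrap
    print("KEK strong enough for DEK:", kek_is_strong_enough(kek, dek))
    parts = split_key(kek, 3)       # three custodians, each holding one full-length component
    print("all three components rebuild the KEK:", combine_components(parts) == kek)
    print("two of three rebuild the KEK:", combine_components(parts[:2]) == kek)
```

Because the components are full length and the sharing is XOR, two of three custodians colluding get a value that is uniformly random and unrelated to the key; this is what "split knowledge" means in practice, as distinct from simply handing each custodian half of the key bytes.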

4) Sensitive information must be encrypted for transmission over suspect networks.

Attackers routinely target vulnerable elements of data transmission systems. For this reason, cardholder information should always be transmitted in encrypted form using adequate encryption strength, trusted keys, and secure transport protocols (TLS 1.2 or later: SSL and early TLS are no longer accepted, and TLS 1.0 and 1.1 were formally deprecated by RFC 8996), with valid, unexpired certificates issued by a trusted certificate authority.
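The transport-side controls in this point (a minimum protocol version, a verified certificate chain, hostname matching and an unexpired certificate) map directly onto a client TLS configuration. The following is an added example, not code from the original post, using only the Python standard library: it builds a hardened `ssl.SSLContext`, and audits a negotiated session's protocol version and certificate validity dates. The permitted-version policy (TLS 1.2 and 1.3) is an assumption stated in the code, and the sample certificate fields are constructed for the demonstration rather than captured from a real server.

```python
"""Client-side TLS policy for cardholder-data transmission.

Added example, not from the original post. Builds an ssl.SSLContext that
refuses SSL and TLS 1.0/1.1, requires chain validation and hostname checking,
and provides helpers that audit a peer's negotiated protocol version and the
validity dates of its certificate.
"""
import ssl
import time

# Policy assumption for this example: only TLS 1.2 and 1.3 are acceptable
# (RFC 8996 deprecates TLS 1.0 and 1.1). Names match SSLSocket.version().
ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}

# Constructed sample of the dict returned by SSLSocket.getpeercert(); not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "payments.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}
NOW_INSIDE_VALIDITY = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")
NOW_AFTER_EXPIRY = ssl.cert_time_to_seconds("Jun  1 00:00:00 2027 GMT")


def build_client_context(ca_bundle=None) -> ssl.SSLContext:
    """Hardened client context: TLS 1.2 minimum, verified chain, hostname check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rejects SSLv3, TLS 1.0 and TLS 1.1 outright
    ctx.verify_mode = ssl.CERT_REQUIRED             # an unverifiable chain fails the handshake
    ctx.check_hostname = True                       # the certificate must match the host we asked for
    ctx.options |= ssl.OP_NO_COMPRESSION            # TLS compression enables CRIME-style attacks
    if ca_bundle:
        ctx.load_verify_locations(ca_bundle)        # pinned trust store for a known processor
    else:
        ctx.load_default_certs()                    # the system trust store
    return ctx


def version_is_acceptable(version: str) -> bool:
    """True when the value of SSLSocket.version() meets the policy."""
    return version in ACCEPTABLE_VERSIONS


def certificate_is_current(cert: dict, now=None) -> bool:
    """Check notBefore <= now <= notAfter on a getpeercert() dict."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after


def audit_peer(version: str, cert: dict, now=None) -> list:
    """Return the policy violations for a negotiated session (empty list if clean)."""
    problems = []
    if not version_is_acceptable(version):
        problems.append("protocol %s is not permitted; require TLS 1.2 or later" % version)
    if not certificate_is_current(cert, now):
        problems.append("certificate is expired or not yet valid")
    return problems


def open_checked_connection(host: str, port: int = 443) -> list:
    """Connect with the hardened context and audit the result (needs network access)."""
    import socket
    ctx = build_client_context()
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return audit_peer(tls.version(), tls.getpeercert())


if __name__ == "__main__":
    print(audit_peer("TLSv1.3", SAMPLE_CERT, NOW_INSIDE_VALIDITY))  # []
    print(audit_peer("TLSv1.1", SAMPLE_CERT, NOW_AFTER_EXPIRY))     # two violations
```

The context does the real enforcement: with `minimum_version` set, a server offering only TLS 1.0 or 1.1 never completes the handshake, and with `CERT_REQUIRED` plus `check_hostname` an expired, untrusted or mismatched certificate is rejected before any cardholder data is sent. `audit_peer` is useful as a second, loggable check on what was actually negotiated, which is the evidence an assessor will ask for.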

5) All technology in use must properly authenticate and encrypt all sensitive communications.

When a technology cannot encrypt sensitive data and properly authenticate all users, whether by user IDs and passwords, tokens, VPN credentials, or similar methods, it leaves too much opportunity for malicious individuals to reach cardholder data. The weakest link in the data security chain determines the protective strength of the overall system.

Additional Requirements

Additional requirements include mechanisms to:

  • Maintain information security policies covering all personnel
  • Protect stored cardholder data
  • Protect systems against malware
  • Protect the cardholder data environment, even on shared hosts
  • Regularly test security systems and processes
  • Restrict access to cardholder data
  • Track and monitor all data access

In all, 12 data security requirements must be tested and proven before a company working with credit and debit cardholder information can be considered in compliance with industry standards.

Robert Moskowitz, New Mobility Partnerships

Tags: data security, data loss prevention

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
