Cyber-criminals are becoming more adept at stealing credit card information all the time. Organizations that handle or process card data in any capacity must take the necessary precautions to protect that data. At the very least, they should ensure they’re in compliance with the Payment Card Industry Data Security Standard (PCI DSS), developed to encourage and enhance cardholder data security across the globe.
The PCI DSS defines 12 requirements that companies should follow if they handle or process credit card data. The companies can include merchants, service providers, financial institutions, or even the businesses issuing the cards. No institution is exempt.
The PCI standard addresses such issues as building and maintaining a secure infrastructure, protecting cardholder data, maintaining a vulnerability management program, and implementing strong access control measures. The requirements also provide for regularly monitoring and testing networks as well as maintaining an information security policy.
According to the PCI standard, information related to credit cards can be divided into two broad categories: cardholder data and sensitive authentication data.
Cardholder data includes the primary account number (the number on the front of the credit card), the cardholder’s name, the card’s expiration date, and a three- or four-digit service code on the magnetic stripe that defines service attributes. Organizations handling credit cards can store any of the cardholder data, as long as they adhere to the PCI DSS requirements governing data storage and transfer.
Sensitive authentication data includes the security code (CAV2, CVC2, CVV2, CID), the user’s credit card PIN, and the full track data. Full track data refers to the entirety of data stored on a card’s magnetic stripe or within the card’s chip. It includes the cardholder data as well as the authentication data and any proprietary information used by the card issuer. Organizations can store only the information considered part of the cardholder data. Everything else is off limits.
A company handling credit card data must follow strict guidelines at all times when storing and transmitting card-related information. For example, the PCI DSS specifies what part of a personal account number can be revealed and what part must be mashed. It also specifies that the account number must be unreadable wherever it’s stored, using such means as truncation, one-way hashes, index tokens and pads, or strong cryptography with associated key management.
In addition to the existing requirements that apply to all organizations handling card data, the PCI DSS also lists requirements specific to shared hosting providers, such as restricting each subscriber’s access and privileges to its own cardholder data. Plus, the PCI DSS provides information that assessors can use to evaluate whether an organization is in compliance with the standard’s most recent requirements.
The PCI DSS is a comprehensive and complex set of standards and should be reviewed carefully by any organization that plans to or already is handling credit card data. A good place to start is with the PCI Security Standards Council’s website. There you’ll find plenty of information about the council and the standards so you can be sure you’re in compliance with the PCI DSS and are adequately protecting all credit card data.
You can stay compliant with external security standards such as HIPAA, SOX, PCI DSS, GLBA, FISMA, etc. with Lepide’s change auditing solutions.