The Necessity Of Credit Card Data Encryption

The Necessity Of Credit Card Data Encryption

by Andy Eliason

The Payment Card Industry Data Security Standard (PCI DSS) mandates that anyone who stores, processes, or transmits sensitive credit card data must be PCI compliant. In other words, they must conform to a set of standardized security measures.

Credit card data encryption is one of the most essential parts of reaching PCI compliance. Unfortunately, it can also be one of the more difficult procedures to implement since many companies don't understand exactly what credit card data encryption entails, and exactly what measures are considered sufficient.

The third requirement of the PCI DSS states simply: Protect cardholder data. This is a fairly broad requirement, but credit card data encryption is still a critical part of it. The main reason for this rests on the fact that no matter what kind of other security measures you've put up to block intrusions, chances are there's a criminal out there who can find that utterly obscure and inconceivable hole in which to get through.

If your information is properly encrypted, however, all they will find is a string of useless gibberish that will mean nothing to them.

Unless, of course, they've managed to get a hold of your encryption keys.

For that reason, the third requirement of the PCI DSS also deals with the proper ways to store and handle encryption keys. A merchant must protect those keys against disclosure and misuse, which implies a variety of practices that need to be used. These include: restricting access to the keys to as few people as possible and storing the keys in as few places as possible.

You are also required to fully document all key management processes and procedures for keys used for credit card data encryption. This includes a range of practices including: generating strong keys, distributing them through secure means, storing them securely, and periodically changing them.

This is just the beginning, though. A merchant must also make sure to destroy old keys, prevent the unauthorized substitution of keys, replace any keys that are known to be, or even suspected to be compromised, and revoke any old or invalid keys.

All in all, making sure you have proper credit card data encryption can be a time consuming, resource intensive process. And this is all just to encrypt the information stored on your site. We still have the separate problem of encrypting information that is in transit to deal with.

The fourth requirement of the PCI DSS states that you must encrypt transmission of cardholder data across open, public networks. An open network subject to PCI requirements include the Internet, WiFi, global systems of mobile communications, and general packet radio service.

The reason here is also simple. If a criminal cannot get at the records on your system, they may try to intercept any transmission you send. That is why credit card data encryption is just as important in this stage as it is for information on your system.

According to the fourth requirement, in order to fight criminals who might try to intercept, modify, or divert sensitive information, a merchant must use strong cryptographic and security protocols such as SSL (secure sockets layer)/TLS (transport layer security) and IPSEC (Internet protocol security). Transmitting data over wireless networks must also be guarded using WPA or WPA2 technology, IPSEC, VPN, or SSL/TLS. It also warns that you should not rely exclusively on WEP (wired equivalent privacy) to protect your system.

Many merchants have found that proper credit card data encryption is one of the most difficult aspects of the PCI DSS for compliance. As such, many of them are turning to other companies for help and outsourcing their PCI compliance and payment processing needs. This way they can entrust their encryption needs to companies that specialize in it.

But whether outsourced or done in-house, credit card data encryption is about more than just protecting your business. It's about protecting your relationship with your customers. If you want to succeed, your customers have to know that they can trust you.