Credit Card Data Encryption: Getting Started

Credit Card Data Encryption: Getting Started

by Andy Eliason

Credit card data encryption is one of the basics of PCI DSS compliance. In recent years more and more attention has been directed at the need for increased data security. The general gist of the PCI DSS seems to indicate that merchants should only keep the bare minimum of data on their system In other words, only the information specifically required for business, legal, or other such needs should be kept on an internal system. And all that information must be encrypted.
And yet studies have shown that many companies are failing to implement proper credit card data encryption measures. Why is this?

It could be due to the costs and confusion associated with credit card data encryption. Proper encryption can require greater resources than normal, including processing, bandwidth, and personnel resources. When companies start calculating the costs associated with these new security measures, many of them seem to think it's worth a little risk in order to save the money and resources.

After all, they might say, sure some companies have been targeted and breached. But really, do that many companies have a problem. Surely, out of all the companies in the world, a hacker wouldn't target me.

The unfortunate truth, however, is that hackers will, in fact, target anyone. And while many businesses have trouble spending resources to fend off a possible problem, that is exactly what the PCI DSS requires you to do.

Requirement three of the PCI DSS requires you to "Protect stored cardholder data." Credit card data encryption is critical to this requirement. The idea here is that anyone who happens to bypass any or all of your other security measures will find only a series of illegible gibberish. The only way a criminal can make use of these numbers is if they get a hold of the encryption keys as well.

This brings us to another part of proper credit card data encryption: proper storage and care of encryption keys. Many of the requirements here mirror those of regular data security. For example, a merchant must restrict access to the keys to the fewest number of people possible, and they must be stored in as few places as possible. There are also requirements to make sure a merchant uses the best keys they can. A merchant must generate strong keys, securely store and transmit them, and also periodically change their encryption keys and properly dispose of old ones.

Many companies these days are choosing to outsource their data security needs. Companies that specialize in credit card data encryption can implement all the proper security measures around sensitive data and encryptions keys. By outsourcing these procedures your company can continue to run as normal with minimal interruptions.

This is a convenient solution for many businesses, but there is another requirement that needs to be accounted for. The fourth requirement of the PCI DSS mandates that you "Encrypt transmission of cardholder data across open, public networks." The reasoning is simple. If a hacker cannot gain access to sensitive information on your system, they can try to intercept it in transit. Hackers can modify, delete, or divert this information and cause a lot of trouble.

Credit card data encryption, then, is required at both endpoints and in transmission. Anything less makes you a target for people with questionable motives.

As technology continues to grow, and credit card transactions continue to increase, stronger and stronger security measures are going to be required to keep information safe. And as consumers grow more weary of the risks involved with credit card transactions, these security precautions will determine whether a business can, in fact, stay in business. Consumers need to know they can trust you. And the time will come when credit card data encryption will be one of the standards they use to measure your worth.