
Saturday, 15 March 2008

Is Remote Storage Of Credit Card Data A Valid Option?


by Andy Eliason


The PCI DSS requires that anyone who stores, processes, or transmits sensitive credit card information must do everything they can to protect that information. This can be accomplished in-house, or the payment processing can be outsourced to another company. That raises the question: Is remote storage of credit card data a valid option? How does it compare to storing the data yourself?

The PCI DSS is made up of 12 requirements which can be broken down into more than 200 individual security controls. Some of these security measures can and/or must be taken care of by the merchant in-house. There are, however, a number of requirements that can conveniently be covered by remote storage of credit card data.

The third requirement of the PCI DSS states simply that you must "Protect cardholder data." On the surface that seems like a distressingly broad and generalized requirement. Luckily it has been divided up into more than 20 different controls to express exactly what is required by it.

Encryption is a big part of this requirement. If you are going to retain information on your system it must be encrypted. The problem here is that sometimes companies don't understand exactly how encryption works, or what, exactly, constitutes valid or sufficient security. And even when encryption techniques are properly implemented, there's a whole other set of requirements regarding the protection of encryption keys.

Remote storage of credit card data can help you alleviate this problem. When you store your information in a secure vault off-site, you are working with a company (or should be working with a company) that specializes in data encryption.

On top of that, the first control listed under the third requirement states that merchants should "Keep cardholder data to a minimum," and "limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes." This practically encourages a merchant to choose remote storage of credit card data because then someone else gets to deal with the required procedures here. And these people, if you've chosen the right company to partner with, can maintain sufficient security measures and keep this data out of the hands of criminals.

Other requirements of the PCI DSS can be satisfied with remote storage of credit card data. These include requirements seven, eight, and nine. Seven states that you must restrict access to cardholder data by business need-to-know. Eight requires a unique ID for anyone with computer access. And nine says that you must restrict physical access to cardholder data.

How does remote storage of credit card data help you with these requirements? Some of them are obvious. Requirement nine is simple: physical access is completely restricted because the data is nowhere on your system. The same applies to requirement seven. When your data is stored remotely, only very specific people will have access to the information, and, with respect to requirement eight, they will have (or should have) a unique ID attached to them so that activity on sensitive systems can easily be tracked.
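To make the division of labour concrete, here is an added illustration (not code from the article) of the vault pattern described under requirement three and under requirements seven and eight: the merchant keeps only a random token, the last four digits and the expiry; the vault alone holds the full PAN behind a need-to-know list and a per-caller access log; and an audit function scans merchant-held fields for anything that still looks like a full card number. The vault class, caller names and record layout are assumptions for illustration, and the encryption-at-rest layer a real vault adds on top is omitted.

```python
import re
import secrets
from dataclasses import dataclass

# A run of 13-19 digits standing on its own is treated as a possible full PAN.
PAN_RE = re.compile(r"\b\d{13,19}\b")


class CardVault:
    """Stand-in for the off-site vault: the only component holding a full PAN.
    A real vault encrypts this store at rest and manages the keys separately;
    that layer is omitted in this illustration."""

    def __init__(self, allowed_callers):
        self._store = {}                       # token -> PAN
        self._allowed = set(allowed_callers)   # need-to-know list (requirement 7)
        self.access_log = []                   # (caller_id, token) per retrieval (requirement 8)

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(16)  # random; not derived from the PAN
        self._store[token] = pan
        return token

    def detokenize(self, token: str, caller_id: str) -> str:
        if caller_id not in self._allowed:
            raise PermissionError(f"{caller_id} has no need-to-know for card data")
        self.access_log.append((caller_id, token))
        return self._store[token]


@dataclass(frozen=True)
class MerchantRecord:
    """What the merchant retains: enough for receipts and refunds, never the PAN."""
    token: str
    last4: str
    expiry: str


def capture_payment(card: dict, vault: CardVault) -> MerchantRecord:
    pan = card["pan"].replace(" ", "")
    token = vault.tokenize(pan)
    # The security code is needed for authorization only and is deliberately dropped.
    return MerchantRecord(token=token, last4=pan[-4:], expiry=card["expiry"])


def find_pan_leaks(records) -> list:
    """Audit check: any 13-19 digit run in a merchant-held field is a finding."""
    return [(name, val) for rec in records
            for name, val in vars(rec).items() if PAN_RE.search(str(val))]


if __name__ == "__main__":
    vault = CardVault(allowed_callers={"settlement-svc"})
    # Constructed sample using the standard Visa test number, not a real card.
    rec = capture_payment({"pan": "4111 1111 1111 1111", "expiry": "12/29", "cvv": "123"}, vault)
    print(rec, find_pan_leaks([rec]))
```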

PCI compliance can be a complex, expensive, and time-consuming endeavor. As more and more consumers become wary of conducting transactions with credit cards, the PCI SSC is going to do more to ensure a safe environment that encourages consumerism. Still, many companies have opted to procrastinate on implementing proper security and reaching compliance because of the complexities involved.

Remote storage of credit card data is one of the best ways to reduce those complexities and take important steps toward PCI compliance.

Above all, the most important thing to remember is that a criminal cannot steal what you don't have. Storing important data off-site means you are no longer a target for people with criminal intentions.


Credit Card News You Can Use