Credit Card Data Encryption: Getting Started
by Andy Eliason
Credit card data encryption is one of the basics of PCI DSS compliance. In recent years more and more attention has been directed at the need for stronger data security. The general thrust of the PCI DSS is that merchants should keep only the bare minimum of cardholder data on their systems. In other words, only the information specifically required for business, legal, or regulatory needs should be kept, and whatever is kept must be rendered unreadable wherever it is stored, which in practice usually means encryption. Sensitive authentication data (the full magnetic stripe, the card verification code, and the PIN) may not be stored after authorization at all, encrypted or not.
And yet studies have shown that many companies are failing to implement proper credit card data encryption measures. Why is this?
It could be due to the costs and confusion associated with credit card data encryption. Doing it properly takes extra resources: processing power, bandwidth, and the people to manage the keys and the systems. When companies start calculating the costs of these new security measures, many of them decide it is worth accepting a little risk to save the money and effort.
After all, they might say, some companies have been targeted and breached, but do that many companies really have a problem? Surely, out of all the companies in the world, an attacker wouldn't single me out.
The unfortunate truth is that attackers do not single anyone out. They scan for any exposed system, and a small merchant is as likely a target as a large one. And while many businesses have trouble spending resources to fend off a possible problem, that is exactly what the PCI DSS requires you to do.
Requirement three of the PCI DSS requires you to "Protect stored cardholder data." Credit card data encryption is critical to this requirement. The idea is that anyone who bypasses any or all of your other security measures finds only ciphertext. The only way a criminal can make use of those numbers is by getting hold of the encryption keys as well.
This brings us to another part of proper credit card data encryption: proper storage and care of encryption keys. Many of the requirements here mirror those of regular data security. For example, a merchant must restrict access to the keys to the fewest number of people possible, and the keys must be stored in as few places as possible. There are also requirements on the quality of the keys themselves. A merchant must generate strong keys, store and transmit them securely, change them at the end of their defined cryptoperiod, and properly dispose of old ones.
Many companies these days choose to outsource their data security needs. Companies that specialize in credit card data encryption can implement all the proper security measures around sensitive data and encryption keys. By outsourcing these procedures your company can continue to run as normal with minimal interruptions. Outsourcing shrinks the scope of what you must protect yourself, but it does not transfer responsibility: the merchant remains accountable for its own compliance and for confirming that the provider is PCI DSS compliant too.
This is a convenient solution for many businesses, but there is another requirement that needs to be accounted for. The fourth requirement of the PCI DSS mandates that you "Encrypt transmission of cardholder data across open, public networks." The reasoning is simple. If a hacker cannot gain access to sensitive information on your system, they can try to intercept it in transit. Hackers can modify, delete, or divert this information and cause a lot of trouble.
Credit card data encryption, then, is required at both endpoints and in transmission. Anything less makes you a target for people with questionable motives.
As technology continues to grow, and credit card transactions continue to increase, stronger and stronger security measures are going to be required to keep information safe. And as consumers grow more wary of the risks involved with credit card transactions, these security precautions will determine whether a business can, in fact, stay in business. Consumers need to know they can trust you. And the time will come when credit card data encryption will be one of the standards they use to measure your worth.
Saturday, March 15, 2008
Saturday, February 23, 2008
The Necessity Of Credit Card Data Encryption
by Andy Eliason
The Payment Card Industry Data Security Standard (PCI DSS) mandates that anyone who stores, processes, or transmits sensitive credit card data must be PCI compliant. In other words, they must conform to a set of standardized security measures.
Credit card data encryption is one of the most essential parts of reaching PCI compliance. Unfortunately, it can also be one of the more difficult procedures to implement since many companies don't understand exactly what credit card data encryption entails, and exactly what measures are considered sufficient.
The third requirement of the PCI DSS states simply: "Protect stored cardholder data." This is a fairly broad requirement, but credit card data encryption is still a critical part of it. The main reason is that no matter what other security measures you have put up to block intrusions, chances are there is a criminal out there who can find the one obscure, unanticipated hole to get in through.
If your information is properly encrypted, however, all they will find is ciphertext that means nothing to them.
Unless, of course, they've managed to get a hold of your encryption keys.
For that reason, the third requirement of the PCI DSS also covers the proper ways to store and handle encryption keys. A merchant must protect those keys against disclosure and misuse, which implies a set of practices: restricting access to the keys to as few people as possible and storing the keys in as few places as possible.
You are also required to fully document all key management processes and procedures for the keys used for credit card data encryption. These cover generating strong keys, distributing them through secure means, storing them securely, and changing them at the end of their defined cryptoperiod.
This is just the beginning, though. A merchant must also make sure to destroy old keys, prevent the unauthorized substitution of keys, replace any keys that are known to be, or even suspected to be, compromised, and revoke any old or invalid keys.
All in all, making sure you have proper credit card data encryption can be a time consuming, resource intensive process. And this is all just to encrypt the information stored on your own systems. We still have the separate problem of encrypting information in transit to deal with.
The fourth requirement of the PCI DSS states that you must encrypt transmission of cardholder data across open, public networks. Open, public networks in PCI DSS terms include the Internet and wireless technologies such as Wi-Fi, GSM (Global System for Mobile Communications), and GPRS (General Packet Radio Service).
The reason here is also simple. If a criminal cannot get at the records on your system, they may try to intercept any transmission you send. That is why credit card data encryption is just as important in this stage as it is for information on your system.
According to the fourth requirement, in order to stop criminals who might try to intercept, modify, or divert sensitive information, a merchant must use strong cryptography and security protocols such as SSL/TLS (Secure Sockets Layer/Transport Layer Security) and IPsec (Internet Protocol Security). Transmissions over wireless networks must also be protected using WPA or WPA2, IPsec, a VPN, or SSL/TLS. The standard also warns that you should not rely exclusively on WEP (Wired Equivalent Privacy) to protect your system. These recommendations reflect the standard as it stood when this was written; later revisions of PCI DSS prohibit WEP outright and, since 30 June 2018, no longer accept SSL or TLS 1.0 as strong cryptography, so TLS 1.2 or later is the practical floor for any new deployment.
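The fourth requirement is enforced at the listener: the server refuses any handshake below the version you treat as strong cryptography, and a client that only speaks older versions gets an alert instead of a connection. The Go example below is added here and is not part of the original article. It builds a server configuration with TLS 1.2 as the floor, then runs handshakes over an in-memory pipe against a client that will negotiate anything from TLS 1.0 up to a given maximum, and returns either the negotiated version or the error that ended the handshake. The hostname payments.example.test and the self-signed certificate are constructed for the example; in production the certificate comes from a CA. Session tickets are switched off so the in-memory pipe carries no post-handshake messages; that is a property of the test transport, not a PCI requirement.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedServer issues a throwaway P-256 certificate for the in-memory server
// and a pool that trusts only it. Constructed for this example; a real endpoint
// presents a CA-issued certificate.
func selfSignedServer(host string) (tls.Certificate, *x509.CertPool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool, nil
}

// PaymentServerConfig is the hardened listener side: TLS 1.2 is the floor, so
// SSLv3, TLS 1.0 and TLS 1.1 ClientHellos are answered with a fatal alert.
func PaymentServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // keeps the pipe free of post-handshake messages
	}
}

// Negotiate runs one handshake over an in-memory pipe between a legacy client
// (offers TLS 1.0 up to clientMax) and a server using PaymentServerConfig. It
// returns the negotiated version, or the error that ended the handshake.
func Negotiate(clientMax uint16) (uint16, error) {
	const host = "payments.example.test" // assumed hostname for the example
	cert, roots, err := selfSignedServer(host)
	if err != nil {
		return 0, err
	}
	clientSide, serverSide := net.Pipe()
	defer clientSide.Close()
	defer serverSide.Close()

	serverErr := make(chan error, 1)
	go func() {
		serverErr <- tls.Server(serverSide, PaymentServerConfig(cert)).Handshake()
	}()

	client := tls.Client(clientSide, &tls.Config{
		ServerName: host,
		RootCAs:    roots,
		MinVersion: tls.VersionTLS10,
		MaxVersion: clientMax,
	})
	if err := client.Handshake(); err != nil {
		<-serverErr // the server has already sent its alert and returned
		return 0, err
	}
	if err := <-serverErr; err != nil {
		return 0, err
	}
	return client.ConnectionState().Version, nil
}

func main() {
	for _, ceiling := range []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		if v, err := Negotiate(ceiling); err != nil {
			fmt.Printf("client max 0x%04x: rejected (%v)\n", ceiling, err)
		} else {
			fmt.Printf("client max 0x%04x: negotiated 0x%04x\n", ceiling, v)
		}
	}
}
```

The client pins the server's certificate through RootCAs rather than disabling verification, because a transport check that skips authentication would pass against an interceptor as readily as against the real endpoint, which is the attack the requirement is about.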
Many merchants have found that proper credit card data encryption is one of the most difficult aspects of PCI DSS compliance. As such, many are turning to other companies for help and outsourcing their PCI compliance and payment processing needs. This way they can entrust their encryption needs to companies that specialize in it.
But whether outsourced or done in-house, credit card data encryption is about more than just protecting your business. It's about protecting your relationship with your customers. If you want to succeed, your customers have to know that they can trust you.