Minimizing the Burden of PCI Compliance: A New Approach to Credit Card Encryption

By: Paymetric
Published: Dec 05, 2007
Length: 15
Type: White Paper
Overview:

With the advent of the Payment Card Industry Data Security Standard (PCI DSS), encrypting stored credit card numbers is no longer optional. Any company that stores, processes, or transmits credit card information, regardless of size or volume of transactions, must encrypt stored credit card data or face serious consequences for non-compliance.

This paper describes a new approach to managing encrypted data that significantly strengthens an organization's security posture while minimizing the cost and effort of PCI compliance. Read this white paper to find out how to comply with PCI requirements and:

  • Minimize the amount of credit card information stored
  • Encrypt credit card data that remains stored
  • Protect encryption keys against both disclosure and misuse
  • Implement sound key management processes
  • And much more
Browse Related Categories: Compliance, Data Protection, Enterprise Resource Planning, PCI Compliance, SAP, Security Policies
PCI Standard:

PCI Requirement 3: The Biggest Obstacle to Compliance
With the advent of the Payment Card Industry Data Security Standard (PCI DSS), encrypting stored credit card numbers is no longer optional. Any company that stores, processes, or transmits credit card information—regardless of size or volume of transactions—must encrypt stored credit card data or face serious consequences for non-compliance, including fines of up to $500,000, the loss of brand integrity, and erosion of market value.

While the PCI standard offers broad guidance—featuring rules on the proper use of firewalls, computer access controls, antivirus software, and more—it is the encryption requirements that are proving to be among the most difficult for organizations to address. According to a study conducted by Verisign Global Security Consulting Services, failure to address the data encryption requirements found in section 3 of PCI is the most common reason for failing a PCI audit:
“Companies were most frequently non-compliant with Requirement 3 of the PCI Data Security Standard; 79 percent of the failed assessments did not meet the requirement to protect stored data (that is, they did not encrypt data).” — Lessons Learned: Top Reasons for PCI Audit Failure and How to Avoid Them, Verisign Global Security Consulting Services.

What does requirement 3 say, and why is it so challenging?
Titled “Protect Stored Cardholder Data”, this requirement focuses on all the aspects essential to ensuring that stored payment data remains safe. It applies to essentially any place cardholder data is stored, including applications, databases, backup tapes, and portable digital media.
Requirement 3 includes these mandates:
- Minimize the amount of credit card information stored.
- Encrypt credit card data that remains stored.
- Protect encryption keys against both disclosure and misuse.
- Implement sound key management processes.
- Rotate encryption keys annually.

The Challenges of Encryption
While most security professionals recognize the merits of encrypting credit card data, they often struggle with three common challenges:

- Cost of encryption. The problem for most organizations, especially those with credit card data stored in multiple systems across an enterprise, is the cost of encryption, both in terms of up-front costs and in terms of ongoing maintenance. In fact, Gartner estimates the cost of encrypting 100,000 accounts to be $600,000.

- Application integration and availability. Integrating encryption in enterprise applications such as SAP poses significant challenges. For example, encryption mechanisms from SAP offer only basic functionality, and many third-party encryption and key management solutions do not integrate well, if at all, with SAP. Legacy applications are equally challenging, as most have no encryption or key management functionality, necessitating significant modifications to comply with PCI. Finally, the requirement for periodic key rotation typically entails application downtime and consumes extensive system resources, stretching the performance limits of many application infrastructures.

- Key management. Often, it is only after an initial encryption deployment that administrators realize how much ongoing effort is required for key management. PCI rules include the need to establish dual control of keys, prevent unauthorized substitution of keys, revoke old or invalid keys, and rotate keys on a routine basis. Establishing and maintaining all these processes can require a tremendous amount of time and resources on an ongoing basis.

The Mandate: Keep Cardholder Data Storage to a Minimum
The three challenges presented in the prior section are significant. For those organizations that have payment data in multiple, disparate systems these challenges grow exponentially more imposing.

Rule 3.1 of the PCI standard advises that organizations, “Keep cardholder data storage to a minimum.” To do so, organizations must first identify precisely where all payment data is stored. While this may seem simple, for many large enterprises it is anything but. In fact, for a large enterprise the data discovery process can take months of staff time to complete.

Second, security administrators must determine where payment data should be kept and where it shouldn’t be. It’s pretty obvious that the fewer repositories housing credit card information, the fewer points of exposure and the lower the cost of encryption and PCI initiatives. Before security administrators dedicate the time and money to encrypting data, management should be absolutely sure whether that data needs to be retained at all, and if not, take steps to remove it immediately.
