Minimizing the Burden of PCI Compliance: A New Approach to Credit Card Encryption

Innovative Payment Card Solutions
Minimize the Burden of
PCI Section 3:
A New Approach to Credit Card Encryption
© 2007 Paymetric, Inc. All rights reserved.Minimize the Burden of PCI Section 3:
A New Approach to Credit Card Encryption
Contents Encryption represents one of the
Introduction .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 most important mandates for PCI PCI Requirement 3: The Biggest Obstacle to Compliance 4 compliance-and it also represents .. . . . . . . . . . .
The Challenges of Encryption .. . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 one of the most difficult require-
The Mandate: Keep Cardholder Data ments to implement successfully Storage to a Minimum .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
A New Approach and cost effectively. This paper
to Encryption Management .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 describes a new approach to manag-An Introduction to XiSecure .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 ing encrypted data that significantly Conclusion .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 strengthens an organization's security
posture, while minimizing the cost
and effort of PCI compliance.
© 2007 Paymetric, Inc. All rights reserved. .Minimize the Burden of PCI Section 3: A New Approach to Credit Card Encryption
PCI Requirement 3: The Biggest Obstacle
to Compliance
With the advent of the Payment Card Industry Data Security Standard (PCI DSS), encrypting stored credit card numbers "Companies were most frequently is no longer optional. Any company that stores, processes, or non-compliant with Requirement transmits credit card information-regardless of size or volume of transactions-must encrypt stored credit card data or face 3 of the PCI Data Security serious consequences for non-compliance, including fines of Standard; 79 percent of the up to $500,000, the loss of brand integrity, and erosion of failed assessments did not market value. meet the requirement to protect While the PCI standard offers broad guidance-featuring rules stored data (that is, they did not on the proper use of firewalls, computer access controls, anti-virus software, and more-it is the encryption requirements encrypt data)." that are proving to be among the most difficult for organiza-tions to address. According to a study conducted by Verisign Global Security Consulting Services, failure to address the data encryption requirements found in section 3 of PCI is the most common reason for failing a PCI audit:
"Companies were most frequently non-compliant with Requirement 3 of the PCI Data Security Standard; 79 percent of the failed assessments did not meet the requirement to protect stored data (that is, they did not encrypt data)." - Lessons Learned: Top Reasons for PCI Audit Failure and How to Avoid Them, Selected Section 3 Requirements Verisign Global Security Consulting Services. that Centralization and Tokenization
What does requirement 3 say, and why is it so challenging? Helps Address
Titled "Protect Stored Cardholder Data", this requirement Rule Requirementfocuses on all the aspects essential to ensuring that stored 3.0 Encryption is a critical component of cardhold-payment data remains safe. This requirement applies to er data protection.essentially any place card holder data is stored, including appli- 3.1 Keep cardholder data storage to a minimum.cations, databases, backup tapes, and portable digital media. 3.4 Render account number unreadable through.Requirement 3 includes these mandates: strong cryptography and associated key man-agement. Minimize the amount of credit card information stored. 3.5 Restrict access to keys to the fewest number of custodians necessary. Encrypt credit card data that remains stored. 3.5.2 Store keys securely in the fewest possible loca-. P rotect encryption keys against both disclosure and misuse. tions and forms
. Implement sound key management processes. 3.6 Fully document and implement all key manage-ment processes and procedures for keys used . R otate encryption keys annual... [download for more]