More and more consumers are becoming wary of giving out their personal information. And justifiably so. The lessons people learned from letting scammers get hold of their data were quick and painful. But recently consumers have started questioning the safety of using credit cards even with long-established merchants.
A lot of this hesitation stems from the recent stories about serious security breaches at large, national companies. If these companies aren't safe, a consumer might think, then who is?
For this reason the Payment Card Industry instituted the PCI DSS. They knew that if consumers continued to lose confidence in the industry, they could be in a lot of trouble. PCI compliance, then, is required of any merchant who collects, stores, processes, or transmits credit card data. Originally each of the major credit card companies had their own requirements for data security, but they soon realized that a single standard for PCI compliance was likely in everyone's best interests.
The third requirement for PCI compliance says simply: "Protect stored cardholder data." At first glance this seems an overly broad and simplistic requirement. On further inspection, though, it is one of the most important requirements of the PCI DSS, and the individual security controls that make it up are very specific and deserve a lot of attention.
Data encryption is essential to this requirement. There are any number of security measures that should be in place on your system, but unfortunately nothing is perfect. And if a hacker should happen to bypass those measures, proper encryption ensures that they will only find long strings of random gibberish.
The third requirement for PCI compliance also stipulates that a merchant should keep data storage to a minimum. A data retention and disposal policy should be strictly maintained. This is because any data that is held beyond legitimate business or legal need creates an unnecessary risk, and makes you a target for many hackers.
PCI compliance also means that you do not store certain authentication details at all. Even encrypted, these details must not be stored after authorization. This includes PINs and card validation codes. The full content of any track on the magnetic stripe is also prohibited. Any of these things in the hands of a criminal would give them the ability to reproduce or sell valid credit card accounts. Just don't do it.
The PAN must also be sufficiently masked. This means that only certain digits can ever be displayed on receipts, faxes, or other places where unauthorized people can see them. The PAN should be rendered unreadable wherever it is stored. Several specific requirements address this point, because the PAN is used in many different places and by individuals who may or may not have a legitimate need to see it. It is vitally important to maintain security around this data.
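The three rules above (minimal retention, no storage of sensitive authentication data, a masked PAN for display) are easiest to enforce when the code that writes to storage simply has no place to put the forbidden fields. The following Go program is an added example written for this article, not code from the author or from any PCI DSS document; the struct and function names are assumptions, the card number is a well-known test PAN constructed for the example, and the mask keeps the first six and last four digits at most, the limit the standard itself applies to displayed PANs.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// AuthorizationInput is what the checkout path receives from the card.
// Field names are assumptions made for this example, not PCI DSS terms.
type AuthorizationInput struct {
	PAN            string
	CardholderName string
	Expiry         string
	CVV            string // sensitive authentication data: must never be stored
	PIN            string // must never be stored
	Track2         string // full magnetic-stripe track: must never be stored
}

// StoredRecord is the only shape allowed to reach persistent storage.
// It deliberately has no field for CVV, PIN or track data, so nothing the
// requirement forbids can be written even by mistake.
type StoredRecord struct {
	MaskedPAN      string
	CardholderName string
	Expiry         string
	RetainUntil    time.Time // disposal deadline from the retention policy
}

// normalizePAN strips the separators that card readers and web forms add.
func normalizePAN(pan string) string {
	return strings.NewReplacer(" ", "", "-", "").Replace(pan)
}

// luhnValid is the standard mod-10 check that catches mistyped PANs.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// MaskPAN renders a PAN for receipts and screens: at most the first six and
// last four digits are shown, every digit in between is replaced by 'X'.
func MaskPAN(pan string) (string, error) {
	p := normalizePAN(pan)
	if len(p) < 13 || len(p) > 19 {
		return "", errors.New("PAN length out of range")
	}
	for _, c := range p {
		if c < '0' || c > '9' {
			return "", errors.New("PAN contains non-digits")
		}
	}
	if !luhnValid(p) {
		return "", errors.New("PAN fails Luhn check")
	}
	return p[:6] + strings.Repeat("X", len(p)-10) + p[len(p)-4:], nil
}

// ToStorable converts an authorization into the record that may be kept.
// Sensitive authentication data is dropped, the PAN is kept only in
// truncated form, and a disposal date from the retention policy is attached.
func ToStorable(in AuthorizationInput, now time.Time, retention time.Duration) (StoredRecord, error) {
	masked, err := MaskPAN(in.PAN)
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{
		MaskedPAN:      masked,
		CardholderName: in.CardholderName,
		Expiry:         in.Expiry,
		RetainUntil:    now.Add(retention),
	}, nil
}

// Expired tells the disposal job whether a record is past its retention date.
func Expired(rec StoredRecord, now time.Time) bool {
	return !now.Before(rec.RetainUntil)
}

func main() {
	// Constructed sample input: a published test PAN, made-up CVV/PIN/track.
	in := AuthorizationInput{
		PAN: "4111 1111 1111 1111", CardholderName: "A. Example", Expiry: "12/29",
		CVV: "123", PIN: "0000", Track2: "constructed-track-data",
	}
	rec, err := ToStorable(in, time.Now(), 90*24*time.Hour)
	fmt.Printf("%+v %v\n", rec, err)
}
```

The design choice worth copying is the type boundary: `StoredRecord` cannot hold CVV, PIN or track data, so a reviewer only has to check that nothing else ever reaches the database. A scheduled job that deletes every record for which `Expired` is true is the mechanical form of the retention and disposal policy the requirement asks for.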
Protection of data through encryption is vital, but so is the protection of encryption keys. Encryption keys are an important part of PCI compliance because if a criminal should happen to get a hold of them, he or she could view all of your sensitive data.
There should be very few people who have access to those keys, and they should be stored in as few places as possible.
Encryption keys are so crucial that you must fully document and implement all key management processes and procedures for keys used for encryption of cardholder data. This includes: generating strong keys, securely distributing and storing keys, changing them periodically, and destroying the old ones.
The effort you put toward protecting encryption keys should be the same as you put toward securing any other sensitive data.
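The key-management duties listed above (strong generation, limited distribution, periodic change, destruction of old keys) become concrete once every ciphertext records which key produced it. The Go program below is an added example written for this article, not code from the author or from the PCI DSS; the `Keyring` type and its methods are assumptions, and the keys are held in process memory purely for illustration, where a real deployment would keep them wrapped by a key-encrypting key in an HSM or key-management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Ciphertext carries the ID of the key that produced it, so records can still
// be decrypted during a rotation window and migrated to the new key afterwards.
type Ciphertext struct {
	KeyID string
	Nonce []byte
	Data  []byte
}

// Keyring holds data-encrypting keys by ID. In-memory storage is an
// assumption for this example only; production keys belong in an HSM or KMS.
type Keyring struct {
	active  string
	counter int
	keys    map[string][]byte
}

func NewKeyring() *Keyring {
	return &Keyring{keys: make(map[string][]byte)}
}

// Rotate generates a fresh 256-bit AES key from the OS CSPRNG and makes it
// the active key. Older keys stay available for decryption until retired.
func (k *Keyring) Rotate() (string, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return "", err
	}
	k.counter++
	id := fmt.Sprintf("dek-%d", k.counter)
	k.keys[id] = key
	k.active = id
	return id, nil
}

// Retire destroys a key once no record depends on it. The active key cannot
// be retired; rotate first.
func (k *Keyring) Retire(id string) error {
	if id == k.active {
		return errors.New("cannot retire the active key")
	}
	key, ok := k.keys[id]
	if !ok {
		return errors.New("unknown key id")
	}
	for i := range key { // overwrite the material before dropping the reference
		key[i] = 0
	}
	delete(k.keys, id)
	return nil
}

func (k *Keyring) aead(id string) (cipher.AEAD, error) {
	key, ok := k.keys[id]
	if !ok {
		return nil, fmt.Errorf("key %q not available", id)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt protects a value (for example a PAN) under the active key using
// AES-GCM; the key ID is bound to the ciphertext as authenticated data.
func (k *Keyring) Encrypt(plaintext []byte) (Ciphertext, error) {
	if k.active == "" {
		return Ciphertext{}, errors.New("no active key; call Rotate first")
	}
	gcm, err := k.aead(k.active)
	if err != nil {
		return Ciphertext{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Ciphertext{}, err
	}
	data := gcm.Seal(nil, nonce, plaintext, []byte(k.active))
	return Ciphertext{KeyID: k.active, Nonce: nonce, Data: data}, nil
}

// Decrypt looks up the key named in the record; a retired key means failure.
func (k *Keyring) Decrypt(c Ciphertext) ([]byte, error) {
	gcm, err := k.aead(c.KeyID)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, c.Nonce, c.Data, []byte(c.KeyID))
}

// ReEncrypt migrates a record to the active key; run it over every stored
// record before retiring the key the record was encrypted under.
func (k *Keyring) ReEncrypt(c Ciphertext) (Ciphertext, error) {
	pt, err := k.Decrypt(c)
	if err != nil {
		return Ciphertext{}, err
	}
	return k.Encrypt(pt)
}

func main() {
	kr := NewKeyring()
	old, _ := kr.Rotate()
	rec, _ := kr.Encrypt([]byte("4111111111111111")) // constructed test PAN
	kr.Rotate()
	rec, _ = kr.ReEncrypt(rec)
	fmt.Println("record now under", rec.KeyID, "; retiring", old, "->", kr.Retire(old))
}
```

The order of operations in `main` is the whole point: rotate, re-encrypt everything that still names the old key, and only then retire it. Reversing the last two steps strands records that can never be decrypted again, which is the failure mode a documented key-change procedure exists to prevent.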
While this is only the third step toward PCI compliance, it really is one of the most important. And while some of its measures may seem complex, you will be doing what is right for your customers, and, by extension, your business.
About the author:
Andy Eliason is a writer for Main10, Inc. If you'd like to learn more about PCI compliance, or the PCI DSS, visit Braintree Payment Solutions today.
Article Source: http://www.Free-Articles-Zone.com