Filter by Category

PCI DSS 2.0

According to a survey of 155 Qualified Security Assessors (QSAs) conducted by the Ponemon Institute, 60 percent of retailers lack the budgets to be fully compliant with the PCI DSS standards. As an example, the annual audit cost for a major retailer can be as high as $225,000.

According to the Ponemon Institute survey, restricting access to card data on a "need-to-know basis" (PCI DSS Requirement #7) is still the most important PCI DSS requirement, but also the most difficult to achieve. QSAs reported that the three most common business reasons for storing cardholder data are:

  • Handling charge-backs
  • Providing customer service
  • Processing recurring subscriptions

In order to service these customer's requirements, the credit card data must still be available for the various software applications. These industry processes require merchants to implement methods of protecting cardholders from theft.

Encryption the Best Technology

QSAs find the most significant threats to cardholder data are in merchant networks and databases. They believe firewalls, encryption for data at rest, and encryption for data in motion are the top three most effective technologies for achieving compliance.

Sixty percent of QSAs believe encryption is the best means to protect card data end-to-end. Forty-one percent of QSAs say that controlling access to encryption keys is the most difficult management task their clients face.

Getting a Handle on PCI DSS Issues

So what's the best way to both satisfy the requirements of PCI DSS and still make secured data transparent to applications? The strategy QSAs recommend is to lock down the cardholder data with technologies that:

  1. Restrict the access
  2. Encrypt the data
  3. Manage and control the encryption keys

These recommendations point to a need to make encryption and encryption-key access an integral part of the overall information system.

But too many organizations use ad hoc encryption/de-encryption utilities that slow processing, and often leave de-encrypted data in the open. In addition, without any integrated encryption key management process, there is really no security at all.  Unsecured encryption keys, just like data, can be lost, stolen, and misused. Access to those keys should be managed as an integral part of the overall security of the operating system.

The point is that the QSA's three recommendations go beyond the basic requirements of the PCI DSS standard to actually secure the credit card data at the host - and to ensure that the data isn't misused when the data is at rest or while being transferred.

Linoma Software's [now HelpSystems] data encryption suite Crypto Complete successfully addresses these QSA PCI requirements by providing data encryption and key management services that can be integrated seamlessly with IBM i (iSeries) applications.

Building on PCI DSS V2

Industry security analysts will still complain that PCI DSS needs to be a real security standard aimed at protecting card holder data, but Version 2.0 doesn't provide that value.  Consequently, we need to analyze what the QSAs are recommending, and then build on PCI DSS Version 2.0 to implement the best possible data security for our customers' credit card data.

 

Add a Comment

Allowed tags: <b><i><br>

Latest Posts


Recent 2018 Data Breaches in Healthcare (and How to Avoid Them)

November 14, 2018

Phishing attacks, malware, and employee errors. These are three of the most recent causes for healthcare data breaches in 2018, with more certainly to come. The year isn’t over yet. For anyone…


Which is Better: SFTP vs. MFT?

November 6, 2018

SFTP, or MFT: that is the question. Even though we’re not all famous poets like William Shakespeare, many IT professionals will ask this question at some point or another. Should they use an…


What You Need to Know about the California Consumer Privacy Act (CCPA)

October 30, 2018

Businesses be aware: if you’re located in California or work with customers from California, a new privacy act similar to the GDPR is coming for you. This gives you just 14 months to analyze…


The Best Cybersecurity Strategies for Banks and Financial Organizations

October 18, 2018

Banks and financial institutions, take note: though the year is almost over, no one is safe from a data breach. Industries across the board have seen 4.5 million records stolen so far in 2018—a…


What is Managed File Transfer (MFT)?

October 10, 2018

As companies recognize a need for a solution that meets their file transfer, automation, and encryption needs, the question often arises: what is managed file transfer and how is it different from my…