@CloudExpo | PCI-DSS Encryption Requirements

Significant money is at stake and in need of protection in the Payment Card Industry (PCI). The global payment card industry covers several sectors: banks and financial institutions (acquirers), issuers, processors, service providers, and merchants carrying out transactions online and via point-of-sale terminals in bricks-and-mortar stores, large and small.

PCI Security

The PCI Security Organization's Data Security Standard (DSS) applies to your business if you store, process or transmit cardholder data (CHD). The PCI supply chain is not an isolated entity. It needs to protect itself well beyond its own perimeter fences. This is because these businesses also need to protect the billions of people who, every day, key in their Personal Identification Numbers (PINs) and other personal data as they shop or carry out transactions in store or over the Internet, from fixed and mobile devices, using payment cards. Increasingly, commerce takes place via mobile devices over wireless networks, with the card itself rarely being physically present at the store.

As credit and debit cards are used more and more, checks are disappearing in many economies. In a mobile, electronic, global world, the payment card industry continues to grow. In May 2014, for example, 47.1 billion was spent in the United Kingdom on cards of all types (credit and debit), a 7.5% annual growth in spending over May 2013, at a time when the country's economy is a long way from recovery.

It's not surprising, therefore, that the payment card industry attracts people of malicious intent.

PCI-DSS Encryption Requirements

In this reality, if your business occupies any of the nodes in the payment card supply chain, you must comply with the 12 core requirements of PCI-DSS to keep perpetrators of payment card fraud at bay. You will need to ensure you have the same levels of protection, and thus of PCI-DSS compliance, in the cloud and in your data centers. In addition, you must make sure that all third-party service providers you use are fully PCI-compliant.

Several of the 12 PCI-DSS requirements are relevant to cloud security. On this occasion, however, we'll single out those sections of requirement number 3 which relate specifically to the protection of stored cardholder data. As you'll see below, you can comply with these requirements by using Porticor's data encryption and cloud key management system.

PCI-DSS Encryption: Requirement 3

Requirement 3.4, for example, states that you must make sure that Primary Account Numbers (PANs) are unreadable wherever they are stored. Our solution ensures your compliance here thanks to strong hashing (SHA-2) and AES-256 encryption, augmented by robust encryption key management.

You must not tie decryption keys to user accounts, regardless of whether you encrypt at the disk, file or database column level, nor must you allow the native operating system access to the cryptographic key. Porticor's key management algorithm, which splits the key by default, assures your compliance on both points: the key stays independent of the OS, and of the administrators and service providers in your supply chain. In other words, access is limited to a very few custodians who must always act together, never any one on their own, which ensures your compliance with requirements 3.5.1 and 3.5.2.
