Protect Cardholder Data

Requirement 3: Protect stored cardholder data

The basic tenet of Requirement 3 is to make sure that all sensitive cardholder data is unreadable, no matter where it is stored: portable media, backup media, logs, or wireless networks.

In addition, storing sensitive authentication data such as the full magnetic stripe track data, CVV and CVV2 is prohibited under PCI DSS.

There is one exception to this rule. Where some of the data elements from the magnetic stripe track data are needed, storing the accountholder's name, primary account number (PAN), expiration date and service code is acceptable.

At no time should a merchant or service provider store the card verification code or PIN verification data elements.

Other cardholder data protection methods include truncating the PAN wherever the full PAN is not needed, and never sending the PAN in an unencrypted e-mail.

See https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf 3.1--3.6 for more information.
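The rules above translate into a small amount of code at the point where a transaction record is written to disk or to a log. The following Go program is an added example, not code from the original page or from the PCI SSC: it drops the prohibited elements (track data, CVV2, PIN block), keeps only name, PAN, expiry and service code, truncates the PAN to first six / last four unless the caller asserts that the full PAN is genuinely needed, and scrubs likely PANs out of log lines. The `CardRecord` and `StoredRecord` types, the field names and the sample values are all constructed for illustration; `4111111111111111` is the widely used Visa test number and is not a real account.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// CardRecord is a constructed example of what arrives from a terminal.
// Most of it must never be written anywhere after authorization.
type CardRecord struct {
	CardholderName string
	PAN            string // primary account number, may contain spaces
	Expiry         string // MMYY
	ServiceCode    string
	Track1         string // full magnetic stripe data: never store
	Track2         string // never store
	CVV2           string // card verification code: never store
	PINBlock       string // PIN verification data: never store
}

// StoredRecord holds only the elements Requirement 3 permits at rest.
// A full PAN that is kept still has to be made unreadable (e.g. encrypted),
// which is outside this example.
type StoredRecord struct {
	CardholderName string
	PAN            string
	Expiry         string
	ServiceCode    string
}

// digitsOnly strips spaces and separators from a PAN.
func digitsOnly(s string) string {
	return strings.Map(func(c rune) rune {
		if c >= '0' && c <= '9' {
			return c
		}
		return -1
	}, s)
}

// TruncatePAN keeps the first six and last four digits and masks the rest.
// Fewer than 13 digits is not a plausible PAN, so it is masked entirely.
func TruncatePAN(pan string) string {
	d := digitsOnly(pan)
	if len(d) < 13 {
		return strings.Repeat("*", len(d))
	}
	return d[:6] + strings.Repeat("*", len(d)-10) + d[len(d)-4:]
}

// SanitizeForStorage copies the permitted elements and discards everything
// else. With fullPAN=false the PAN is truncated before it is returned.
func SanitizeForStorage(r CardRecord, fullPAN bool) StoredRecord {
	pan := digitsOnly(r.PAN)
	if !fullPAN {
		pan = TruncatePAN(pan)
	}
	return StoredRecord{CardholderName: r.CardholderName, PAN: pan,
		Expiry: r.Expiry, ServiceCode: r.ServiceCode}
}

// LuhnValid reports whether a digit string passes the Luhn check digit test.
func LuhnValid(d string) bool {
	sum, double := 0, false
	for i := len(d) - 1; i >= 0; i-- {
		n := int(d[i] - '0')
		if double {
			n *= 2
			if n > 9 {
				n -= 9
			}
		}
		sum += n
		double = !double
	}
	return sum%10 == 0
}

var panPattern = regexp.MustCompile(`\b\d{13,19}\b`)

// RedactPANs rewrites a log line so that any Luhn-valid run of 13-19 digits
// (a likely PAN) appears only in truncated form. Runs that fail the Luhn
// check, such as order numbers, are left untouched.
func RedactPANs(line string) string {
	return panPattern.ReplaceAllStringFunc(line, func(m string) string {
		if !LuhnValid(m) {
			return m
		}
		return TruncatePAN(m)
	})
}

func main() {
	rec := CardRecord{CardholderName: "J DOE", PAN: "4111 1111 1111 1111",
		Expiry: "1229", ServiceCode: "201", CVV2: "123",
		Track2: "4111111111111111=12292011234567890", PINBlock: "0123456789ABCDEF"}
	fmt.Printf("%+v\n", SanitizeForStorage(rec, false))
	fmt.Println(RedactPANs("2024-05-01T10:00:00Z auth ok pan=4111111111111111 order=1234567890123456"))
}
```

The Luhn filter in `RedactPANs` is there to cut false positives; it is not proof that a number is a card number, so a log pipeline should still treat any redacted field as cardholder data for retention purposes.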

Requirement 4: Encrypt transmission of cardholder data across open, public networks

One of the major reasons TJX Companies, Inc. suffered the massive data breach that it did was, in part, faulty encryption security.

TJX management believes that hackers were able to get their hands on the decryption software, rendering the network system hostage to the hackers' whims.

If TJX had had a strong encryption program, the hackers could still have gained access to the encrypted data, but they would not have been able to read it without the proper cryptographic keys.

Confusion abounds concerning this requirement; however, one of the most reliable encryption algorithms is AES-256.

AES is the official encryption algorithm of the U.S. government, and information encrypted with it is considered secure until the year 2030. AES offers 128-, 192- and 256-bit key lengths, making it very secure. Data stored with AES cannot be decrypted without the key.

A QSA (Qualified Security Assessor) can research and decide on the effectiveness of AES and/or other algorithms.

See https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf 4.1-4.2 for more information.



© 2008 PCI Compliance Guide.org