June 23, 2009, 5:06 PM — The PCI (Payment Card Industry) Data Security Standard is all-encompassing, setting a standard for security and protective measures for merchants who store credit card information. Created by the credit card industry, the standard sets forth a core set of requirements. From a security perspective, these requirements are basic best practices. Non-compliance, besides resulting in security vulnerabilities, could get your company on the wrong side of the credit card industry, and if you're a merchant, that's dangerous business.
Storage, backup, and archiving of credit card data is a sensitive matter that requires careful attention. Privacy must receive high priority. Besides PCI DSS, there are a host of other regulations governing privacy of consumer credit data.
There is a set of 12 requirements set forth in the standard, but requirements 3 and 4 stand out in terms of data storage and protection: "Protect stored cardholder data" and "Encrypt transmission of cardholder data across open, public networks." Not all merchants even store cardholder data, and in general it should not be stored at all unless the data is necessary for business. If you do store cardholder data, there are a couple of things to be aware of. First, strong cryptography is essential. Layered security is recommended to keep down risk. Further, if you have any third-party partners who process your customers' payments, they, too, must be fully compliant with PCI DSS. Authentication and authorization should be rigorous and clearly defined; simple password protection is inadequate. Rendering the account number unreadable can be done through one-way hash functions, truncation, index tokens (one-time only access numbers), or strong cryptography.
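The three non-encryption methods named above (truncation, one-way hashing, index tokens) are shown here as an added example that is not part of the original article. The PAN used is the well-known test number 4111111111111111, the HMAC key is a constructed demo value that in production would live in an HSM or key-management service, and the in-memory `TokenVault` class stands in for a real tokenization service. The hash is keyed (HMAC-SHA256) rather than a bare SHA-256 because the set of valid card numbers is small enough to enumerate, so the key must be protected like an encryption key.

```python
"""Rendering a PAN unreadable (PCI DSS Requirement 3): truncation, keyed
one-way hash, and index tokens. Added example; values are constructed."""
import hashlib
import hmac
import secrets

# Constructed demo key. In production this comes from an HSM / KMS, never source code.
DEMO_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def luhn_valid(pan: str) -> bool:
    """Luhn check so we never store or hash something that is not a PAN."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first 6 and last 4 digits, mask the rest.
    The masked form can be stored and displayed; the full PAN is not retained."""
    if not luhn_valid(pan):
        raise ValueError("invalid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def keyed_hash_pan(pan: str, key: bytes = DEMO_KEY) -> str:
    """One-way keyed hash (HMAC-SHA256). Suitable for lookups such as
    'have we seen this card before?' without storing the PAN itself."""
    if not luhn_valid(pan):
        raise ValueError("invalid PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class TokenVault:
    """Index tokens: a random surrogate replaces the PAN in application
    databases. Only this (hypothetical, in-memory) vault holds the mapping,
    which keeps the rest of the system out of PCI scope for stored PANs."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        token = secrets.token_hex(16)   # random, carries no information about the PAN
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment path that must talk to the processor calls this."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    test_pan = "4111111111111111"       # standard test card number
    print("truncated:", truncate_pan(test_pan))
    print("keyed hash:", keyed_hash_pan(test_pan))
    vault = TokenVault()
    tok = vault.tokenize(test_pan)
    print("token:", tok, "round-trips:", vault.detokenize(tok) == test_pan)
```

Each method trades off differently: truncation is irreversible and needs no key, the keyed hash supports equality lookups but is only as strong as the secrecy of the key, and tokens are reversible only through the vault, which then becomes the one system that must meet the full storage requirements.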
The credit card companies are quite serious about their requirements, and most recently, MasterCard started requiring all businesses doing between one million and six million transactions a year to undergo an onsite review of security controls by a third-party auditor.