PCI DSS and storage of credit card data
The PCI (Payment Card Industry) Data Security Standard is all-encompassing, setting out security and protective measures for merchants who store credit card information. Created by the credit card industry, it sets forth a set of core standards that, from a security perspective, are basic best practices. Non-compliance, besides leaving security vulnerabilities in place, can put your company on the wrong side of the credit card industry, and if you're a merchant, that's dangerous business.
Storage, backup, and archiving of credit card data is a sensitive matter that requires careful attention. Privacy must receive high priority. Besides PCI DSS, there are a host of other regulations governing privacy of consumer credit data.
The standard sets forth 12 requirements, but requirements 3 and 4 stand out in terms of data storage and protection: "Protect stored cardholder data" and "Encrypt transmission of cardholder data across open, public networks." Not all merchants even store cardholder data, and in general it should not be stored at all unless the data is necessary for business. If you do store cardholder data, there are a few things to be aware of. First, strong cryptography is essential. Layered security is recommended to keep down risk. Further, any third-party partners who process your customers' payments must also be fully compliant with PCI DSS. Authentication and authorization should be rigorous and clearly defined; simple password protection is inadequate. Rendering the account number unreadable can be done through one-way hash functions, truncation, index tokens (one-time only access numbers), or strong cryptography.
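Three of the four techniques named above can be shown with the Python standard library alone. The block below is an added example, not code from the article or from the PCI Security Standards Council: it implements truncation (first six and last four digits kept, the rest discarded), a keyed one-way hash (HMAC-SHA256, since an unkeyed hash of a 13-19 digit number is cheap to enumerate), and index tokens issued from an in-memory vault. The `TokenVault` class, the `tok_` prefix and the demo key are assumptions made for illustration; the card number used is a constructed test value. Strong cryptography (AES) is left out because the standard library has no AES implementation and that path belongs to a vetted library.

```python
"""Three ways to render a stored PAN unreadable, using only the standard library.

Constructed example: the PAN below is a well-known test number, not a real card.
"""
import hashlib
import hmac
import secrets


def _check_pan(pan: str) -> str:
    """Accept 13-19 digit strings only (spaces/hyphens stripped); reject the rest."""
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits


def truncate_pan(pan: str) -> str:
    """Truncation: keep the first six and last four digits, discard the rest.

    The middle digits are replaced, not hidden, so nothing can recover them;
    this is the form suitable for receipts, logs and support screens.
    """
    digits = _check_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """One-way keyed hash (HMAC-SHA256) of the PAN.

    A plain, unkeyed hash is not enough: the set of valid PANs behind a known
    issuer prefix is small enough to enumerate and hash offline. The key must
    be protected like an encryption key and never stored beside the hashes.
    """
    digits = _check_pan(pan)
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


class TokenVault:
    """Index tokens: a random reference that stands in for the PAN (assumed design).

    The mapping lives only here (the "vault"); systems outside it see tokens.
    Each tokenize() call issues a fresh token, and redeem() is single-use, which
    matches the article's description of tokens as one-time access numbers.
    """

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = _check_pan(pan)
        # Unguessable and mathematically unrelated to the PAN it replaces.
        token = "tok_" + secrets.token_urlsafe(16)
        self._vault[token] = digits
        return token

    def redeem(self, token: str) -> str:
        """Return the PAN for a token and invalidate the token (raises KeyError if unknown)."""
        return self._vault.pop(token)


if __name__ == "__main__":
    test_pan = "4111 1111 1111 1111"  # constructed test number
    demo_key = b"constructed-demo-key-keep-out-of-source-control"
    print("truncated:", truncate_pan(test_pan))
    print("hmac:     ", hash_pan(test_pan, demo_key))
    vault = TokenVault()
    token = vault.tokenize(test_pan)
    print("token:    ", token, "->", vault.redeem(token))
```

Each function rejects anything that is not 13 to 19 digits before doing any work, so a log line or free-text field cannot be "truncated" into something that still leaks most of a number. The vault keeps the only copy of the PAN, which is the whole point of tokenization: every other system stores a value that is worthless if stolen.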
The credit card companies are quite serious about their requirements, and most recently, MasterCard started requiring all businesses doing between one million and six million transactions a year to undergo an onsite review of security controls by a third-party auditor.
This is very true - storage of cards is a big issue
Having just completed a PCI audit, I speak from experience when I say storage of cards is a considerable and largely ignored problem. Our eyes were opened when we started using tools to search for stored cards. The findings identified were certainly a surprise. After our experience I would suggest that most organisations out there probably have card storage occurring without their knowledge. The main findings were on employee desktops and within email inbox/sent items.
The tool we used was called Card Recon from Ground Labs. We found it very useful and would recommend it to anyone having to comply with PCI DSS. It can be downloaded from http://www.groundlabs.com
Alternatively, if you have developers in house you may consider writing scripts that search for number strings conforming to the Mod10 algorithm.
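The scripted approach the commenter mentions (searching stored files and mailboxes for digit runs that pass the Mod 10 check) looks like the following. This is an added example written for this page; it is not the commenter's script and has nothing to do with Card Recon. The regular expression, the `Finding` record and the sample e-mail text are all constructed for illustration; the two card-like numbers in it are well-known test values, not real cards. Findings are reported masked, so the scanner itself never writes a full PAN into its own output.

```python
"""Scan free text for card-number-like digit runs and confirm them with Luhn (Mod 10).

Constructed example: SAMPLE_TEXT imitates a mailbox export; the numbers in it are
test values, not real cards.
"""
import re
from dataclasses import dataclass

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

SAMPLE_TEXT = """\
From: alice@example.test
Subject: refund for order 20231
Customer paid with card 4111 1111 1111 1111, please refund.
Reference number 1234567812345678 is our internal ticket id.
Call back on 555-0100.
Second card on file: 5555-5555-5555-4444 (exp 12/29)
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (Mod 10) check."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """First six and last four digits only, so reports never carry a full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int   # 1-based line in the scanned text
    masked: str    # masked PAN as it should appear in a report
    length: int    # digit count, useful for telling card brands apart


def scan_for_pans(text: str) -> list[Finding]:
    """Return one Finding per digit run that is the right length and passes Luhn."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                findings.append(Finding(line_no, mask_pan(digits), len(digits)))
    return findings


if __name__ == "__main__":
    for f in scan_for_pans(SAMPLE_TEXT):
        print(f"line {f.line_no}: {f.masked} ({f.length} digits)")
```

The ticket id on line 4 is 16 digits long but fails the Luhn check, so the length filter alone would have flagged it and the Mod 10 step removes it; the phone number never becomes a candidate. In practice the false-positive rate still depends on the data (invoice and account numbers sometimes pass Luhn by chance), so treat hits as leads to be confirmed by the data owner, and run the scanner over mail stores and desktop shares with read-only credentials.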