To store or not to store? That is the multimillion-dollar (fine) question.
This week’s blog tackles the question of storing cardholder data and why the Payment Card
Industry Data Security Standard (PCI DSS) is so beneficial. Fundamentally, it is very clear
on this topic – if you don’t need it, don’t store it. Furthermore, if you do need it, make sure
that you know everywhere it is stored and that you implement appropriate security measures
to protect it.
us just how important it is to understand the do’s and don’ts of cardholder data storage. As it
has been reported, customers’ PIN numbers were stored accidentally in plain text form in log
files. These log files were accessible by the bank’s engineers, despite access to this information
not being a requirement of the role. Allegedly, one-fifth of the bank’s customers were advised
to change their PIN number at an automatic teller machine (ATM).
Requirement 3 of the PCI DSS concentrates on protecting stored cardholder data, while the intent of requirement 7 is to restrict
access to cardholder data based on business ‘need to know’. Had these 2 requirements been adequately implemented, along with
the other 10 PCI DSS requirements, this incident could have been avoided.
It is imperative for any organisation that stores transmits and/or processes cardholder data to understand what data elements PCI
DSS allows it to store and what measures it must take to protect that data. The organisation needs to know where cardholder data
flows through it for all transaction processes. Without knowing the type of data and its journey through various systems, it is nearly
impossible to implement an adequate strategy to protect it. The use of strong cryptography is required to render stored cardholder
data unreadable and other layered security technologies are required to minimise the risk of being exploited by malicious actors.
The following is an excerpt from the Payment Card Industry Security Standard Council (PCI SSC), providing guidance on protecting
stored cardholder data.
Technical Guidelines for Protecting Stored Cardholder Data
At a minimum, PCI DSS requires the primary account number to be rendered unreadable anywhere it is stored, including portable
digital media, backup media and in logs. Software solutions for this requirement could include one of the following:
One-way hash functions based on strong cryptography – also known as tokenisation, which displays only token data that represents
the sensitive data.
Truncation – removing a data segment, e.g. only the last four digits being visible.
Index tokens and securely stored pads – encryption algorithm that combines sensitive plain text data with a random key or ‘pad which
works only once.
Strong cryptography – with associated key management processes and procedures. Refer to the PCI DSS and PA-DSS Glossary of Terms,
Abbreviations and Acronyms for the definition of ‘strong cryptography’.
PCI DSS compliance is enforced by the major payment card brands which established the PCI DSS and the PCI Security Standards Council;
American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. As such, it covers any and all c
ardholder data from cards issued by or branded by these organisations. The Standard is very clear on the subject of ‘to store or not to store’
and all organisations that store, transmit and/or process cardholder data must comply with it. Examples such as Monzo underline why it
is so necessary.
If you need help in interpreting the PCI DSS, understanding whether and how it is relevant to you, or how to comply most effectively, then please contact URM >>>>>