Castleforce IT Security Team

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending PAN in unencrypted e-mails.

Please refer to the Castleforce Glossary for Terms, Abbreviations, and Acronyms for definitions of “strong cryptography” and other PCI DSS terms.


3.1 Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.

3.2 Do not store sensitive authentication data after authorization (even if encrypted). Sensitive authentication data includes the data as cited in the following Requirements 3.2.1 through 3.2.3:

  • 3.2.1 Do not store the full contents of any track from the magnetic stripe (located on the back of a card, contained in a chip, or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data.
  • 3.2.2 Do not store the card-verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.
  • 3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block.

3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).

3.4 Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs) by using any of the following approaches:

  1. One-way hashes based on strong cryptography
  2. Truncation
  3. Index tokens and pads (pads must be securely stored)
  4. Strong cryptography with associated key management processes and procedures
  • 3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local user account databases). Decryption keys must not be tied to user accounts.
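An added example, not part of the Castleforce page or any partner product, showing how Requirement 3.3 (display masking to first six and last four digits) and Requirement 3.4 (rendering PAN unreadable in logs, plus a keyed one-way hash for lookups) can be implemented. The sample log lines, the regex and the HMAC key are constructed for illustration; the two card numbers are the publicly documented Visa test numbers.

```python
import hashlib
import hmac
import re

# Constructed sample log lines. 4111111111111111 and 4222222222222 are the
# widely published Visa test numbers, not real cardholder PANs.
SAMPLE_LOG = [
    "2024-01-05 10:02:11 INFO checkout ok pan=4111111111111111 amount=19.99",
    "2024-01-05 10:02:12 WARN retry card 4222 2222 2222 2 declined",
    "2024-01-05 10:02:13 INFO order_id=1234567890123456 shipped",
]
# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def _digits(s: str) -> str:
    return re.sub(r"[ -]", "", s)

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Req. 3.3 display form: at most the first six and last four digits show."""
    d = _digits(pan)
    if not (13 <= len(d) <= 19 and d.isdigit()):
        raise ValueError("not a PAN-length digit string")
    return d[:6] + "*" * (len(d) - 10) + d[-4:]

def hash_pan(pan: str, key: bytes) -> str:
    """Req. 3.4 one-way form usable as a lookup index. Keyed (HMAC-SHA256)
    rather than a bare digest: the PAN space is small enough that unkeyed
    hashes of PANs can be recovered by enumeration, so the key is protected
    and rotated under Req. 3.5/3.6 like any other cardholder-data key."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()

def redact_log_line(line: str) -> str:
    """Req. 3.4 requires PAN to be unreadable in logs: replace each Luhn-valid
    13-19 digit run with its masked form. Luhn reduces, but does not remove,
    false positives on order ids and timestamps."""
    def repl(m: re.Match) -> str:
        d = _digits(m.group(0))
        return mask_pan(d) if luhn_ok(d) else m.group(0)
    return PAN_RE.sub(repl, line)
```

Running `redact_log_line` over each line of `SAMPLE_LOG` masks the two card numbers and leaves the Luhn-invalid order id untouched.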

3.5 Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse:

  • 3.5.1 Restrict access to cryptographic keys to the fewest number of custodians necessary
  • 3.5.2 Store cryptographic keys securely in the fewest possible locations and forms

3.6 Fully document and implement all key management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following:

  • 3.6.1 Generation of strong cryptographic keys
  • 3.6.2 Secure cryptographic key distribution
  • 3.6.3 Secure cryptographic key storage
  • 3.6.4 Periodic cryptographic key changes:
      • As deemed necessary and recommended by the associated application (for example, re-keying); preferably automatically
      • At least annually

  • 3.6.5 Retirement or replacement of old or suspected compromised cryptographic keys
  • 3.6.6 Split knowledge and establishment of dual control of cryptographic keys
  • 3.6.7 Prevention of unauthorized substitution of cryptographic keys
  • 3.6.8 Requirement for cryptographic key custodians to sign a form stating that they understand and accept their key-custodian responsibilities

Encryption Partners

Check Point Software Technologies Ltd: Check Point has fully implemented the Pointsec product in its Full Disk Encryption range in order to offer security management and data protection. FIPS 140-2 Certified.

CREDANT Technologies: CREDANT offers the flexibility to choose the encryption solution that best meets your data protection and compliance needs, delivering data encryption across any endpoint (desktops, laptops, handheld devices and removable media), including our patented, intelligent data encryption solutions as well as new hardware- and software-based full-disk encryption offerings. FIPS 140-2 Certified.

DESlock+ (CESG CCTM certified; full disk, removable media, e-mail and folder encryption): DES's award-winning DESlock+ encryption software helps organisations and individuals to protect against all types of data breach by offering a simple, yet extremely powerful set of encryption tools to protect data in transit and at rest. To meet the needs of government and corporate bodies, the DESlock+ software is certified in the UK by CESG, the UK national technical authority for information assurance, under its Claims Tested Mark (CCTM) scheme. DESlock+ also meets the rigorous FIPS 140-2 standard in the US and is validated by the National Institute of Standards and Technology (NIST). Available as DESlock Standard or DESlock PRO.

Safend (protects your enterprise from information leakage): Safend Encryptor enforces an enterprise-wide encryption policy to protect the data stored on laptop and desktop hard disks, so that sensitive data cannot be read by unauthorized users in the case of loss or theft. Safend Encryptor uses Total Data Encryption technology that automatically encrypts all data files while avoiding unnecessary encryption of the operating system and program files. This approach minimizes the risk of operating system failure and has a negligible performance impact. Leveraging this encryption technology, Safend Encryptor provides transparent hard disk encryption.

IronKey (maker of the world's most secure flash drive): IronKey Enterprise secures data with always-on hardware encryption to meet compliance and data protection requirements. All user data on an IronKey Enterprise drive is encrypted with high-speed AES CBC-mode encryption. IronKey Enterprise is deployed quickly using the cloud-based IronKey Enterprise Management Service. Administrators are in full control of deployed devices and, if needed, can remotely disable devices and wipe data. IronKey Enterprise logs device use for reporting and compliance. FIPS 140-2 Certified.


Contact Castleforce for help with PCI DSS

PCI DSS Core Principles

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organised:

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Requirement 12: Maintain a policy that addresses information security

Protect Card Holder Data

nuBridges (protect data at rest & in transit): nuBridges Protect is designed to make it easier for IT to make your operations PCI DSS compliant. Here are just a few examples:

  • No database or file layout changes required — encrypt a 16-digit credit card number without changing your pre-defined file layout, your application screens, your reports
  • No database downtime during encryption: encryption processes run in the background, allowing high-availability systems to remain active

Supports two data protection methods:

  1. Distributed encryption with centralized key management that does not require a persistent connection between the hub and the spokes – the optimum in performance and availability;
  2. Format Preserving Tokenization™ with central data vault