PCI
The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard created to protect customer account data from unauthorized access and misuse. To meet the PCI security specification for credit card storage, the following objectives must be met:
- Protect the credit card number, expiration date, service code and cardholder's name from unauthorized logical or physical access
- Use access controls to provide separation of duties between administrators and users who access credit card numbers
- Securely store encryption keys, protecting them from exposure, unwanted replacement or misuse, and establish procedures to provide ‘dual control’ over key management
- Log access and administration of key management and PAN data storage systems
- Document your process and protection measures
Highlights
While PCI DSS serves more as general guidance than an operational checklist, it requires organizations to render stored Primary Account Numbers (i.e. credit card numbers) unreadable. You can hash, truncate, tokenize, or employ other forms of irreversible obfuscation, but it’s likely that you will need to keep the original data and occasionally access it for payment remediation or auto-payment. Thus encryption or tokenization is usually the answer, and even when you use tokenization you still need to encrypt the original PAN data in the secure token database.
In case of encryption, the solution must provide several other key management features to comply with PCI:
- Split Knowledge: To provide administrative separation of duties, two or more persons must separately have key components which individually convey no knowledge of the resultant key.
- Re-Keying/Key Rotation: This is the procedure for replacing a key that may have been compromised or has reached the end of its cryptoperiod. If a key is no longer trusted, all data encrypted under it should be re-encrypted under a new key. The PCI specification recommends key rotation once a year.
- Key Identification: There are two considerations here. If keys are rotated, the key management system must have some method to identify which key was used. Further, PCI requires that key management systems detect key substitutions.
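The three key management features above, worked through as an added example that is not CipherCloud's code: custodians' key components are XORed into the working key (split knowledge), each installed key carries an ID and a check value so a substituted key is rejected (key identification), and every encrypted PAN record names its key so stale records can be re-encrypted under the current key (rotation). The cipher is an HMAC-SHA256 counter-mode stand-in for AES so the block runs with only the standard library; the KCV construction is likewise an assumption for the demo, not the X9.24 zero-block KCV.

```python
import hashlib
import hmac
import secrets

def combine_components(components):
    # Split knowledge: key = XOR of all custodians' components; any subset reveals nothing.
    key = bytes(len(components[0]))
    for c in components:
        if len(c) != len(key):
            raise ValueError("component length mismatch")
        key = bytes(a ^ b for a, b in zip(key, c))
    return key

def key_check_value(key):
    # Check value stored beside the key ID (HMAC-based demo, not the X9.24 KCV).
    return hmac.new(key, b"KCV", hashlib.sha256).hexdigest()[:6]

def keystream(key, nonce, length):
    # Stand-in for AES (demo only): HMAC-SHA256 driven in counter mode.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))

class KeyRing:
    def __init__(self):
        self.keys = {}       # key_id -> working key
        self.current = None  # key_id used for new encryptions
    def install(self, key_id, components, expected_kcv):
        key = combine_components(components)
        if key_check_value(key) != expected_kcv:
            raise ValueError(f"{key_id}: KCV mismatch, possible key substitution")
        self.keys[key_id] = key
        self.current = key_id
    def encrypt_pan(self, pan):
        nonce = secrets.token_bytes(12)
        ct = xor(pan.encode(), keystream(self.keys[self.current], nonce, len(pan)))
        return {"key_id": self.current, "nonce": nonce, "ct": ct}
    def decrypt_pan(self, rec):
        # Key identification: the record names the key it was encrypted under.
        key = self.keys[rec["key_id"]]
        return xor(rec["ct"], keystream(key, rec["nonce"], len(rec["ct"]))).decode()
    def rotate(self, rec):
        # Re-keying: records still under a retired key are re-encrypted under the current one.
        if rec["key_id"] == self.current:
            return rec
        return self.encrypt_pan(self.decrypt_pan(rec))
```

The key IDs, component values and the constructed PAN 4111111111111111 used when exercising it are sample data, not values from any real deployment.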
PCI DSS' Impact on Cloud Computing
PCI DSS addresses cloud computing as an instance of "shared hosting", and specifies that providers must segregate cardholder data environments, enforce access control, and support logging, audit trails, and forensic investigations. In practice, the lack of granular encryption controls, key management, and auditing controls in most cloud applications makes it challenging to comply with PCI DSS requirements.
Why CipherCloud
As a pioneer in cloud data protection, CipherCloud provides various highly secure AES-based encryption and tokenization options to replace sensitive information with anonymous values that respect formatting, and preserve all native features and functionality of compatible cloud solutions, such as searching, sorting, and reporting. Customers retain full control of data and encryption keys within their enterprise network. Additional key characteristics of CipherCloud include:
- Centralized logging and auditing of user activities in the cloud
- Rapid configuration and deployment
- Stateless and high-performance architecture
- Subscription based pricing that eliminates up-front capital expenditure
Conclusion
Payment-card fraud predates electronic banking and commerce, but the sophistication and reach of today's attacks surpass anything yet seen. For each instance of non-compliance with PCI DSS, various penalties are levied on merchants and service providers, which can include:
- Suspension of credit card transaction processing abilities
- Loss of reputation and customer trust
By implementing CipherCloud, you can reap the benefits of migrating applications containing credit card information to the cloud, such as reduced cost, faster deployment, agility, and scalability, while ensuring compliance with PCI DSS.