- Ensuring that clear-text account data is never accessible
- Rendering primary account numbers (PAN) unreadable via encryption, tokenization or other forms of obfuscation
- Securing encryption keys from misuse and establishing separation of duties between administrators and key custodians
The Payment Card Industry Data Security Standard (PCI DSS) gives specific requirements for using encryption to protect credit and financial account data. Coalfire, an independent IT audit firm (see Section 5: Certification and Validation), found that the CipherCloud encryption and tokenization capabilities adhere to the PCI DSS requirements. The standard accepts the following methods for rendering stored PAN unreadable:
- One-way hash functions based on strong cryptography – the hash must be computed over the entire PAN, so the stored value cannot be reversed to recover the account number.
- Truncation – removing a critical segment of the field, such as storing or displaying only the last four digits (hashing may not be used to stand in for the truncated segment).
- Index tokens and securely stored pads – an index token is a surrogate value that points to the record where the real PAN resides; a pad is a random one-time key that is combined with the plaintext PAN, and the pads must themselves be stored securely.
- Strong cryptography – with associated key-management processes and procedures. (Refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations and Acronyms for the full definition of “strong cryptography.”)
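The following Python block is an added example written for this page; it is not CipherCloud code and makes no claim about how the product implements these methods. It works through three of the PCI DSS methods listed above on a constructed, well-known Luhn-valid test number: truncation to the last four digits, a one-way hash (showing why a plain hash of a low-entropy PAN must be keyed, since a truncated PAN plus an unkeyed hash of the same PAN lets an attacker enumerate the few unknown digits), and an index-token vault that keeps the PAN on the enterprise side. The HMAC key, the `TokenVault` class and the convention that tokens are deliberately Luhn-invalid are assumptions of the example.

```python
"""PCI DSS PAN-unreadability methods demonstrated on a constructed test PAN (added example)."""
import hashlib
import hmac
import itertools
import secrets
from typing import Optional

# Constructed input: a well-known Luhn-valid test number, not a real account.
TEST_PAN = "4111111111111111"
# Hypothetical keyed-hash secret; in production it lives in an HSM or key manager
# under the separation of duties described above.
HASH_KEY = secrets.token_bytes(32)


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation; used to prune brute-force candidates and to shape tokens."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep only the last four digits and mask the rest."""
    return "*" * (len(pan) - 4) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """A plain SHA-256 of the PAN: one-way, but brute-forceable because PANs have little entropy."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA-256 over the entire PAN. Without the key an attacker cannot enumerate
    candidate PANs and compare digests, which is what defeats the attack below."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan_from_unkeyed_hash(digest: str, prefix: str, suffix: str, unknown: int) -> Optional[str]:
    """Invert an unkeyed hash when the leading digits (prefix) and last four (suffix) are known,
    which is exactly what a truncated PAN leaks. Only Luhn-valid candidates are hashed."""
    for digits in itertools.product("0123456789", repeat=unknown):
        candidate = prefix + "".join(digits) + suffix
        if luhn_valid(candidate) and unkeyed_hash(candidate) == digest:
            return candidate
    return None


class TokenVault:
    """Index tokens: a random surrogate that preserves length and last four digits,
    mapped to the PAN in a vault kept inside the enterprise boundary (hypothetical design)."""

    def __init__(self) -> None:
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]  # same PAN always maps to the same token
        while True:
            random_part = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = random_part + pan[-4:]
            # Deliberately Luhn-invalid so a token can never be mistaken for a live PAN
            # (an assumption of this example, not a PCI DSS requirement).
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault, inside the enterprise, can map a token back to the PAN."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    print("truncated:", truncate_pan(TEST_PAN))
    leaked = unkeyed_hash(TEST_PAN)
    print("recovered from unkeyed hash:", recover_pan_from_unkeyed_hash(leaked, "41111111", "1111", 4))
    print("keyed hash:", keyed_hash(TEST_PAN, HASH_KEY))
    vault = TokenVault()
    token = vault.tokenize(TEST_PAN)
    print("token:", token, "-> detokenized:", vault.detokenize(token))
```

The brute force succeeds against `unkeyed_hash` because a 16-digit PAN with a known issuer prefix and a displayed last four leaves only a few thousand Luhn-valid possibilities; the same search is pointless against `keyed_hash` without `HASH_KEY`, which is why the key must be controlled as tightly as an encryption key.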
As a pioneer in cloud data protection, CipherCloud provides several AES-based encryption and tokenization options that replace sensitive values with surrogate values that respect the original format and preserve the native features of supported cloud applications, such as searching, sorting and reporting. Customers retain full control of their data and encryption keys, which stay within the enterprise network. Additional key characteristics of CipherCloud include:
- Support for key rotation
- Centralized logging and auditing of user activities in the cloud
- Rapid configuration and deployment
- Stateless and high-performance architecture
- Subscription based pricing that eliminates up-front capital expenditure
Breach Notification Requirements & Exemptions
Most jurisdictions require notification of affected individuals or regulators when cardholder or other personal data is exposed in a breach. Many of these laws treat encryption as a “critical component” and exempt data that was adequately encrypted at the time of the breach, provided the encryption keys were not compromised as well.