PCI Data Security Compliance

The Payment Card Industry (PCI) Security Standards Council provides specific recommendations on the use of encryption to protect credit card and financial account information. Coalfire, an independent IT audit firm, found that CipherCloud's encryption and tokenization capabilities adhere to PCI-DSS requirements.

Protection Required:

  • Ensuring that clear-text account data is never accessible
  • Rendering primary account numbers (PAN) unreadable via encryption, tokenization or other forms of obfuscation
  • Securing encryption keys against misuse and establishing separation of administrative duties and key control

Acceptable methods of rendering data unreadable are defined as:

  • One-way hash functions based on strong cryptography, which display only index data pointing to the records in the database where the sensitive data actually resides.
  • Truncation – removing a critical segment of field data, such as showing only the last four digits.
  • Index tokens and securely stored pads – encryption algorithms that combine sensitive plaintext data with a random key or “pad” that is used only once.
  • Strong cryptography – with associated key management processes and procedures. (Refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms for the full definition of “strong cryptography.”)
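The three non-encryption methods above, applied to a PAN, as an added illustration (not code from CipherCloud or the PCI SSC): truncation to the last four digits, a keyed one-way hash used as an index, and a vault that hands out random index tokens in place of the PAN. The 32-byte key passed to the vault and the sample PAN are constructed for the example; the vault keeps its PAN table in memory, where a real one would encrypt that store under a separately controlled key.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Mod-10 check used by card numbers; rejects malformed input early."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(pan)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep only the last four digits, mask the rest."""
    return "*" * (len(pan) - 4) + pan[-4:]


def hash_index(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256). An unkeyed hash of a PAN is
    brute-forceable because the PAN space is small and partly predictable."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Index tokens: a random surrogate stands in for the PAN everywhere except
    inside the vault, so systems holding only tokens hold no account data."""

    def __init__(self, key: bytes) -> None:
        self._key = key                              # constructed sample key
        self._pan_by_token: dict[str, str] = {}
        self._token_by_index: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        idx = hash_index(pan, self._key)             # look up without a clear-text key
        if idx not in self._token_by_index:          # same PAN always gets the same token
            token = secrets.token_hex(8)             # random: carries no information about the PAN
            self._token_by_index[idx] = token
            self._pan_by_token[token] = pan
        return self._token_by_index[idx]

    def detokenize(self, token: str) -> str:
        """Only the vault, behind its own access controls, can reverse a token."""
        return self._pan_by_token[token]
```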

Breach Notification Requirements and Exemptions

In most countries, public notification is required for breaches of PCI-DSS data. Yet encryption is viewed as a “critical component”, and where it has been adequately applied there are exemptions from breach notification requirements.


CipherCloud Helps PCI Compliance with:

  • Strong encryption and tokenization for cloud data, meeting GDPR standards for data protection
  • Encryption keys controlled exclusively by customers, meeting “pseudonymization” requirements
  • Exemption from breach notification requirements by effectively anonymizing data
  • Technology specifically called for to meet Privacy by Design and Default principles
  • Dramatic reduction in audit scope by removing data exposure to cloud providers
