Payment Card Industry Data Security Standards
The Payment Card Industry Data Security Standard (PCI DSS) is a set of industry-mandated security requirements for credit and debit card transaction processing. PCI DSS applies to stores, online retailers, and other organizations, and covers a broad range of security topics including network configuration, data protection, internal control, and policy development.
A council composed of major credit card corporations is responsible for maintaining PCI DSS requirements. While compliance is not mandated by United States federal law, some state laws require that payment processors comply with PCI DSS or similar standards.
Any organization that processes credit or debit card transactions, or that transmits or stores any form of cardholder data, is required to comply with PCI DSS. Specific obligations can vary based on an organization’s transaction volumes. Merchants processing several million transactions per year, for example, are subject to more frequent and more rigorous compliance assessments than smaller merchants. However, all organizations must meet high standards for protection of cardholder data:
- PCI DSS Requirement 3.1 calls for organizations to purge unnecessary stored cardholder data on a quarterly basis, or more frequently.
- PCI DSS Requirement 3.2 prohibits organizations from storing authentication data such as magnetic stripe data or cardholder PINs.
- PCI DSS Requirement 3.4 states that an account number should be rendered unreadable anywhere it is stored, including on portable and backup media, in logs, and in data received from or stored by wireless networks. Acceptable forms of protection include truncation, tokenization, and strong encryption.
- Requirement 4.1 states that strong cryptography should be used to "safeguard sensitive cardholder data during transmission over open, public networks."
- Requirement 4.2 states that cardholder data should never be sent in an unencrypted email.
Organizations that fail to meet PCI DSS requirements are subject to a range of penalties including fines, increased transaction fees, and cancellation of processing privileges.
Meet PCI DSS Requirements with Smartcrypt
PKWARE’s Smartcrypt platform allows organizations to protect cardholder data with strong encryption, satisfying (and in some cases exceeding) several PCI DSS requirements.
Smartcrypt's automated workflow allows organizations to find and remediate cardholder data on servers and endpoint devices without user intervention. Smartcrypt agents scan new and modified files to determine whether they contain account numbers or other sensitive information. If a file contains sensitive data, Smartcrypt can take a variety of corrective actions, based on the organization's security policies:
- Masking or redacting account numbers within files
- Deleting files containing prohibited information
- Deleting files that are no longer necessary based on the organization's data retention policy
- Moving files to quarantine locations
- Encrypting files
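As an added example (not PKWARE's code), here is the core of the kind of check a file-scanning agent like the one described above performs: find candidate account numbers in text, confirm them with the Luhn mod-10 check that real card numbers satisfy, and truncate them to the first six and last four digits, which is the most PCI DSS allows to remain visible. The regex and the sample log lines are constructed for illustration; the card numbers are well-known test numbers, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (test card numbers, not real accounts).
LOG = """2024-05-01 10:22:13 checkout ok card=4111 1111 1111 1111 exp=12/26
2024-05-01 10:22:15 order id=1234567890123456 total=19.99
2024-05-01 10:22:19 refund card=5500-0000-0000-0004 amount=5.00
"""

def luhn_valid(digits: str) -> bool:
    """Issuer mod-10 check; weeds out most random digit runs such as order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _pan_digits(span: str) -> str:
    """Strip separators; return the digits only if they pass the Luhn check, else ''."""
    digits = re.sub(r"[ -]", "", span)
    return digits if luhn_valid(digits) else ""

def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid candidate PAN (digits only) found in text."""
    return [d for d in (_pan_digits(m.group()) for m in PAN_CANDIDATE.finditer(text)) if d]

def truncate_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to stay visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def redact_text(text: str) -> str:
    """Replace each Luhn-valid PAN in text with its truncated form; leave other numbers alone."""
    def repl(m: re.Match) -> str:
        digits = _pan_digits(m.group())
        return truncate_pan(digits) if digits else m.group()
    return PAN_CANDIDATE.sub(repl, text)

if __name__ == "__main__":
    print(find_pans(LOG))
    print(redact_text(LOG))
```

The 16-digit order id on the second line fails the Luhn check and is left untouched, which is the usual first filter against false positives before a scanner escalates a file for masking, quarantine, or encryption.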
When encrypting files, Smartcrypt applies persistent data-level protection using AES encryption with keys of up to 256 bits, which exceeds PCI DSS requirements. Encrypted information remains unreadable by unauthorized users, even in the event of a security breach. With Smartcrypt, even the most sensitive information can be sent via open, public networks without additional layers of protection. Smartcrypt encryption meets the enhanced PCI DSS requirements for data transmission that took effect in 2016.
The integration of ZIP compression with strong encryption not only secures the information but also makes it portable and efficient to exchange across all major enterprise computing platforms.
PKWARE’s innovative Smartkey technology automatically generates, synchronizes, and exchanges encryption keys according to your organization’s security policies, making the process automatic for end users. Smartkeys can be managed using Smartcrypt’s administration console and can be stored on third-party dedicated key management appliances.