In this tip, we explore the second major requirement of the Payment Card Industry Data Security Standard (PCI DSS) in-depth: protecting cardholder data. This section of PCI contains provisions regarding the use of effective security controls during the storage and transmission of sensitive cardholder data. While this information will help you get off to a good start, remember that there is no substitute for an in-depth reading of the entire
REDUCE CARDHOLDER DATA YOU STORE AND TRANSMIT
Before you begin a discussion in your organization about secure transmission and storage of cardholder data, you should review the business justification for each process that causes you to store or transmit this type of data. In my experience, many of these business processes are done simply because "we've always done it this way" and don't have a legitimate basis in business requirements.
Each time you reduce the amount of cardholder data you store or transmit, you also reduce the risk to your organization of a security incident involving that data and/or the magnitude of an incident should one occur.
Minimization isn't just a good idea; it's required by PCI DSS.
The first part of section three requires that you "keep cardholder data storage to a minimum." It also requires that you implement data retention policies that minimize the length of time you store this data. In addition, PCI DSS requires that you immediately discard certain extremely sensitive pieces of information after transaction authorization:
- Full contents of magnetic stripe data (other than name, account number, expiration date and service code)
- Three- or four-digit card verification code/value (often referred to as the "CVV code", "CVC code" or "security code")
- For debit cards, the PIN or encrypted PIN block
- Finally, in cases where you must display card numbers (e.g. on a receipt or order confirmation), you must mask all but the first six and last four digits of the number. This is commonly done by replacing the other digits with an asterisk or X. For example, a masked card number might appear as "4128 00XX XXXX 3703".
ENCRYPTION REQUIRED FOR STORED CARDHOLDER DATA
Once you've minimized the amount of data you keep, you must take steps to obfuscate or encrypt card numbers when you store them within your systems or transmit them across public networks. You have several options for obfuscating card numbers on storage media:
- One-way hashes made using a secure hashing algorithm (e.g. SHA-256 or SHA-512)
- Truncation/masking card numbers
- Index tokens and pads
- Strong cryptography (e.g. AES or 3DES)
Remember, this requirement applies not only to the hard drives that store data on servers, but also any portable media, backup media or logs that may contain card numbers.
You must use strong cryptography to protect sensitive cardholder data when transmitting card numbers over an "open, public network" (which includes the Internet, wireless networks and cellular data networks). The easiest way to achieve this is to use SSL or TLS in conjunction with a strong cryptographic algorithm to secure all such transmissions. Also, never use email, instant messaging or chat to transmit unencrypted card numbers. This may be glaringly obvious to security professionals, but it occurs so frequently that PCI DSS section 4.2 mentions the risk explicitly.
Finally, if you transmit cardholder data over wireless networks or have a wireless network connected to your cardholder data environment, you must use WPA encryption to protect the network. Older versions of PCI DSS allowed the use of WEP with compensating controls, but the latest version prohibits the use of new WEP implementations and requires current implementations be phased out by June 2010.
IMPLEMENT AND DOCUMENT KEY MANAGEMENT
Encryption is only as good as the security of the encryption keys. If your keys are intentionally or accidentally disclosed, it doesn't matter how strong of an encryption algorithm you've chosen. Therefore, PCI DSS requires that you limit access to cryptographic keys to the smallest number of people possible and store them securely in as few places as possible. It also requires that you implement and document a formal key management program describing the security controls in place to protect your encryption keys.
In this article, I've reviewed with you the importance of minimizing your storage and transmission of cardholder data and the value of using strong encryption to protect the data you must keep. Remember that the correct use of strong cryptographic algorithms and solid key management practices is essential to the security of cardholder data under your care and critical to your compliance with PCI DSS.
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a contributor to SearchMidmarketSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the "CISSP Prep Guide" and "Information Security Illuminated."
Send comments on this technical tip firstname.lastname@example.org.
This was first published in June 2009