Protect Cardholder Data

Requirement 3: Protect stored cardholder data #

Protecting the card holder’s information is one of the most critical tasks organizations should do. A sound data protection system is an essential part of proactive risk mitigation. PCI DSS framework lists seven requirements and related test procedures to check. Some of the requirements include the instruction to have,
1. Policies and procedures in place for data protection.
2. Details of how to protect the data.
3. Methods to display information (information masking, truncation, etc.)

• 3.1 Keeping cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes.
• 3.2 Sensitive authentication data should not be stored after authorization even if it is encrypted.
• 3.3 PAN should be masked in such a way that only people with real business needs can view more than the first six or last four digits of the PAN.
• 3.4 It involves rendering PAN unreadable whereever it is store. It can be done using either one-way hashes or truncation or index tokens and pads or by strong cryptography with associated key-management processes and procedures.
• 3.5 Proper documentation and implementation should be done to protect keys that are used to secure stored cardholder data against disclosure.
• 3.6 Proper documentation and implemention of all key management processes and procedures for cryptographic keys that are used to encrypt of cardholder data.
• 3.7 Security policies and operational procedures for protecting stored cardholder data are well documented and known to all affected parties.

Requirement 4: Encrypt transmission of cardholder data across open, public networks #

Creating a secure way of transmitting stored information is another information framework that organizations need to comply with. Creating appropriate policies and processes to maintain specific data transmission is unavoidable.

• 4.1 Strong cryptography and security protocols have to be implemented to safeguard the sensitive cardholder data during transmission over open, public networks.
• 4.2 Unprotected PAN should never be sent by enduser messaging technologies like sms, chats, mail.
• 4.3 Security policies and operational procedures for encrypting transmissions of cardholder data should be well documented and known tp all affected parties.