Protecting Cardholder Information: PCI Compliance Basics
Cardholder data refers to any information that is printed, processed, stored or transmitted during a transaction. This data may be printed, stored locally or transmitted over a network to a backup server or service provider. Organizations that accept debit and credit cards must be sure that they are protecting this data and preventing its unauthorized use. Your PCI compliance training should cover these basics to keep that data secure.
Storage Protection Requirements
Cardholder data should never be stored unless it is required to meet a specific business need. Any and all sensitive data on the chip and magnetic stripe must never be stored. If the organization stores the PAN, it must be rendered unreadable. It is recommended to limit both the amount of cardholder data stored and its retention time frame; this supports legal and regulatory compliance. Most data retention policies purge stored data at least every quarter. After authorization, only specific, encrypted authentication data may be securely stored.
PAN Control and Management
It is recommended to mask the Primary Account Number (PAN) whenever it is displayed in public. Organizations may display at most the first six and the last four digits. This limit does not apply to authorized staff with a legitimate business reason to see the full PAN. Point-of-sale receipts should never display the PAN or other sensitive cardholder data. When PANs are stored, such as in software logs and digital backups, and when they are transmitted, such as over wireless networks, they must be rendered completely unreadable. Business technology solutions for this include strong cryptography, truncation and one-way hash functions.
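The three treatments the paragraph names are easy to confuse, so here is an added example (not code from the original page or from Interactive Services) that keeps them apart: masking for display, truncation for storage, and a keyed one-way hash for matching a returning card. The PAN and key below are constructed sample values; the key is assumed to come from a protected key store.

```python
"""Display, storage and lookup forms of a PAN, kept deliberately distinct."""
import hashlib
import hmac

# Constructed sample values: a well-known test PAN and a placeholder key.
SAMPLE_PAN = "4111 1111 1111 1111"
SAMPLE_KEY = b"hypothetical-key-material-from-a-protected-key-store"


def normalize_pan(pan: str) -> str:
    """Strip separators and reject anything that is not 13 to 19 digits."""
    cleaned = pan.replace(" ", "").replace("-", "")
    if not cleaned.isdigit() or not 13 <= len(cleaned) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return cleaned


def luhn_valid(pan: str) -> bool:
    """Luhn check digit validation; rejects obviously mistyped PANs early."""
    total = 0
    for i, ch in enumerate(reversed(normalize_pan(pan))):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 9 // 2 + 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits only, the rest hidden."""
    d = normalize_pan(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form: the middle digits are discarded, not merely hidden,
    so the stored value can never be turned back into the full PAN."""
    d = normalize_pan(pan)
    return d[:6] + d[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed one-way hash for recognising a repeat card without storing it.
    A plain unkeyed hash would not do: the PAN space is small enough to
    enumerate, so the secret key is what makes the hash non-reversible and
    it must be protected like any other cardholder-data key."""
    d = normalize_pan(pan)
    return hmac.new(key, d.encode("ascii"), hashlib.sha256).hexdigest()
```

Masking and truncation both expose the same ten digits; the difference is that a masked value still has the full PAN behind it and must be protected as cardholder data, while a truncated value does not.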
Comprehensive Data Protection
Employees must be trained to protect the cryptographic keys used to encrypt cardholder data from misuse and disclosure. Management must fully document, implement and keep up to date the policies and procedures for managing the cryptographic keys that protect cardholder data. The organization must use strong cryptography and security protocols, such as SSH, IPSec and SSL/TLS, to protect cardholder data during transmission over public networks. This includes GSM, GPRS, the Internet and wireless solutions. Industry best practices for secure authentication and transmission, such as IEEE 802.11i rather than WEP, are recommended.
To review, cardholder data elements, such as the PAN, cardholder name, service code and expiration date, may be stored under certain circumstances. Sensitive authentication data, such as the CAV2, CVC2, CVV2 and CID, cannot be stored. Interactive Services provides specialized training solutions that will ensure that your employees maintain the highest standards of cardholder data protection. Contact us now to start.