PCI DSS Auditing and Compliance

PCI DSS compliance is required of any merchant that processes card payments. Thales e-Security can help merchants achieve and maintain this compliance.


Merchants, banks, and other parties that play a role in processing credit and debit card payments must protect the privacy of account data—both to meet core business goals and to fulfill obligations under the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS defines strict compliance requirements for the processing, storage, and transmission of account data. PCI DSS compliance must be validated periodically, and failure to comply can result in fines or even the termination of the ability to process credit cards.

Thales e-Security can help organizations working with cardholder data meet the PCI DSS requirements.

Over 200 Tests against Six Core Principles

The PCI DSS standard (www.pcisecuritystandards.org) involves assessment against over 200 tests that fall into 12 general security areas representing six core principles. These tests span a wide variety of common security practices along with technologies such as encryption, key management, and other data protection techniques.

Risks Associated with PCI DSS Auditing and Compliance
  • Failure to comply can result in fines, increased fees, or even the termination of your ability to process credit cards.
  • PCI DSS compliance cannot be considered in isolation; organizations are subject to multiple security mandates and data breach disclosure requirements. On the other hand, PCI compliance projects can easily be sidetracked by broader security initiatives.
  • PCI DSS includes common practices that are likely to be in place already. But some aspects, specifically those associated with encryption, might be new to the organization, and implementations can be disruptive, negatively impacting operational efficiency if not designed correctly.
  • Opportunities exist to reduce the scope of PCI DSS obligations and therefore reduce cost and impact; however, organizations can waste time and money if they do not take care to ensure that new systems and processes will in fact be accepted as compliant.

An Integrated Compliance Solution

Drawing on decades of experience helping banks and financial institutions comply with industry mandates, Thales e-Security offers integrated products and services that enable you to protect stored cardholder data, encrypt it for transfer, and restrict access on a need-to-know basis. In addition, Thales works closely with partners to offer comprehensive solutions that can reduce the scope of your compliance burden.

Addressing the Six Core Principles of PCI DSS

Thales e-Security offers comprehensive solutions that help organizations address the six core principles of PCI DSS:

  • Protect cardholder data. Compliance requires the encryption of cardholder data flowing over public networks and the protection of stored cardholder data. This begins at the transaction. Thales e-Security nShield and payShield HSMs work with leading mobile device payment acceptance (mPOS) solutions as well as leading payments data protection solutions to protect cardholder data and help ensure PCI DSS compliance. Merchant organizations also need to deploy network encryption and SSL/TLS encryption for protecting data in transit and technologies such as Vormetric Transparent Encryption for storage and database encryption, Vormetric Application Encryption, Vormetric Tokenization with Dynamic Masking, and ‘point-to-point’ encryption to protect data at rest and reduce scope.
  • Implement strong access control measures. All data protection techniques go hand in hand with access controls. Cryptographic technologies such as PKI and digital certificates are widely used to go beyond password-grade security for authenticating users and systems. Furthermore, using the Vormetric Data Security Manager and Vormetric Encryption Key Management to control access to data decryption keys so as to unlock encrypted data only on a “need to know” basis provides a powerful additional layer of security.
  • Build and maintain a secure network. In addition to network level encryption, an important component of network security is the strong authentication of network devices; digital credentials are increasingly employed at the device level to control network access and are an important security consideration for a corporate PKI.
  • Regularly monitor and test networks. One of the challenges of increased use of encryption is that network-based monitoring can be blindsided by attacks operating under the cover of encryption. This creates the need to equip event monitoring and data loss prevention systems with the ability to safely analyze data by temporarily removing the shroud of encryption.
  • Maintain a vulnerability management program. The rise of advanced persistent attacks that attempt to corrupt business applications by injecting malware has brought the use of digital signatures and code signing into focus as a way to prove the integrity and authenticity of business systems and application software.
  • Maintain an information security policy. PCI DSS places great emphasis on establishing a clear separation of duties between staff members to minimize the risk of insider attack. The Vormetric Data Security Manager provides a powerful mechanism to enforce this separation and for creating a trusted record of events to demonstrate compliance.
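The list above mentions tokenization with dynamic masking, need-to-know access to decryption, and a trusted record of events. The following is an added illustration of how those three ideas fit together; it is example code written for this page, not a Vormetric or Thales component. It assumes three hypothetical role names, keeps the token-to-PAN map in memory (a real vault would encrypt it under an HSM-protected key), and uses the well-known test card number 4111111111111111 as a constructed input. Applications outside the vault handle only the random token, which is what takes them out of PCI DSS scope.

```python
"""Toy token vault with dynamic masking and an audit trail (illustrative only)."""
import secrets

# Constructed role names for the example; a real deployment would map these
# to its own identity provider groups.
ROLE_CLEAR = "payments-processor"    # may detokenize to the full PAN
ROLE_MASKED = "customer-service"     # sees only the last four digits
ROLE_NONE = "analytics"              # may work with the token but never the PAN


def luhn_valid(pan: str) -> bool:
    """Return True if pan is 13 to 19 digits that pass the Luhn check digit test."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps random, format-independent tokens to PANs.

    Only this component ever sees a PAN; every lookup is recorded so the
    audit log can be used to demonstrate who accessed what.
    """

    def __init__(self) -> None:
        self._store: dict[str, str] = {}   # token -> PAN (plaintext here for brevity)
        self._audit: list[tuple] = []      # trusted record of events

    def tokenize(self, pan: str) -> str:
        """Validate the PAN, issue a fresh random token and remember the mapping."""
        if not luhn_valid(pan):
            raise ValueError("input is not a syntactically valid PAN")
        while True:
            token = "tok_" + secrets.token_hex(8)   # 64 random bits, no relation to the PAN
            if token not in self._store:
                break
        self._store[token] = pan
        self._audit.append(("tokenize", token))
        return token

    def reveal(self, token: str, role: str) -> str:
        """Return the PAN, a masked PAN, or refuse, depending on the caller's role."""
        pan = self._store.get(token)
        if pan is None:
            raise KeyError("unknown token")
        if role == ROLE_CLEAR:
            self._audit.append(("reveal-full", token, role))
            return pan
        if role == ROLE_MASKED:
            self._audit.append(("reveal-masked", token, role))
            return "*" * (len(pan) - 4) + pan[-4:]   # dynamic masking: last four only
        self._audit.append(("deny", token, role))
        raise PermissionError(f"role {role!r} may not detokenize")

    def audit_log(self) -> list[tuple]:
        return list(self._audit)


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111111111111111")        # constructed test number
    print("token handed to applications:", tok)
    print("customer service sees:", vault.reveal(tok, ROLE_MASKED))
    print("processor sees:", vault.reveal(tok, ROLE_CLEAR))
    try:
        vault.reveal(tok, ROLE_NONE)
    except PermissionError as exc:
        print("analytics denied:", exc)
    print("audit trail:", vault.audit_log())
```

The design point is that the masking decision is made inside the vault, next to the data, rather than in each consuming application: a user whose role does not warrant the full PAN cannot obtain it by calling a different code path, and every decision, including the denial, lands in the same audit trail.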

Using Encryption and Access Control for PCI DSS 3.0 Compliance in AWS

Compliance and security continue to be top concerns for organizations that plan to move their environment to cloud computing. Moreover, achieving PCI compliance is not a simple task.


Vormetric Data Security: Complying with PCI DSS 3.0 Encryption Rules

Learn about the Payment Card Industry Data Security Standard (PCI DSS) 3.0 compliance rules and how Vormetric Transparent Encryption helps achieve PCI DSS encryption...


How Format-Preserving Encryption Tokenization Addresses PCI DSS 3.x Security Requirements, by Fortrex

Since 1997, Fortrex Technologies has served as a trusted security and risk management advisor to its clients throughout the world...

