Thales Blog

Are You Storing Customer Data Properly?

September 1, 2009

With data security cases rising in number and severity, the various industries affected are pulling together in an attempt to reduce the risk of fraud. The Payment Card Industry Data Security Standard (PCI DSS), which aims to crack down on fraud associated with credit and debit cards, is one such example of this cooperation. However, the implementation of PCI DSS is not without its challenges and these must be overcome if the standard is to be used as an effective weapon in the fight against card fraud.

PCI DSS aims to prevent any information that could be used to make a counterfeit card or a fraudulent online transaction from falling into the wrong hands. The standard applies to every acquiring bank, merchant and third party that accepts or processes payment cards. It is now mandatory for businesses with over 100,000 transactions a year to either be PCI DSS compliant or be able to demonstrate plans to become so. However, there is one element of the standard which is proving to be a particular stumbling block – requirement 3: protecting the stored cardholder data. In fact, 79 per cent of PCI DSS audit failures are due to companies not implementing requirement 3 properly.

Retailers have to store customer data, for example in order to be able to refund payments. However, in doing so, they must also keep this data secure. While there are various PCI DSS approved techniques for achieving this, strong cryptography is the most sophisticated and successful approach for protecting stored cardholder data, ensuring that the information remains safe even if the other layers are breached. Encryption also allows data to be stored for as long as necessary and as flexibly as possible.

With strong cryptography a secret ‘key’ value is used in an encryption algorithm to protect the cardholder data. As long as this ‘key’ remains secret, the encrypted data is safe. Consequently, the best way to store the secret ‘key’ is to use a cryptographic Hardware Security Module (HSM) that performs all of the encryption and decryption of data and never allows users or applications to see the key. The improved security resulting from this approach is a considerable benefit not only in demonstrating compliance with the PCI DSS but also in mitigating risk for an organisation, and avoiding fines and penalties associated with non-compliance.

Compliance with PCI DSS may be perceived by the industry as another regulatory burden that they could do without, particularly when it comes to implementing the more challenging requirements such as protecting stored cardholder data. However, as fraudsters become increasingly sophisticated and data breaches among retailers continue to regularly make the headlines, PCI DSS compliance should be viewed as an opportunity to review security processes and ensure that it is not your company name hitting the headlines in tomorrow’s newspapers.