Payment Card Industry Data Security Standard (PCI DSS) Auditing and Compliance

Over 200 tests against six core principles

The PCI DSS standard (www.pcisecuritystandards.org) involves assessment against over 200 tests that fall into 12 general security areas representing six core principles. These PCI DSS tests span a wide variety of common security practices along with technologies such as encryption, key management and other data protection techniques.

Risks Associated with PCI DSS Auditing and Compliance

• Failure to comply with PCI DSS compliance requirements can result in fines, increased fees or even the termination of your ability to process payment card transactions.
• Complying with the PCI DSS cannot be considered in isolation; organisations are subject to multiple security mandates and data breach disclosure laws or regulations. On the other hand, PCI compliance projects can easily be side-tracked by broader enterprise security initiatives.
• Guidance and recommendations linked to PCI DSS requirements include common practices that are likely to be already in place. However some aspects, specifically those associated with encryption, might be new to the organisation and implementations can be disruptive, negatively impacting operational efficiency if not designed correctly.
• It is all too easy to end up with a fragmented approach to security based on multiple proprietary vendor solutions and inadequate technologies that are expensive and complex to operate.
• Opportunities exist to reduce the scope of PCI DSS compliance obligations and therefore reduce cost and impact; however, organisations can waste time and money if they do not exercise care to ensure that new systems and processes will in fact be accepted as PCI DSS compliant.

An Integrated Compliance Solution

Drawing on decades of experience helping banks and financial institutions comply with industry mandates, Thales offers integrated products and services that enable your organisation to protect stored cardholder data, encrypt it for transfer and restrict access on a need-to-know basis. In addition, Thales works closely with partners to offer comprehensive solutions that can reduce the scope of your PCI DSS compliance burden.

Addressing the Core Principles of PCI DSS

Thales offers comprehensive PCI DSS compliance software solutions that help organisations address the six core principles of PCI DSS:

• Protect cardholder data at rest: Thales’ CipherTrust Manager and Luna Hardware Security Modules (HSMs) enable organisations to centrally manage encryption keys and deliver a variety of encryption, tokenisation and data masking solutions to protect cardholder data in files, folders, applications and databases in both traditional and cloud or virtualised environments.
• Encrypt cardholder data in motion: Thales High Speed Encryptors (HSE) encrypt all data that traverses open networks between point-of-sale devices and systems that process cardholder data.
• Develop and maintain secure system and applications: Thales Luna HSMs enable organisations to securely store signing material in a trusted hardware device, ensuring the authenticity and integrity of any application code files.
• Implement strong access control measures: Thales CipherTrust products can be setup for unique, multifactor administrative access to systems that store cardholder data. In addition, SafeNet Trusted Access enables you to centrally manage unique user identities, risk-based authentication policies and add/revoke access to systems in your Cardholder Data Environment (CDE).
• Track and monitor all access to cardholder data: All products in the Thales CipherTrust data protection portfolio produce audit records that log any encryption key lifecycle operations (creation/deletion/rotation/revocation) and other administrative functions that can be used to reconstruct events.