At the heart of the PCI DSS is the need to protect any cardholder data that you store. The standard provides examples of suitable cardholder data protection methods, such as encryption, tokenization, truncation, masking, and hashing. By using one or more of these protection methods, you can effectively make stolen data unusable.
Protecting stored data isn’t a “one size fits all” concept. You should think of PCI DSS Requirement 3 as being the minimum level of security that you should implement to make life as difficult as possible for potential attackers.
You need to know all locations where data is stored (a big incentive to minimize your data footprint). Requirement 3 also provides guidance about which data can — and can’t — be stored. One of the best pieces of advice in this requirement is “If you don’t need it, don’t store it.”
The PCI DSS standard requires you to render a primary account number (PAN) unreadable anywhere it’s stored, including portable storage media, backup devices, and even audit logs (which are often overlooked). The deliberate use of the word unreadable by the PCI Security Standards Council allows the council to avoid mandating any particular technology, which in turn future-proofs the requirements. Despite this fact, Requirement 3.4 provides several options:
Whatever approach you intend to use to render your stored data unreadable, you need to secure the associated cryptographic keys. Strong encryption is useless if it’s coupled with a weak key management process. The standard provides detailed guidance on managing keys, guidance that closely resembles the way banks and other financial institutions are required to secure their cryptographic keys. Additional requirements call on you to fully document the way you implement and manage various keys throughout their life cycles.
Your success in managing keys depends on having good cryptographic key custodians: people you trust who won’t collude to attack your systems. These people are required to formally acknowledge that they understand and accept their key-custodian responsibilities.
Also, you must ensure that security policies and operational procedures for protecting stored cardholder data are documented, used, and known to all affected parties within your organization.
Don’t underestimate the critical importance of strong key management, and don’t try to take shortcuts. Your Qualified Security Assessor will find your errors, and attackers may find them too.
The standard provides some very specific advice regarding the display of a PAN: Display the full range of digits (normally, 16) only to those personnel who must view it for business reasons. In all other cases, you must implement masking to ensure that no more than the first six digits and the last four digits of the PAN are displayed.
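The masking rule above, together with the audit-log case mentioned earlier, as an added example that is not from the book: a display mask that never shows more than the first six and last four digits, and a redaction pass that masks Luhn-valid 13-19 digit runs before a log line is written. The sample PANs and log line are constructed test values, not real accounts.

```python
import re

# Constructed sample log line: one Luhn-valid test PAN and one 13-digit
# order id that is not Luhn-valid (shows why the checksum is worth running).
SAMPLE_LOG = "2024-05-01 user=alice pan=4111111111111111 order=1234567890123 amt=12.50"


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by card brands; a cheap filter for 'is this a PAN?'."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, lead: int = 6, trail: int = 4) -> str:
    """Mask a PAN for display. PCI DSS allows at most the first six and last
    four digits to be shown; callers may show fewer (e.g. lead=0, trail=4)."""
    if not re.fullmatch(r"\d{13,19}", pan):
        raise ValueError("PAN must be 13-19 digits")
    if not 0 <= lead <= 6 or not 0 <= trail <= 4:
        raise ValueError("at most first six and last four digits may be displayed")
    hidden = len(pan) - lead - trail
    # pan[-0:] would return the whole string, so slice from the front instead
    return pan[:lead] + "*" * hidden + pan[len(pan) - trail:]


# 13-19 digit run not adjacent to other digits (avoids splitting longer numbers)
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid 13-19 digit run in free text (e.g. an audit log
    line) with its masked form. Luhn-valid non-PANs are masked too; for a
    redaction filter that false positive is the safe direction."""
    def _mask(m: re.Match) -> str:
        run = m.group(0)
        return mask_pan(run) if luhn_valid(run) else run
    return PAN_CANDIDATE.sub(_mask, text)


if __name__ == "__main__":
    print(mask_pan("378282246310005"))   # 378282*****0005
    print(redact_pans(SAMPLE_LOG))
```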
Note: This material is drawn from PCI Compliance & Data Protection for Dummies, Thales Limited Edition, by Ian Hermon and Peter Spier. Please refer to it for more detail on these topics.