Guide to PCI DSS – Part 3: Protecting Data
Welcome to SandStorm IT’s 6-part series about Payment Card Industry Data Security Standard (PCI DSS). In this series, we’ll cover what PCI DSS is and the various requirements:
- Part 1 – What is PCI DSS?
- Part 2 – Building and Maintaining a Secure Network
- Part 3 – Protecting Data (You are here)
- Part 4 – Further Protection on Systems
- Part 5 – Access Control
- Part 6 – Wrap-up
In our last post I provided a basic introduction to PCI DSS and a summary of Requirements 1 & 2. Now it is time to dive into Requirements 3 & 4, which deal with the protection of customer data.
Protect Cardholder Data – Requirements 3 & 4
Straight from the PCI DSS QuickStart Guide: “Cardholder data refers to any information printed, processed, transmitted or stored in any form on a payment card. You are expected to protect cardholder data and to prevent its unauthorized use – whether the data is printed or stored locally, or transmitted over an internal or public network to a remote server or service provider.”
Requirement 3: Protect stored cardholder data
Cardholder data should not be stored unless it is necessary to meet the needs of the business. If it is stored, it must be encrypted so that it is unreadable, with encryption key management processes and procedures in place. Limit cardholder data storage to what is required for business or regulatory purposes, and document that retention in your data retention policy. Masking the primary account number (PAN) is important so that only authorized people can see more than the last four digits.
You should not write down and/or store credit card numbers, a practice I see in my personal life, especially when paying by phone.
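As an added example (not code from the original post), the following shows the masking described above applied to a constructed log line: card-like numbers that pass the Luhn check are reduced to their last four digits before the line is stored, while other long digit strings (order ids, timestamps) are left alone. The sample log line and the test card number are constructed for the example.

```python
import re

# Candidate PANs: 13 to 19 consecutive digits, the lengths used by the card brands.
_PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN so that only the last four digits remain visible."""
    return "*" * (len(pan) - 4) + pan[-4:]


def redact_pans(text: str) -> tuple:
    """Replace every Luhn-valid card-like number in text with its masked form.

    Returns (redacted_text, number_of_pans_found). Digit runs of 13-19 that
    fail the Luhn check are assumed not to be PANs and are left untouched.
    """
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        if luhn_valid(m.group(0)):
            count += 1
            return mask_pan(m.group(0))
        return m.group(0)

    return _PAN_RE.sub(_sub, text), count


# Constructed sample: an application log line that captured a full PAN.
# 4111111111111111 is a widely used test card number, not a real account.
SAMPLE_LOG = "INFO order=1234567890123456 pan=4111111111111111 amount=19.99"

if __name__ == "__main__":
    redacted, found = redact_pans(SAMPLE_LOG)
    print(found, redacted)
```

The order id in the sample is 16 digits but fails the Luhn check, so it survives redaction; the PAN does not.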
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Any transmission of cardholder data that is not encrypted can be intercepted.
Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks (e.g. the Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications). There are specific requirements for strong encryption that are outside the scope of this blog post. Never send unprotected primary account numbers using an end-user messaging system such as email, SMS, or chat.
Summary of Requirements 3 & 4
This just scratches the surface of Requirements 3 & 4. The bottom line is that you must understand these requirements and you must protect your customers' cardholder data just as you would protect your own.
SandStorm IT can help you determine what may be applicable to your business and what may not. We can be reached at 901-475-0275.