PAYMENT CARD INDUSTRY (PCI) SECURITY COUNCIL STANDARDS
The PCI Security Standards Council Data Security Guidelines (DSS) provide specific recommendations on the use of encryption to protect credit and financial account information. Coalfire, an independent IT audit group, found that CipherCloud's encryption and tokenization capabilities adhere to PCI-DSS requirements, including:
- Ensuring that clear-text account data is never accessible
- Rendering primary account numbers (PAN) unreadable via encryption, tokenization or other forms of obfuscation
- Securing encryption keys from misuse and establishing separation of admin duties and key control
Acceptable methods for rendering data unreadable are defined as:
- One-way hash functions based on strong cryptography, which yield only index data pointing to the records in the database where the sensitive data actually resides.
- Truncation – removing a critical segment of field data, such as showing only the last four digits.
- Index tokens and securely stored pads – encryption algorithms that combine sensitive plaintext data with a random key or “pad” that is used only once.
- Strong cryptography – with associated key management processes and procedures. (Refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations and Acronyms for the full definition of “strong cryptography.”)
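The three rendering methods listed above, worked through as an added example (not CipherCloud's or the Council's code): truncation to the last four digits, a keyed one-way hash usable as a lookup index, and an index-token vault that holds the only link back to the PAN. The sample PAN and key are constructed test values; the `leaks_pan` check is an assumed defender-side guard, not a PCI-DSS-specified function.

```python
import hashlib
import hmac
import secrets

# Constructed sample PAN: a widely used test number, not a real account.
SAMPLE_PAN = "4111111111111111"


def truncate_pan(pan: str, keep_last: int = 4) -> str:
    """Truncation: drop every digit but the last four before display/storage."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def pan_index(pan: str, key: bytes) -> str:
    """One-way index based on a keyed hash (HMAC-SHA256).

    An unkeyed hash of a PAN is not enough: with the issuer prefix known and
    the Luhn check digit fixed, the candidate space is small enough to
    enumerate offline, so the key must be protected like an encryption key.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Index tokens: the PAN is replaced by a random surrogate with no
    mathematical relation to it; the token->PAN map lives only in the vault
    (in production: encrypted and access-controlled inside the CDE)."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Random 12-digit prefix plus the real last four keeps the token
        # usable for receipts while revealing nothing else about the PAN.
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in range(12)) + pan[-4:]
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def leaks_pan(pan: str, *rendered: str) -> bool:
    """Guard before anything is logged or stored: does any rendered form
    still contain the clear-text PAN?"""
    return any(pan in value for value in rendered)
```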
BREACH NOTIFICATION REQUIREMENTS & EXEMPTIONS
Public notification is required in most countries for breaches of PCI-DSS. Yet encryption is viewed as a “critical component”, and if it has been adequately applied there are exemptions from breach notification requirements.