Are you storing customer data properly? The challenges of PCI DSS compliance
by Russell Fewing, Services Marketing Manager at the Information Systems Security activities of Thales
Data security breaches are hitting the headlines with alarming frequency. While the most recent breaches have involved the public sector and financial services industries, retailers are not immune from the rise of data losses. Cotton Traders, the UK leisurewear and casual clothes brand, for example, recently conceded that thousands of customer details had been stolen from the company's website. Last year saw perhaps one of the most publicised cases involving retail giant TJ Maxx, which found that hackers had accessed internal systems used to process and store customer transaction data, including credit card, debit card, cheque and return transactions. The incident cost TJ Maxx $256 million [1] and the company is now offering to pay Visa card issuers a further $40.9 million [2] to compensate for costs connected to the data breach.

With data security cases rising in number and severity, the various industries affected are pulling together in an attempt to reduce the risk of fraud. The Payment Card Industry Data Security Standard (PCI DSS) is one such example, which aims to crack down on fraud associated with credit and debit cards. However, the implementation of PCI DSS is not without its challenges, and these must be overcome if the standard is to be used as an effective weapon in the fight against card fraud.
PCI DSS aims to prevent any information that could be used to make a counterfeit card or a fraudulent online transaction from falling into the wrong hands. The standard applies to every acquiring bank, merchant and third party that accepts or processes payment cards. It is now mandatory for businesses with over 100,000 transactions a year either to be PCI DSS compliant or to be able to demonstrate plans to become so. However, one element of the standard is proving to be a particular stumbling block: requirement 3, protecting stored cardholder data. In fact, 79 per cent of PCI DSS audit failures are due to companies not implementing requirement 3 properly.
Retailers have to store customer data, for example in order to be able to refund payments. Under PCI DSS, protecting cardholder data means storing only the minimum information needed, so that whatever is stored is valueless to anyone who does manage to steal it. While there are various PCI DSS approved techniques for achieving this, strong cryptography is the most sophisticated and most successful approach for protecting stored cardholder data, keeping the information safe even if the other layers are breached. Encryption also allows data to be stored for as long as necessary and as flexibly as possible.
With strong cryptography, a secret 'key' value is used in an encryption algorithm to protect the cardholder data. As long as this 'key' value remains secret, the encrypted data is safe. Consequently, the best way to store the secret 'key' is to use a cryptographic Hardware Security Module (HSM) that performs all of the encryption and decryption of data and never allows users or applications to see the key. The improved security resulting from this approach is a considerable benefit not only in demonstrating compliance with PCI DSS but also in mitigating risk for an organisation and avoiding the fines and penalties associated with non-compliance.
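The two preceding paragraphs describe a storage design (keep only the minimum cardholder data, and encrypt what must be kept with a key that the application never sees). The following Go program is an added example written for this article, not code from the author or from Thales. It stands in an HSM with a `keyCustodian` type that holds an AES-256-GCM key in its own scope and only exposes encrypt and decrypt calls; a real deployment would route those calls to the HSM vendor's API instead. The record layout (`StoredCard`), the card number `4111111111111111`, the expiry and the CVV are constructed test values; the CVV is accepted for the authorisation step and then deliberately discarded, since it is sensitive authentication data that must not be retained after authorisation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// keyCustodian stands in for an HSM (assumption for this example): the key is
// generated inside and never returned; callers only get Encrypt/Decrypt.
type keyCustodian struct {
	aead cipher.AEAD
}

// NewKeyCustodian generates a random 256-bit AES key and wraps it in GCM so
// that ciphertexts are authenticated as well as confidential.
func NewKeyCustodian() (*keyCustodian, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &keyCustodian{aead: aead}, nil
}

// Encrypt seals the PAN under a fresh random nonce; the nonce is prefixed to
// the ciphertext so the record is self-contained.
func (k *keyCustodian) Encrypt(pan string) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, k.aead.Seal(nil, nonce, []byte(pan), nil)...), nil
}

// Decrypt reverses Encrypt and fails on any modification of the stored blob.
func (k *keyCustodian) Decrypt(blob []byte) (string, error) {
	ns := k.aead.NonceSize()
	if len(blob) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := k.aead.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoredCard is the minimum the retailer keeps: a masked PAN for display,
// the expiry, and the encrypted PAN needed to issue a refund. No CVV field.
type StoredCard struct {
	MaskedPAN    string
	Expiry       string
	EncryptedPAN []byte
}

// MaskPAN keeps the first six and last four digits, the usual display form.
func MaskPAN(pan string) string {
	if len(pan) < 13 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// StoreCard applies the data-minimisation rule: the CVV is used only for the
// (simulated) authorisation and then dropped; the PAN is masked and encrypted.
func StoreCard(hsm *keyCustodian, pan, expiry, cvv string) (StoredCard, error) {
	if len(cvv) < 3 {
		return StoredCard{}, errors.New("authorisation requires a CVV")
	}
	// Authorisation would happen here; afterwards the CVV is intentionally
	// not copied into the record.
	ct, err := hsm.Encrypt(pan)
	if err != nil {
		return StoredCard{}, err
	}
	return StoredCard{MaskedPAN: MaskPAN(pan), Expiry: expiry, EncryptedPAN: ct}, nil
}

// RecoverPAN is the refund path: only the custodian can turn the blob back
// into a usable card number.
func RecoverPAN(hsm *keyCustodian, rec StoredCard) (string, error) {
	return hsm.Decrypt(rec.EncryptedPAN)
}

func main() {
	hsm, err := NewKeyCustodian()
	if err != nil {
		panic(err)
	}
	rec, err := StoreCard(hsm, "4111111111111111", "12/29", "123") // constructed test card
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored record: %s %s (%d bytes of ciphertext)\n", rec.MaskedPAN, rec.Expiry, len(rec.EncryptedPAN))
}
```

A stolen copy of the `StoredCard` table yields masked numbers and ciphertexts only, and GCM's authentication tag means a tampered blob is rejected rather than decrypted to garbage; what the design does not cover is an attacker who can drive the custodian's Decrypt call from inside the application, which is why access to that path should be as narrow as the refund process itself.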
Compliance with PCI DSS may be perceived by the industry as another regulatory burden it could do without, particularly when it comes to implementing the more challenging requirements such as protecting stored cardholder data. However, as fraudsters become increasingly sophisticated and data breaches among retailers continue to make the headlines regularly, PCI DSS compliance should be viewed as an opportunity to review security processes and ensure that it is not your company's name hitting the headlines in tomorrow's newspapers.
[1] Search Security, 'TJX profit takes hit over data breach', 15th August 2007
[2] Search Security, 'TJX offers $40.9 million breach settlement', 3rd December 2007