Do you feel unsure if the amount of data stored by your organization is compliant with the Payment Card Industry Data Security Standard (PCI DSS)? To clarify the rules, here are best practices for payment info storage as dictated in Requirement 3.1, along with information on the new version – PCI DSS 3.1.
- Encryption and Minimum Necessary Storage
- Store, or Trash?
- 3 Best Practices for PCI Data Storage
- More About PCI DSS 3.1 – Say Yes to TLS
- Assessments for Transition to PCI v3.1
- Your PCI DSS Compliance-Ready Cloud
Encryption and Minimum Necessary Storage
PCI DSS 3.1 became available April 15, which is a big deal for the finance industry and anyone taking payments online. Much of the discussion surrounds the new and game-changing encryption provisions. Specifically, because of the Heartbleed bug and other vulnerabilities in open-source SSL (particularly OpenSSL), the PCI overlords at Discover, American Express, Visa, and AmEx decided that SSL is unacceptable for new systems. (Read more on this below.)
Of course, PCI compliance is not just about encryption software. One of the other major sections of the standard states that any user data on cardholders should be kept on file only when necessary. That section, confusingly called Requirement 3.1, describes the creation of policies on when and how to retain and remove data.
Store, or Trash?
Channeling Hamlet, forensic and litigation consultant Roger Nebel wonders “[w]hether it is nobler in the eyes of your acquiring bank to retain your transaction data, and risk a breach, or to take arms against the conventional wisdom that the merchant must retain massive amounts of private data in order to fend off the odd contested transaction.”
Traditionally, banks advised that anyone doing business online keep full records pertaining to card payments so there was proof if someone said the charge was bogus. Actually, though, you only need:
- The authorization number
- Amount charged
- ID verification for in-person payments, or ZIP Code and CVV for card not present (CNP) scenarios such as online sales
Should you keep card on file, though? Card data is stored with PayPal, Amazon, cell phone carriers, and elsewhere. “[T]he benefits to those merchants are clear — ease of future transactions which presumably increase sales,” says Nebel. “If a merchant does decide to store the data for a legitimate business reason then they are required to protect it.”
3 Best Practices for PCI Data Storage
What’s the best way to approach storage, considering the valid reasons to want to retain information alongside the progressively challenging threat landscape? Here are three best practices:
- Documents – Record and retain policies and procedures for anything related to transactions or security, such as migration to TLS.
- Assessments – Conduct periodic assessments of policies and procedures, ideally through legal and IT security consultants.
- Consideration – Run the numbers. Is card-on-file worth it to your business?
According to Nebel, the gist with card data is to keep it small and safe. “A merchant should store the minimum necessary to meet the documented business needs,” he explains. “In addition, ensure that any storage is done securely and in compliance with all statutes, regulations, contractual obligations, and … your privacy policy.”
More About PCI DSS 3.1 – Say Yes to TLS
As indicated above, PCI DSS 3.1 ditches SSL (secure sockets layer) and outdated versions of TLS (transport layer security) for TLS 1.2.
Deadlines for the encryption requirement for new and existing systems are June 30, 2015, and June 30, 2016, respectively. In other words, now and moving forward, you don’t want any new systems protecting cardholder data to be secured only with SSL – but you have a year-long grace period for any current deployments.
Note that if you are going to use the grace period, the PCI Security Standards Council specifies that anyone taking payments must create a Risk Mitigation and Migration Plan explaining how and when the transition to the acceptable protocol will occur and which controls are currently in place to prevent pre-migration exploits.
Assessments for Transition to PCI v3.1
Don’t drive blind as you transition to this new standard. Check your policies and procedures that address how data is stored and removed to confirm that they contain:
- All parameters related to data retention, as indicated by the law, regulators, and business goals – including specific lengths of time.
- How and when unnecessary data such as payment information should be removed.
- Guidelines related to all aspects of storage, with Nebel providing the examples of “database servers, mainframes, transfer directories, and bulk data copy directories used to transfer data between servers, and directories used to normalize data between server transfers.”
- Automated removal or the audit process for removal of unnecessary payment information every 90 days.
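The 90-day review in the last item can be backed by a scheduled scan of the transfer and bulk-copy directories named above. The following Python is an added example, not part of the original article: it reports files older than the retention period that still contain Luhn-valid card numbers, masking each number so the report itself stores no full PAN. The function names, the use of file modification time as the record's age, the 90-day retention value, and the sample files are all assumptions made for the illustration.

```python
import os
import re
import tempfile
import time
from pathlib import Path

RETENTION_DAYS = 90  # assumption: retention period equals the 90-day review cycle
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum: filters out order ids and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def masked_pans(text):
    """Return Luhn-valid card numbers in text, masked to first 6 / last 4 digits."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return found

def audit(root, retention_days=RETENTION_DAYS):
    """List files past the retention period (by mtime) that still hold card numbers."""
    cutoff = time.time() - retention_days * 86400
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.stat().st_mtime < cutoff:
            pans = masked_pans(path.read_text("utf-8", "ignore"))
            if pans:
                findings.append((str(path.relative_to(root)), pans))
    return findings

def demo():
    """Audit a constructed transfer directory (test PAN, not a real card)."""
    samples = [("old_batch.csv", "auth=A1,amount=19.99,pan=4111 1111 1111 1111\n", 120),
               ("new_batch.csv", "auth=B2,amount=5.00,pan=4111111111111111\n", 10),
               ("old_orders.csv", "order=1234567890123456\n", 200)]
    with tempfile.TemporaryDirectory() as root:
        for name, body, age_days in samples:
            path = Path(root, name)
            path.write_text(body)
            mtime = time.time() - age_days * 86400
            os.utime(path, (mtime, mtime))  # backdate the file to simulate its age
        return audit(root)
```

Only `old_batch.csv` is reported: the 10-day-old file is still inside the retention window, and the 16-digit order number fails the Luhn check.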
Your PCI DSS Compliance-Ready Cloud
Need PCI compliance in the cloud? By handling sensitive personal data in a responsible way, we help enterprises that accept, store, and/or process credit cards to achieve and maintain 100% compliance with PCI DSS 3.1 standards. Check out our Passmark-rated, PCI-compliant cloud servers.
By Kent Roberts