WHAT ARE THE PCI RULES FOR STORING CREDIT CARD DATA?

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, CRISC) is the Founder and Director of VISTA InfoSec.

 

Introduction

More often than not, the developers who build digital payment platforms do not know why or how their applications come to handle cardholder data (CHD), and most merchants do not know whether the applications they run store it at all. The result is cardholder data sitting unencrypted in databases, logs and backups, exposed to whoever gets in. Some merchants genuinely have to store cardholder data, for payment processing, transaction history or recurring billing; in those cases the developer must know the requirement up front and design the application with the controls needed to handle that data safely. To address this, the PCI Security Standards Council (PCI SSC), founded by the major card brands, maintains the Payment Card Industry Data Security Standard (PCI DSS).

The Standard is a widely adopted set of requirements for protecting cardholder data against evolving threats, and it applies to every entity that stores, processes or transmits cardholder data. Its requirements state that cardholder data may be stored only for a legitimate legal, regulatory or business reason, so a business that has such a reason must understand the requirements and know what it has to do to protect that data. This article walks through the PCI DSS rules that vendors and merchants must follow when they store credit card data, starting with the guidelines on data retention.

 

PCI Guidelines for Data Retention

Merchants must not store cardholder data unless they have a legitimate legal, regulatory or business reason to do so. Where such a reason exists, the elements classed as Cardholder Data (CHD), that is the primary account number (PAN), cardholder name, service code and expiration date, may be stored provided they are protected. (The PAN is usually 16 digits, but can be anywhere from 13 to 19.) Sensitive Authentication Data (SAD) is different: it must never be stored after a transaction has been authorized, even in encrypted form. SAD comprises the full track data from the magnetic stripe or the equivalent data on the chip, the card verification code (CAV2/CVC2/CVV2/CID), and the PIN or PIN block. SAD is exactly what an attacker needs to counterfeit a card for card-present fraud or to pass verification checks in card-not-present transactions, which is why the standard forbids storing it at all rather than merely requiring it to be protected.

Merchants should therefore adopt a data retention and disposal policy that strictly limits both what is stored and how long it is kept, based on the business, legal and regulatory requirement, and implement the rest of PCI DSS to protect the cardholder data environment as a whole.

Data element                                              Storage permitted   Protection required

Cardholder Data
  Primary Account Number (PAN)                            Yes                 Yes
  Cardholder Name                                         Yes                 Yes
  Service Code                                            Yes                 Yes
  Expiration Date                                         Yes                 Yes

Sensitive Authentication Data
  Full track data (magnetic stripe or chip equivalent)    No                  N/A
  CAV2/CVC2/CVV2/CID                                      No                  N/A
  PIN/PIN Block                                           No                  N/A

Source: PCI SSC. Of the permitted elements, only the PAN must be rendered unreadable under Requirement 3.4; the name, service code and expiration date must be protected in line with the rest of the standard whenever they are stored together with the PAN.

 

What does PCI say about Data Storage?

Requirement 3 of PCI DSS covers the protection of stored cardholder data. Most of its sub-requirements bite only when a merchant actually stores CHD, and a merchant that stores none has removed the primary target. Two of them apply regardless of storage: 3.2 (never retain SAD after authorization), because SAD passes through every system that accepts a card, and 3.3 (mask the PAN when displayed), because many systems display a PAN without storing it. A merchant with a legitimate reason to store cardholder data needs to know which elements it may store and what it has to do to protect them. For a better understanding of Requirement 3, the following sections go through its rules one by one.

 

PCI Rule for Storage of cardholder data

Requirement 3 consists of several sub-requirements that merchants must understand and follow. Anyone responsible for securing cardholder data must also know the difference between Account Data, Cardholder Data and Sensitive Authentication Data. Account Data is everything on the card; Cardholder Data (CHD) is the PAN, expiration date, cardholder name and service code; and Sensitive Authentication Data (SAD) is the full track data from the magnetic stripe or chip, the card verification code, and the PIN or PIN block. SAD must not be stored after authorization. PCI DSS permits only issuers, and companies that support issuing services, to store SAD, and only with a documented business justification and secure storage. Storage of cardholder data must be limited to what is necessary to meet legal, regulatory or business needs. The rules below explain each requirement and what is expected of merchants to protect stored cardholder data.

 

PCI Rule 3.1 - Keep cardholder data storage to a minimum

Requirement 3.1 limits cardholder data storage to what is needed for legal, regulatory or business purposes. The entity must document a data retention and disposal policy that sets a retention period for each type of stored CHD, specifies how the data is securely deleted when it is no longer needed, and is backed by a process, run at least quarterly, that finds and removes any cardholder data that has exceeded its retention period. A data discovery tool is the usual way to run that quarterly sweep. It should cover logs, backups, exports and ticketing systems and not just the payment database, because that is where unintended storage turns up.
PCI Rule 3.2 - Do not store Sensitive Authentication Data after authorization

Requirement 3.2 forbids storing Sensitive Authentication Data after authorization, even encrypted; it must be made unrecoverable as soon as the authorization process is complete. That covers full track data from the stripe or chip, the card verification code and the PIN or PIN block. With SAD an attacker can counterfeit cards for card-present fraud or defeat verification checks in card-not-present transactions, which is why a leak of SAD is treated far more seriously than a leak of PANs. Only issuers and companies that support issuing services may store SAD, and only with a documented business justification and secure storage. Debug logging of request payloads is the classic way SAD ends up stored by accident, so logging configuration belongs in the review.

PCI Rule 3.3 - Mask the Primary Account Number (PAN) when displayed

Requirement 3.3 requires the PAN to be masked whenever it is displayed: at most the first six and last four digits may be shown, and only personnel with a legitimate business need may see more. The PAN is the number on the front of the card, usually 16 digits. The entity must have a documented policy and procedure that defines who may see the full PAN, and the masking must be enforced in every interface that renders it, including reports, receipts, admin consoles and support tooling.

PCI Rule 3.4 - Render the PAN unreadable anywhere it is stored

Requirement 3.4 requires the PAN to be rendered unreadable anywhere it is stored, including portable media, backups and logs. The standard lists the acceptable methods: a one-way hash based on strong cryptography, computed over the entire PAN; truncation, which stores only a segment of the PAN (hashing may not be used to replace the truncated segment); index tokens and pads, where the stored value is a token that refers to the real PAN held elsewhere, with any pad stored securely; and strong cryptography with associated key-management processes. If both hashed and truncated versions of the same PAN exist in an environment, there must be controls ensuring they cannot be correlated to reconstruct the original PAN. One caveat deserves emphasis: an unkeyed hash of a PAN offers little protection on its own. The first six digits (the BIN) and the last four are often known or stored in truncated form, and the Luhn check digit is derivable, so the remaining keyspace is small enough to enumerate in seconds. PCI DSS v4.0 accordingly requires hashes of the PAN to be keyed. Encryption with proper key management is the usual choice when the full PAN must be recoverable, and truncation when it need not be.
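The mechanical parts of Requirements 3.1, 3.3 and 3.4 described above (finding stray PANs, masking for display, and the difference between an unkeyed and a keyed hash) fit in one short program. The Go code below is an added illustration written for this article, not code from the PCI SSC or from any payment product. The log lines and the PAN 4111110009871232 are constructed for the example (the PAN passes the Luhn check but is not a real account), and the regular expression, the length limits and the HMAC key value are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// luhnValid reports whether a 13-19 digit string passes the Luhn check.
// It removes most false positives from order numbers and timestamps, not all.
func luhnValid(pan string) bool {
	if len(pan) < 13 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if d > 9 {
			return false // not a digit
		}
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// panPattern matches 13-19 digit runs, allowing the spaces or dashes that
// people type into free-text fields (an assumption about the data scanned).
var panPattern = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// findPANs scans free text (logs, CSV exports, ticket bodies) and returns the
// Luhn-valid card numbers in it as bare digits: the discovery sweep of 3.1.
func findPANs(text string) []string {
	var hits []string
	for _, m := range panPattern.FindAllString(text, -1) {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if luhnValid(digits) {
			hits = append(hits, digits)
		}
	}
	return hits
}

// maskPAN is the display form of 3.3: at most the first six and last four digits.
func maskPAN(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// truncatePAN is a permitted storage form under 3.4: the last four digits only.
func truncatePAN(pan string) string { return pan[len(pan)-4:] }

// unkeyedHash looks compliant but is not: a plain SHA-256 of the PAN.
func unkeyedHash(pan string) string {
	sum := sha256.Sum256([]byte(pan))
	return hex.EncodeToString(sum[:])
}

// keyedHash is HMAC-SHA256 under a secret key managed per 3.5/3.6. Without
// the key, the enumeration in recoverFromUnkeyedHash is not possible.
func keyedHash(pan string, key []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(pan))
	return hex.EncodeToString(mac.Sum(nil))
}

// recoverFromUnkeyedHash shows why a truncated PAN and an unkeyed hash of the
// same PAN must never sit together: with the first six and last four known,
// only the middle six digits are secret, so at most a million hashes recover it.
func recoverFromUnkeyedHash(digest, first6, last4 string) (string, bool) {
	for i := 0; i < 1000000; i++ {
		c := first6 + fmt.Sprintf("%06d", i) + last4
		if luhnValid(c) && unkeyedHash(c) == digest {
			return c, true
		}
	}
	return "", false
}

func main() {
	// Constructed sample: an application log that should never have contained a PAN.
	sample := "2022-09-23 12:00:01 INFO order=8841 card=4111 1100 0987 1232 amount=49.90\n" +
		"2022-09-23 12:00:02 INFO order=8842 ref=20220923120002 amount=12.00\n"
	for _, pan := range findPANs(sample) {
		fmt.Println("PAN found; display as", maskPAN(pan), "store at most", truncatePAN(pan))
	}
	pan := "4111110009871232" // constructed test PAN, not a real account
	if got, ok := recoverFromUnkeyedHash(unkeyedHash(pan), pan[:6], pan[12:]); ok {
		fmt.Println("unkeyed hash + truncation recovered the full PAN:", got == pan)
	}
	fmt.Println("keyed hash:", keyedHash(pan, []byte("hmac-key-held-in-hsm"))[:16], "...")
}
```

Run with go run and the discovery sweep reports the masked PAN from the first log line while rejecting the 14-digit reference in the second, which fails the Luhn check. The recovery function then rebuilds the full PAN from its SHA-256 and the truncated copy in under a thousand hashes, because the constructed PAN's middle digits happen to be small; a million is the ceiling in the general case, which a laptop clears in a second or two. The keyed hash cannot be enumerated without the HMAC key, which is why a key managed under 3.5 and 3.6 belongs in the hashing step.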
PCI Rule 3.5 - Protect the keys used to secure stored cardholder data

Requirement 3.5 covers the keys used to protect stored cardholder data: they must be protected against disclosure and misuse, because encrypted data is only as safe as its key. Keys must be strong, stored in the fewest possible locations and forms, and access to them restricted to the fewest custodians necessary. Data-encrypting keys must themselves be protected, either by encrypting them under a key-encrypting key that is at least as strong and is stored separately from the data-encrypting key, or by holding them inside a secure cryptographic device such as an HSM. Both external attackers and insiders are in scope. Service providers must additionally document their cryptographic architecture (and merchants would do well to): every algorithm, protocol and key in use with its strength and expiry date, what each key is used for, and an inventory of any HSMs and other secure cryptographic devices (SCDs) used for key management.
PCI Rule 3.6 - Document and implement key management for the keys used to encrypt cardholder data

Requirement 3.6 requires entities to document and implement every part of the key management process for the keys that encrypt cardholder data: generation of strong keys from a proper random source, secure distribution, secure storage, key changes at the end of each key's defined cryptoperiod, and retirement or replacement of any key that is suspected of being compromised or has been weakened. Where keys are handled manually in clear text, split knowledge and dual control are required, unauthorized substitution of keys must be prevented, and key custodians must formally acknowledge their responsibilities. Whether key management is manual or automated inside an encryption product, it should follow industry standards so that every element of Requirement 3.6 is addressed.
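Requirements 3.5 and 3.6 read as policy, but the shape they impose on an application is concrete: a data-encrypting key (DEK) that encrypts the PANs, wrapped under a key-encrypting key (KEK) that is held somewhere else and referred to only by ID, and a rotation step that re-wraps the DEK when the KEK's cryptoperiod ends. The Go program below is an added example written for this article, not code from the PCI SSC or from any vendor. The in-memory keks map stands in for an HSM or KMS, the key IDs and record IDs are made up, and the PAN is a constructed test value, not a real account.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// newKey draws a 256-bit key from the OS CSPRNG (3.6.1, strong key generation).
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		panic(err)
	}
	return k
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM, prefixing a fresh 96-bit nonce; aad is
// authenticated but not encrypted, so it can bind a ciphertext to its record.
func seal(key, plaintext, aad []byte) []byte {
	gcm, err := gcmFor(key)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal and fails closed if ciphertext or aad were altered.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// WrappedDEK is what the application database holds next to the encrypted PANs:
// the data-encrypting key, encrypted under a key-encrypting key that lives
// elsewhere (HSM, KMS, at minimum a separate host) and is referenced only by ID.
type WrappedDEK struct {
	KEKID string
	Blob  []byte
}

func wrapDEK(kek []byte, kekID string, dek []byte) WrappedDEK {
	return WrappedDEK{KEKID: kekID, Blob: seal(kek, dek, []byte(kekID))}
}

// unwrapDEK fetches the KEK by ID; the keks map stands in for the HSM/KMS call.
func unwrapDEK(keks map[string][]byte, w WrappedDEK) ([]byte, error) {
	kek, ok := keks[w.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %q not available", w.KEKID)
	}
	return open(kek, w.Blob, []byte(w.KEKID))
}

// rotateKEK re-wraps the DEK under a new KEK at the end of the old one's
// cryptoperiod (3.6.4); the stored PAN ciphertext is not touched.
func rotateKEK(keks map[string][]byte, w WrappedDEK, newID string) (WrappedDEK, error) {
	dek, err := unwrapDEK(keks, w)
	if err != nil {
		return WrappedDEK{}, err
	}
	if _, ok := keks[newID]; !ok {
		return WrappedDEK{}, fmt.Errorf("KEK %q not available", newID)
	}
	return wrapDEK(keks[newID], newID, dek), nil
}

func main() {
	keks := map[string][]byte{"kek-2022": newKey()} // lives in the HSM/KMS, not the app DB
	dek := newKey()
	wrapped := wrapDEK(keks["kek-2022"], "kek-2022", dek)
	blob := seal(dek, []byte("4111110009871232"), []byte("order-8841")) // constructed PAN; AAD = record ID
	keks["kek-2023"] = newKey()
	wrapped, _ = rotateKEK(keks, wrapped, "kek-2023")
	delete(keks, "kek-2022") // retire the old KEK once every DEK has been re-wrapped
	dek, _ = unwrapDEK(keks, wrapped)
	pan, err := open(dek, blob, []byte("order-8841"))
	fmt.Println(string(pan), err) // still decrypts after KEK rotation
	_, err = open(dek, blob, []byte("order-8842"))
	fmt.Println(err) // wrong record ID: cipher: message authentication failed
}
```

Two design points are worth noting. Using the record ID as GCM additional authenticated data ties each ciphertext to its row, so a blob copied between customers fails authentication instead of decrypting. And KEK rotation never touches the bulk ciphertext: only the small wrapped DEK is rewritten, which is what makes the periodic key change of 3.6.4 operationally cheap. Rotating the DEK itself, or retiring one after a suspected compromise (3.6.5), does require re-encrypting every record it protects.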
PCI Rule 3.7 - Security policies and operational procedures are documented and communicated to all affected parties

Requirement 3.7 requires that the policies and procedures for protecting stored cardholder data are not only documented but also in use, known to all affected parties, and communicated to the people involved in protecting CHD. Policies written only to satisfy an audit do not meet the requirement: employees must understand the procedures and be aware of their own responsibility for protecting CHD, and the entity must enforce them.

The rules above are the direct controls on stored card data. Other parts of the standard bear on it indirectly: the network controls of Requirement 1, the hardening requirements for every in-scope asset in Requirement 2, and the logging and monitoring of Requirement 10, which mandates an audit trail of all access to cardholder data.

 

Conclusion

Merchants and payment application developers must both be aware of the requirements and understand how and why their digital payment solutions handle cardholder data (CHD), and must put strong controls around any cardholder data they store, as PCI DSS requires. To meet Requirement 3 with the least effort, we strongly recommend that merchants reduce their PCI scope: streamline the card data flow, store only the data that is truly necessary, and segment the cardholder data environment from the rest of the network to limit the exposure.


Mini-Budget 2022:

Tax giveaway is a boost for business, but will it drive growth or fuel inflation?

 

Chancellor Kwasi Kwarteng has announced a comprehensive wave of tax cuts and other incentives for individuals and businesses, as well as confirming some of the announcements made earlier this week.  The measures are part of a new Growth Plan, which is aiming to boost economic growth. However, only time will tell if they will curb inflation and temper recession concerns.

Richard Godmon, tax partner at accountancy firm, Menzies LLP, said:

“With another fiscal statement to follow, this mini-Budget is a defining moment for the new Government and tax cuts are firmly back on the agenda.

“The biggest surprise was the decision to simplify Income Tax by moving to a single higher rate of tax for high earners of 40%, with effect from April next year. This will encourage a spirit of entrepreneurialism by incentivising work and putting money back into the economy. The flip side is that the Government might also be hoping that the move increases the tax take, as it could help to draw people back to the UK who may have previously chosen to live and work elsewhere, while encouraging others to stay put.

“The reduction in dividend tax rates and the abolition of the additional rate of tax from April 2023 means that business owners will need to consider carefully the timing of dividend payments over the next few months.”

Up to 40 new Investment Zones

The Chancellor also outlined plans to create up to 40 new ‘investment zones’ in England, with the potential for more in Wales, Scotland and Northern Ireland. Businesses in these zones will benefit from wide-ranging tax breaks including 100% tax relief on investments in plant and machinery, and no National Insurance Contributions will be payable on the first £50,000 earned by new employees.

Richard Godmon, tax partner at Menzies LLP, said: “The new Investment Zones are reminiscent of the former Enterprise Zones, but they will provide a much more favourable tax environment for businesses and they promise to become a magnet for inward investment. There are currently 38 areas in England on the list for consideration and we look forward to finding out which ones will be selected.”

Incentivising business investment and Corporation Tax rise ‘cancelled’

The limit of the Annual Investment Allowance (AIA) will not revert to £200,000 in April next year as planned; it will now stay permanently at £1 million.

Richard Godmon, tax partner at Menzies LLP, said:

“Capital allowances are highly valued by businesses and they will be pleased that this one in particular is going to stick at £1 million and that this is no longer being described as a temporary measure, but is to be made permanent.

“The decision to cancel the planned increase in Corporation Tax (due to take effect next April) will be a relief to many small and medium-sized businesses who have been concerned that this increase would erode profits further and make it even more challenging to remain viable.”

Incentivising entrepreneurial investment

The Chancellor highlighted plans to increase the cap on investments that can be made under the Seed Enterprise Investment Scheme (SEIS) from £150,000 to £250,000. Individuals making investments in start-ups have had their limit doubled to £200,000, with the 50% income tax relief remaining the same. The Government also gave its commitment to continuing to back the Enterprise Investment Scheme (EIS).

“These announcements send a signal to entrepreneurial investors that tax should not be a barrier and the Chancellor wants to expand incentives in this area,” added Richard Godmon, tax partner at Menzies LLP.

Stamp Duty Land Tax

The threshold at which Stamp Duty Land Tax (SDLT) becomes payable on residential property purchases in the UK has been raised to £250,000, double its previous level in a bid to boost the property market. In addition, first-time buyers will not have to pay SDLT on property purchases up to a value of £425,000 (up from £300,000). Both measures will take effect from today.

Richard Godmon, tax partner at Menzies LLP, said:

“The decision to raise the SDLT threshold is designed to build consumer confidence and boost the housing market generally. For property developers it will fuel activity by creating demand, particularly from first-time buyers, and help to free up finance to front-end development projects.”

IR35 Changes

Richard Godmon, tax partner at Menzies LLP, said:

“The repealing of the 2017 and 2021 IR35 changes will be hugely welcomed as it will remove an administrative burden, risk and cost, enabling businesses to devote resources to furthering their growth strategies.

“It is important to recognise that IR35 has not been abolished and the result of the changes is that the risk and compliance costs are being returned to the individuals and their personal service companies.  HMRC will no doubt redirect their focus towards the contractors, which will bring challenges and make enforcement more difficult.”


A zero trust environment is critical for financial services


Boris Bialek, Managing Director of Industry Solutions at MongoDB

Not long ago security professionals were still focused on protecting their IT in a similar formation to mediaeval guards protecting a walled city – concentrating on making it as difficult as possible to get inside. Once past this perimeter though, access to what was within was endless. For financial services, this means access to everything from personal identifiable information (PII) including credit card numbers, names, social security information and more ‘marketable data’. Unfortunately, we have many examples of how this type of security doesn’t work, the castle gets stormed and the data isn’t protected. The most famous is still the Equifax incident, where a small breach has led to years of unhappy customers.

Thankfully the mindset has shifted spurred on by the proliferation of networks and applications across geographies, devices and cloud platforms. This has made the classic point to point security obsolete. The perimeter has changed, it is fluid, so reliance on a wall for protection also has to change.

Zero trust presents a new paradigm for cybersecurity. It assumes the perimeter is already breached, trusts no user by default, and grants no trust on the basis of physical or network location alone. Every user, device and connection must be continually verified and audited.

What might seem obvious, but bears repeating: given the amount of confidential customer and client data that financial institutions hold, not to mention the regulations, this should be an even bigger priority for them. The perceived value of this data also makes financial services organisations a primary target for data breaches.

But how do you create a zero trust environment?


Keeping the data secure 

While ensuring that access to banking apps and online services is vital, it is actually the database that is the backend of these applications that is a key part of creating a zero trust environment. The database contains so much of an organisation’s sensitive, and regulated, information, as well as data that may not be sensitive but is critical to keeping the organisation running. This is why it is imperative that a database is ready and able to work in a zero trust environment.

As more databases are becoming cloud based services, a big part of this is ensuring that the database is secure by default, meaning it is secure out of the box. This takes some of the responsibility for security out of the hands of administrators because the highest levels of security are in place from the start, without requiring attention from users or administrators. To allow access, users and administrators must proactively make changes – nothing is automatically granted.

As more financial institutions embrace the cloud, this gets more complicated. Security responsibilities are divided between the client's own organisation, the cloud providers and the vendors of the cloud services being used; this is known as the shared responsibility model. It moves away from the classic model in which IT hardens the servers, then the software on top (say, the version of the database software), and then the application code. In the shared model the hardware (CPU, network, storage) is solely the realm of the cloud provider that provisions it. The service provider of a data-as-a-service offering then delivers the database to the client already hardened, with a designated endpoint. Only then do the client's own application developers and DevOps team come into play for the actual solution.

Security and resilience in the cloud are only possible when everyone is clear on their roles and responsibilities. Shared responsibility recognizes that cloud vendors ensure that their products are secure by default, while still available, but also that organisations take appropriate steps to continue to protect the data they keep in the cloud.

Authenticate Everyone  

In banks and finance organisations, there is always lots of focus on customer authentication, making sure that accessing funds is as secure as possible. But it is also important to make sure that access to the database on the other end is secure. An IT organisation can use any number of methods to allow users to authenticate themselves to a database. Most often that includes a username and password, but given the increased need to maintain the privacy of confidential customer information by financial services organisations this should only be viewed as a base layer.

At the database layer, it is important to have transport layer security and SCRAM authentication which enables traffic from clients to the database to be authenticated and encrypted in transit.

Passwordless authentication is also something that should be considered – not just for customers, but internal teams as well. This can be done in multiple ways with the database, either auto-generated certificates that are needed to access the database or advanced options for organisations already using X.509 certificates and have a certificate management infrastructure.

Tracking is a key component 

As a highly regulated industry, it is also important to monitor your zero trust environment to ensure that it remains in force and encompasses your database. The database should be able to log all actions, or have functionality to apply filters that capture only specific events, users or roles.

Role-based auditing lets you log and report activities by specific roles, such as userAdmin or dbAdmin, coupled with any roles inherited by each user, rather than having to extract activity for each individual administrator. This approach makes it easier for organisations to enforce end-to-end operational control and maintain the insight necessary for compliance and reporting.

Next level encryption

With large amounts of valuable data, financial institutions also need to make sure that they are embracing encryption – in flight, at rest and even in use. Securing data with client-side field-level encryption allows you to move to managed services in the cloud with greater confidence. The database only works with encrypted fields and organisations control their own encryption keys, rather than having the database provider manage them. This additional layer of security enforces an even more fine-grained separation of duties between those who use the database and those who administer and manage it.

Also, as more data is being transmitted and stored in the cloud – some of which are highly sensitive workloads – additional technical options to control and limit access to confidential and regulated data is needed. However, this data still needs to be used. So ensuring that in-use data encryption is part of your zero trust solution is vital. This also enables organisations to confidently store sensitive data, meeting compliance requirements, while also enabling different parts of the business to gain access and insights from it.

Securing data is only going to continue to become more important for all organisations, but for those in financial services the stakes can be even higher. Leaving the perimeter mentality to the history books and moving towards zero trust – especially as cloud and as-a-service infrastructure permeates the industry – is the only way to protect such valuable data.
