Finance

WHAT ARE THE PCI RULES FOR STORING CREDIT CARD DATA?

Published

2 years ago

August 27, 2021

admin

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, CRISC) is the Founder and Director of VISTA InfoSec.

Introduction

More than often when software developers design platforms for digital payments, they are unaware of why and how the applications are used for handling cardholder data (CHD). On the other hand, most merchants are not aware of whether these applications store CHD. This results in unencrypted data storage and exposure to various cyber threats. While some Merchants may have to store sensitive cardholder data for payment processing, transaction history, or recurring billing, it is important that the developer is aware of such requirements and accordingly designs applications with the necessary security measures for safe handling such sensitive data. Addressing these issues the PCI Council along with the support of major card brands developed the Payment Card Industry Data Security Standard (PCI-DSS).

The Standard which is a widely accepted set of requirements ensures optimum security of sensitive cardholder data and protection against evolving cyber threats. PCI-DSS requirements apply to all entities that store, process, or transmit cardholder data. The requirements outlined clearly state that cardholder data can only be stored for a “legitimate legal, regulatory, or business reason.” So for those businesses that have a legitimate reason to store data must understand the PCI requirements and know what measures they must take to protect that data. Elaborating the PCI requirements in detail our article explains the PCI Rules that vendors and merchants must follow for storing sensitive credit card data. So, let us first take a closer look at the PCI Guidelines for Data Retention.

PCI Guidelines for Data Retention

Merchants must avoid storing cardholder data unless they have a legitimate legal, regulatory, or business reason to do so. That said, the data classified as the Cardholder Data (CHD) which includes the 16-digit primary account number (PAN), cardholder name, service code, and expiration date are the kind of data that can probably be stored. However, it is important to note that the Sensitive Authentication Data (SAD) cannot be stored after authorization of a transaction, even after encryption. Data that is classified SAD include the full magnetic stripe data found on the back of the card, data on the EMV chip, the CVV, PIN, and PIN block. SAD data are extremely valuable and should be protected at all costs for it is a valuable tool for attackers to use the card-present and card-not-present environment.

So, to ensure maximum protection of sensitive data, Merchants should develop a data retention and storage policy that strictly limits storage and retention time based on the business, legal, and/or regulatory requirement. Further, Merchants must also implement necessary PCI DSS requirements and ensure general protection of the cardholder data environment.

	Data elements	Storage Permitted	Protection Required
Cardholder Data	Primary Account Number (PAN)	Yes	Yes
	Cardholder Name	Yes	Yes
	Service Code	Yes	Yes
	Expiration Date	Yes	Yes
Sensitive Authentication Data	Full Magnetic Strip Data	No	N/A
	CAV2/CVC2/CVV2/CID	No	N/A
	PIN/PINBlock	No	N/A

Source – PCI SSC

What does PCI say about Data Storage?

The PCI DSS outlines in its Requirement 3, guidelines to protect stored cardholder data. Requirement 3 applies only if the Merchant stores the cardholder data. Merchants who do not store cardholder data have stronger protection against the threat as they eliminate the primary target for hackers. While merchants who have a legitimate business reason to store Cardholder Data, need to understand what data elements PCI DSS allows them to store and what measures they must take to protect those data. For getting a better perspective and understanding of PCI DSS Require 3, let us take a closer look at the PCI rules for the storage of data.

PCI Rule for Storage of cardholder data

Focusing on the PCI Requirement 3, it provides guidelines for protecting stored Cardholder Data. Requirement 3 constitutes multiple sub-requirements that the Merchants are required to understand and follow. It is important that Merchants who own the responsibility of securing Cardholder Data must understand the requirements outlined and know the differences between Account Data, Cardholder Data, and Sensitive Authentication Data. While the Account Data constitutes all the data that is there on a credit card, the Cardholder Data (CHD) includes the 16-digit PAN, expiration date, and cardholder name, and the Sensitive Account Data (SAD) includes sensitive track data the magnetic stripe, CVV, PIN, and PIN Block. SAD data is very sensitive data that cannot be stored after authorization. If at all, SAD storage is allowed only for issuers for the purpose of testing and error correction. Storage of cardholder data should be limited to what is necessary and only to meet legal, regulatory, or business needs. Given below are PCI Rules outlined with a detailed explanation of the requirement and what is expected of the merchants to ensure the protection of stored cardholder data.

PCI Rules	Explanation
PCI Rule 3.1- Keep Cardholder Data Storage to Minimum	PCI-DSS requirement 3.1 clearly states that the Cardholder Data should be limited to what is necessary for legal, regulatory, or business needs. The requirement also states that entities must develop data retention policies, secure deletion policies, and every quarter identify and remove any Cardholder Data that exceeds the retention period. A data discovery tool may be used for identifying such data. Entities must define measures to delete the data securely when no longer needed.
PCI Rule 3.2- Do Not Store Sensitive Authentication Data After Authorization	PCI-DSS requirement 3.2 states that Sensitive Authentication Data (SAD) cannot be stored after authorization, even if it is encrypted. The data must be immediately deleted and ensured it is unrecoverable after the authorization process. SAD includes the full track data, CVV, and PIN data that are extremely valuable to attackers. Unauthorized access to such sensitive data can lead to fraudulent transactions over both card-present and card-not-present transactions. Only payment card issuers or entities that have a legitimate business need related to the issuing services can store the data.
PCI Rule 3.3- Mask Primary Account Number (PAN) When Displayed	PCI DSS requirement 3.3 states that the PAN number must be masked when displayed. PNA number is the 16 digit number displayed at the front of the card. The requirement clearly states that not more than the first six and last four digits number must be displayed. Only personnel with a legitimate business need can see more than the first six/last four digits of the PAN. The entity must establish a policy and procedure that ensures the masked display of PAN.
PCI Rule 3.4 Make PAN Unreadable Wherever Stored	PCI DSS requirement 3.4 states that the PAN Data that is stored for an unavoidable reason must be rendered unreadable wherever it is stored. The PCI-DSS explicitly elaborates some of the acceptable methods for rendering the PAN data unreadable. This includes Hashing, Truncation, or Encryption methods. While the hashed index method simply involves displaying only the index data that point to records in the database where the sensitive data resides, truncation involves removing a data segment by simply displaying only the last four digits. Index token on the other hand is an encryption algorithm that combines sensitive plain text data with a random key or pad to render the data unreadable. Strong cryptography is another method that involves using mathematical formulas to render plain text data unreadable. PAN data rendered unreadable makes it extremely difficult and time-consuming to decrypt the data and difficult for attackers to hack.
PCI Rule 3.5 Protect Keys Used To Store Cardholder Data	PCI DSS requirement 3.5 states the use of cryptography and requires entities to take measures to protect encryption keys from disclosure and misuse. Data that are encrypted can be decrypted if the attacker gains access to encryption keys. For these reasons, the encryption keys must be developed strong and stored separately in the least possible location and form with limited access granted to individuals. While securing the encryption key entities must consider both external threats and the internal threats from employees. Further, entities are expected to document a description of the cryptographic architecture including details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date, description of the key usage for each key, and an inventory of any HSMs and other SCDs used for key management.
PCI Rule 3.6 Document and Implement all Key Management Processes and Procedures for Encryption Keys Used to Encrypt Cardholder Data	PCI DSS requirement 3.6 states that the entities must build key management programs and document every aspect of key management including the process, procedures, and implementation of encryption keys used for encrypting cardholder data. This includes the secure generation, distribution, and storage of cryptographic keys and policies that require key changes at the end of the crypto period or if the integrity of the key is compromised or weakened due to various reasons. Establishing a good Key Management Process is essential be it manual or automated as part of the encryption product based on industry standards to ensure all key elements stated in requirement 3.6 are addressed.
PCI Rule 3.7 Security Policies and Operational Procedures are Documented and Communicated to all the Affected Parties	PCI DSS requirement 3.7 states that the entities must have in place policies and procedures that are not just documented but also communicated to individuals involved in the protection of Cardholder Data (CHD) and also ensure that they are enforced and duly followed. The policies and procedures should just be documented for the sake of the audit. Entities must ensure that these policies and procedures are well understood by the employees and made aware of their responsibility towards the protection of CHD.

It is important to note that these above listings are the direct controls for stored card data. However, there are a few other controls such as network controls, hardening requirements of the assets, and even what can be seen in requirement 10 of PCI DSS that mandates the logging and reporting required for all access to card data.

Conclusion

Merchants and Payment Application Developers must both be aware of the requirements and understand how and why the digital payment solutions handle cardholder data (CHD). They must also establish strong security measures to protect stored cardholder data as per the PCI-DSS compliance requirements. Further, to fulfill the Require 3 of PCI DSS Compliance we strongly recommend Merchants reduce their PCI scope by streamlining the card data flow, storing only data that is necessary, and implementing network segmentation to reduce the risk exposure from the rest of the network.

Up Next

A NEW AGE IN CYBERCRIME: HOW THE FINANCIAL SERVICES SECTOR CAN PROTECT ITSELF AGAINST THE LATEST THREATS

Don't Miss

UNTAPPING THE FULL POTENTIAL OF CRYPTOCURRENCY

Business

In-platform solutions are only a short-term enhancement, but bespoke AI is the future

Published

14 hours ago

September 27, 2023

editorial

By Damien Bennett, Global Director, Principal Consultant, Incubeta

If you haven’t heard anyone talking about artificial intelligence (AI) yet, then where have you been? Conversations about AI and its advantages to society have been a key talking point over recent months, with advances being made in the generative AI race and ChatGPT opening a whole plethora of possibilities. Many have highlighted the advantages of AI, but notably it’s ability to create human-like content.

But these discussions have only scratched the surface of what AI is capable of doing. It is for far more than just essay writing, adding Eminem to your rave and photoshopping dogs into pictures.

In marketing, we have been using AI for years, for everything from analyzing customer behaviors to predicting market changes. It’s enabled us to segment customers, forecast sales and provide personalized recommendations, having a huge impact on how our industry works.

It is even, for the more savvy marketers of the world, becoming a key tool in maximizing budget efficiency – which is apt, considering over 70% of CMOs believe they lack sufficient budget to fully execute their 2023 strategy.

Now, as AI becomes more intelligent, the number of efficiencies it can unlock continues to rise. Not only can it help brands get the most out of their available resources and identify any areas of waste, but it can also help highlight new opportunities for growth and maximize the impact of your budget allocation.

The trick, however, is to veer away from the norm of using in-platform solutions with a one-size-fits-all approach and create your own, bespoke solutions that are tailored to your business needs.

Pitfalls of in-platform solutions

In-platform solutions aren’t by any means a bad thing. In fact, built-in AI tools have become increasingly popular, owing to their ease of integration, user-friendly interfaces and minimal set up requirements. They come pre-packaged with the platform, offering the user the ability to leverage AI technologies without the need for in-depth technical expertise or the upfront cost of building a solution from scratch.

However, the streamlined and accessible nature of in-platform AI solutions comes at the expense of complexity and customization. They are designed to serve a broad user base, but for the most part are built using narrow AI solutions with predefined features and workflows.

This makes them great for assisting with common AI tasks, but they lack the flexibility to tailor functionality towards unique business requirements or innovative use cases, limiting the potential efficiencies and cost savings that can be unlocked. Additionally, if a business’ competitors are using the same platform, they are probably using the same AI solution, meaning any strategic advantage gained from these will be reduced.

Bespoke AI solutions, on the other hand, may carry a higher initial investment – but can offer a significantly more attractive ROI over a short amount of time.

Why customized and adapted AI is the key

The difference between bespoke AI and in-platform solutions is similar to that between home cooked food and a microwave meal. Yes, it is more time consuming to prepare, and yes it likely carries more of an upfront cost, but the end result is going to be far more appealing and will carry more long-term value (financially… not nutritionally).

That’s because bespoke solutions, by nature, will have been tailored to address your brands specific needs and challenges. These custom-built tools allow for much greater efficiencies by streamlining workflows across different channels, automating more complex tasks, and providing deeper, more relevant insights.

The increased level of optimization can significantly improve productivity and reduce operational costs over time, offering a higher ROI. The increased flexibility of bespoke AI also allows brands to implement innovative use cases that can significantly differentiate them from their competitors.

The data analyzed can be specifically chosen to match business requirements, as can the outputs of the AI tool, providing a significant advantage when understanding and acting on the insights provided.

Additionally, these tools are, by nature, more scalable. They can be updated, upgraded and expanded as needs change, ensuring they continue delivering value as the business grows. They can also be designed to integrate with any existing IT infrastructure, from CRM systems and databases to marketing platforms and sales tools – leading to more efficient and effective decision-making.

Managing finances with AI

It’s no secret that AI in marketing automation has, and will continue to, revolutionize the way marketing is done. It has a bright, if slightly terrifying, future and can help CMOs to unlock new efficiencies, maximize the impact of their budgets and increase their ROI. And as this technology becomes more advanced, its impact will only increase.

But we already know that…and so does everyone else.

So, in order for businesses to make themselves stand out from the crowd , they must look to fully adopt the power of AI. Creating a customized and unique AI solution could be the way to set yourself apart from your competitors. A bespoke AI tool can provide brands and businesses with features unique to them and their business needs. As a result, companies will benefit from more useful data and better results to make more data-driven decisions for their business. Ultimately, this will help brands to maintain a competitive edge over their competitors, deliver ROI and most importantly optimize their budgets.

Business

Is your business suffering with Fintech FOMO?

Published

2 days ago

September 26, 2023

admin

Tom Kiddle, Chief Commercial Officer at Equals Money

It’s a challenging time for businesses of all sizes, but the past three years created storms that are particularly hard for SMEs to weather. For businesses dealing with shrinking margins, while a weakened pound is making international purchases more costly, it’s a scary time.

For many businesses this meant initially reigning in any unnecessary costs, reducing investment in anything deemed as a ‘nice to have’, and focusing on keeping the lights on. However, despite not being out of the woods in terms of economic challenges, this year many SMEs have their eyes on growth.

While some might have been buoyed by the news that the UK narrowly avoided a recession at the end of last year^[1], data shows businesses were already making investments before this news was released. In fact, UK business investment rose by 4.8% in Quarter 4 (Oct to Dec) 2022, coming in at 13.2% above where it was during the same quarter in 2021^[2].

So, where are SMEs putting their cash? As well as predictable spending on IT equipment, machinery, and transport^[3], businesses are also putting more funding than ever into technology investments – a trend that isn’t slowing down anytime soon. UK tech investment is set to grow at its fastest rate in over 15 years, both in terms of budget but also headcount^[4]

Tom Kiddle

UK businesses are clearly seeing the real opportunity that technology, in all its various forms, presents to their operations. This may also be bolstered by the fact that tech investments are potentially more cost-effective now that the government has made recent changes to R&D tax relief, which sees things like cloud computing and data included in expenditure categories^[5]. When it comes to revamping legacy systems and introducing Fintechs that offer businesses a smarter, easier, automated way of doing business, investing in technology can increasingly feel like a no brainer.

However, it’s rare that a one size fits all solution exists for businesses. What works for your competitor may not offer the same benefits to your organisation. In a world with so many risk factors, making smart investments that are aligned to your individual business goals is key.

Tom Kiddle, Chief Commercial Officer at innovative money movement solution Equals Money, explains four ways businesses can reap the rewards of smart tech investments:

1. Measurement

Can you measure the impact it will have on your business? It doesn’t have to be monetary, but if it gives you efficiency, visibility, or certainty, these can have measurable tangible impacts to your top and bottom line.

2. Insight

Does it tell you something you didn’t know before about your customers, your employees, your suppliers, and their behaviour? What could you do with that information? Often, businesses lack critical insight on their key drivers, and understanding those can open up new opportunities.

3. Action

Pretty charts and graphs make for good reading, but make sure you’re taking action with your new piece of tech. Setting accountability for action from your latest investment will drive your business to achieve a return on that investment and ensure it doesn’t sit on the shelf.

4. Adoption, adoption, adoption

Often, the latest tech trend may seem like a great investment to the motivated few, but look more broadly: if your intended internal target for your new tech fails to adopt the new practice, you won’t achieve the return promised. Also, more likely than not, you’ll frustrate both the key supporters of the new product and those you’re imposing it on.

Innovative technology, particularly in the finance space, can transform the way you do business, but avoid being lured in by solutions that don’t align to your individual needs. Good suppliers should always take the time to give an honest appraisal of whether their product is right for you and should leave you feeling empowered to devote time to what matters most – growing your business.

^[1] HR Solutions, 2022 ^[2] The Guardian, Feb 2023 ^[3] ONS, Dec 2022 ^[4] ONS, Dec 2022 ^[5] Nash Squared Digital Leadership Report, 2022 ^[6] BDO, 2023 [1] The Guardian, Feb 2023 [2] ONS, Dec 2022 [3] ONS, Dec 2022 [4] Nash Squared Digital Leadership Report, 2022 [5] BDO, 2023