Payment Card Industry Data Security Standard (PCI DSS) Auditing and Compliance

Any business that transmits, processes or stores cardholder data must comply with the PCI DSS. Thales eSecurity can help simplify the PCI DSS compliance effort

Global Map

Mandate

Active now

PCI DSS Requirements

Merchants, banks, payment service providers, and other parties that play a role in processing credit and debit card payments must protect the privacy of account data—both to meet core business goals and to fulfil obligations under the Payment Card Industry Data Security Standard (PCI DSS). The standard defines strict compliance requirements for the processing, storage, and transmission of account data. PCI DSS compliance must be validated periodically, and failure to comply can result in fines or even the termination of the ability to process card payments.

Thales eSecurity can help organizations working with cardholder data to comply with several aspects of PCI DSS compliance, including those relating to data encryption, access control, authentication, monitoring and auditing.

PCI DSS

Download our PCI Compliance & Data Protection for Dummies book.

Check out our Top 10 keys to PCI DSS success.

Check out our Top 10 actions to avoid common PCI DSS pitfalls.

Over 200 Tests against Six Core Principles

The PCI DSS standard (www.pcisecuritystandards.org) involves assessment against over 200 tests that fall into 12 general security areas representing six core principles. These PCI DSS tests span a wide variety of common security practices along with technologies such as encryption, key management, and other data protection techniques.

Risks Associated with PCI DSS Auditing and Compliance
  • Failure to comply can result in fines, increased fees, or even the termination of your ability to process payment card transactions.
  • Complying with the PCI DSS cannot be considered in isolation; organizations are subject to multiple security mandates and data breach disclosure laws or regulations. On the other hand, PCI compliance projects can easily be side-tracked by broader enterprise security initiatives.
  • Guidance and recommendations linked to PCI DSS requirements include common practices that are likely to be already in place. However some aspects, specifically those associated with encryption, might be new to the organization and implementations can be disruptive, negatively impacting operational efficiency if not designed correctly.
  • It is all too easy to end up with a fragmented approach to security based on multiple proprietary vendor solutions and inadequate technologies that are expensive and complex to operate.
  • Opportunities exist to reduce the scope of PCI DSS obligations and therefore reduce cost and impact; however, organizations can waste time and money if they do not exercise care to ensure that new systems and processes will in fact be accepted as compliant.
An Integrated Compliance Solution

Drawing on decades of experience helping banks and financial institutions comply with industry mandates, Thales eSecurity offers integrated products and services that enable you to protect stored cardholder data, encrypt it for transfer, and restrict access on a need to know basis. In addition, Thales works closely with partners to offer comprehensive solutions that can reduce the scope of your compliance burden.

Addressing the Six Core Principles of PCI DSS

Thales eSecurity offers comprehensive solutions that help organizations address the six core principles of PCI DSS:

  • Protect cardholder data. Compliance requires the encryption of cardholder data flowing over public networks and the protection of stored cardholder data. This begins at the transaction. Thales eSecurity nShield and payShield HSMs work with leading mobile device payment acceptance (mPOS) solutions as well as leading payments data protection solutions to protect cardholder data and help ensure PCI DSS compliance. Merchant organizations also need to deploy network encryption and SSL/TLS encryption for protecting data in transit and technologies such as Vormetric Transparent Encryption for storage and database encryption, Vormetric Application Encryption, Vormetric Tokenization with Dynamic Masking, and ‘point-to-point’ encryption to protect data at rest and reduce scope.
  • Implement strong access control measures. All data protection techniques go hand-in-hand with access controls. Cryptographic technologies such as PKI and digital certificates are widely used to go beyond password-grade security for authenticating users and systems. Furthermore, using the Vormetric Data Security Manager and Vormetric Encryption Key Management to control access to data decryption keys so as to unlock encrypted data only on a “need to know” basis provides a powerful additional layer of security.
  • Build and maintain a secure network. In addition to network level encryption, an essential component of network security is the strong authentication of network devices; digital credentials are increasingly employed at the device level to control network access and are an important security consideration for a corporate PKI.
  • Regularly monitor and test networks. Control and monitoring of all network access to sensitive data, including that by privileged users, must be underpinned by PCI-compliant audit logs. Vormetric Transparent Encryption provides logging of access at the file-system level, supporting log storage in the Vormetric Data Security Manager, in an organization’s security information and event management (SIEM) system, or in another log collection solution.
  • Maintain a vulnerability management program. The rise of advanced persistent attacks that attempt to corrupt business applications by injecting malware has brought the use of digital signatures and code signing into focus as a way to prove the integrity and authenticity of business systems and application software.
  • Maintain an information security policy. PCI DSS places great emphasis on establishing a clear separation of duties between staff members to minimize the risk of insider attack. The Vormetric Data Security Manager provides a powerful mechanism to enforce this separation and for creating a trusted record of events to demonstrate compliance.

eBooks : PCI Compliance & Data Protection for Dummies

If your business relies on card payments and faces the challenge of maintaining ongoing compliance with PCI DSS, this book is for you. It explains the requirements for protecting account data, controlling access to the data and the associated monitoring and logging activities that you need to adopt. Ultimately the book acts as a valuable and practical reference guide that you can come back to time and again to assist with your ongoing compliance and help you avoid the common pitfalls that can lead to serious data breaches or failed audits.

Download

Research and Whitepapers : Using Encryption and Access Control for PCI DSS 3.0 Compliance in AWS

Compliance and security continue to be top concerns for organizations that plan to move their environment to cloud computing. Besides that, achieving PCI compliance is not a simple task....

Download

Research and Whitepapers : Vormetric Data Security: Complying with PCI DSS 3.0 Encryption Rules

This white paper outlines how to use Vormetric Transparent Encryption to meet PCI DSS 3.0 Requirements with Data-at-Rest Encryption, Access Control and Data Access Audit Logs in traditional server, virtual, cloud and big data environments....

Download

Research and Whitepapers : Fortrex: Evaluation of the Vormetric Token Server

Fortrex Qualified Security Assessor (QSA) evaluated the Vormetric Token Server, and determined when properly implemented and configured within a secured cardholder environment, it can reduce the scope of the systems included in the scope of a PCI DSS assessment. They also qualified that the solution can be leveraged to tokenize other sensitive data within a corporate environment. Fortrex detailed their evaluation process in their white paper, Evaluation of the Vormetric Token Server.

Download

Other key data protection and security regulations

GDPR

GDPR Thumbnail

Regulation

25 May 2018

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organisation that processes the personal data of EU citizens - regardless of where the organisation is headquartered.

Learn More

PCI DSS

GDPR Thumbnail

Mandate

Active Now

Any organisation that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Learn More

Data Breach Notification Laws

eIDAS

Regulation

Active now

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbour” clause.

Learn More
Contact a Compliance Specialist Contact Us
Are you fit for GDPR Take our readiness assessment now
Read the Compliance and Regulations Solutions Handbook Read the eBook

Related Solutions

The Vormetric Data Security Platform

The Vormetric Data Security Platform products from Thales e-Security make it efficient to manage data-at-rest security across your entire organization.

Learn More

Vormetric Transparent Encryption

Vormetric Transparent Data Encryption from Thales e-Security provides enterprise encryption and key management to secure any file, any database, and application in physical, virtual and cloud environments.

Learn More

Vormetric Key Management

Vormetric Enterprise Key Management from Thales e-Security secures and manages encryption keys across the enterprise.

Learn More
Vormetric Encryption delivers what we need it to do – without any fuss or drama – knowing it’s in place is one less thing to worry about. Albert AvilaBusiness Solutions Specialist, Fujitsu America, Inc.

As a global payment solutions and commerce enablement leader, Verifone’s strategy is to develop and deploy “best in class” payment solutions and services that meet or exceed global security standards and help our clients securely accept electronic payments across all channels of commerce. We… Joe Majka,Chief Security Officer

The Vormetric solution not only solved all of our encryption needs but alleviated any fears of the complexity and overhead of managing the environment once it was in place. Joseph Johnson,chief information security officer CHS
My concern with encryption was the overhead on user and application performance. With Thales e-Security, people have no idea it’s even running. Karl MudraCIO
Delta Dental of Missouri
Vormetric’s approach of coupling access control with encryption is a very powerful combination. We use it to demonstrate to clients our commitment to preserving the security and integrity of their test cases, data and designs. David VargasInformation Security Architect
Cadence Design Systems
Implementing Vormetric has given our own clients an added level of confidence in the relationship they have with us; they know we’re serious about taking care of their data. Audley Deansenior director of Information Security,
BMC Software
There is absolutely no noticeable impact on the performance or usability of applications. I am very excited at how easy the solution is to deploy and it has always performed flawlessly. Christian MuusDirector of Security for Teleperformance EMEA
Thales e-Security is our standard. Whenever an encryption solution is needed, the answer is always, ‘let’s start with Thales e-Security. Damian McDonaldVice President of Global Information Security, Becton, Dickinson and Company
Watch our interactive demo Explore
Schedule a live demo Schedule
Get in contact with a specialist Contact us