Payment Card Industry Data Security Standard (PCI DSS) Auditing and Compliance

The PCI DSS standard (www.pcisecuritystandards.org) involves assessment against over 200 tests that fall into 12 general security areas representing six core principles. These PCI DSS tests span a wide variety of common security practices along with technologies such as encryption, key management, and other data protection techniques.

• Failure to comply with PCI DSS compliance requirements can result in fines, increased fees, or even the termination of your ability to process payment card transactions.
• Complying with the PCI DSS cannot be considered in isolation; organizations are subject to multiple security mandates and data breach disclosure laws or regulations. On the other hand, PCI compliance projects can easily be side-tracked by broader enterprise security initiatives.
• Guidance and recommendations linked to PCI DSS requirements include common practices that are likely to be already in place. However some aspects, specifically those associated with encryption, might be new to the organization and implementations can be disruptive, negatively impacting operational efficiency if not designed correctly.
• It is all too easy to end up with a fragmented approach to security based on multiple proprietary vendor solutions and inadequate technologies that are expensive and complex to operate.
• Opportunities exist to reduce the scope of PCI DSS compliance obligations and therefore reduce cost and impact; however, organizations can waste time and money if they do not exercise care to ensure that new systems and processes will in fact be accepted as PCI DSS compliant.

Drawing on decades of experience helping banks and financial institutions comply with industry mandates, Thales eSecurity offers integrated products and services that enable you to protect stored cardholder data, encrypt it for transfer, and restrict access on a need to know basis. In addition, Thales works closely with partners to offer comprehensive solutions that can reduce the scope of your PCI DSS compliance burden.

Thales eSecurity offers comprehensive PCI DSS compliance software solutions that help organizations address the six core principles of PCI DSS:

• Protect cardholder data. Compliance with PCI DSS requires the encryption of cardholder data flowing over public networks and the protection of stored cardholder data. This begins at the transaction. Thales eSecurity payShield HSMs work with leading mobile device payment acceptance (mPOS) solutions as well as leading payments data protection solutions to protect cardholder data and help ensure PCI DSS compliance. Merchant organizations also need to deploy technologies such as Vormetric Transparent Encryption for storage and database encryption, Vormetric Application Encryption, Vormetric Tokenization with Dynamic Masking, and ‘point-to-point’ encryption to protect data at rest and reduce scope.
• Implement strong access control measures. All data protection techniques go hand-in-hand with access controls. Using the Vormetric Data Security Manager and Vormetric Encryption Key Management to control access to unlock encrypted data provides a powerful additional layer of security.
• Regularly monitor and test networks. Control and monitoring of all network access to sensitive data, including that by privileged users, must be underpinned by PCI-compliant audit logs. Vormetric Transparent Encryption provides logging of access at the file-system level, supporting log storage in the Vormetric Data Security Manager, in an organization’s security information and event management (SIEM) system, or in another log collection solution.
• Maintain an information security policy. PCI DSS places great emphasis on establishing a clear separation of duties between staff members to minimize the risk of insider attack. The Vormetric Data Security Manager provides a powerful mechanism to enforce this separation and for creating a trusted record of events to demonstrate compliance.