PCI DSS Compliance Requirements Three And Four
Submitted by andyeliason, Sun, 8 Jun 2008
PCI DSS compliance is a requirement for every company that stores, processes, or transmits sensitive credit card data. As more and more consumers are made aware of the dangers of identity theft and the ensuing problems when a criminal gets a hold of their credit card data, they will demand more and more security. The PCI DSS was created to help merchants institute the kind of security needed to protect consumers' information.
PCI DSS compliance, however, is not a simple or cheap process. It requires constant maintenance and a large initial investment of time and resources. The question then becomes: is it all worth it? The simple answer is yes. And while, of course, you could say it is worth it due to the penalties and fines involved with not becoming PCI compliant, it is actually more than that. An analysis of some of the requirements will show that they are not only necessary procedures, but also very foundational items for real security practice.

The third and fourth requirements of PCI DSS compliance are all about protecting cardholder data. Requirement number 3 states, in fact, that you must... well... protect cardholder data. This seems like a very generalized statement on the surface, but it actually involves some very specific procedures. Encryption is a big part of this requirement. You should never leave any sensitive information on your system in a form that anyone can read. If anyone should happen to get past your other network defenses, all they should be able to find is a lot of digital nonsense.

Some basic rules that go along with this include: not storing anything on your system you don't absolutely need. After all, if you don't have it, they can't steal it. You should have a retention and disposal policy in place, as well. Keep only what you need for business and legal purposes, and destroy it once its usefulness has passed. You must never store authentication data at all, encrypted or not. This includes magnetic stripe data, validation codes or values, and PIN data. There is simply no reason to store this data. So don't. If for some reason a personal account number must be displayed somewhere, then it must be masked. It must be rendered unreadable where it is stored, and if it is shown on receipts or other items, most of the numbers must be hidden.

Of course, just encrypting something isn't enough. Someone could break the encryption, so it is also vitally important that the encryption keys are strong and well protected. You must restrict access to the keys to as few people as possible, and store them in as few places as possible. This way your keys don't get misplaced, lost, or wind up in the wrong hands. You must also periodically change the keys and be particularly careful about destroying old keys and revoking old or invalid ones.

Requirement four states that you must encrypt transmission of cardholder data across open, public networks. Again, this is one of those requirements that should seem obvious, yet the TJX breach (one of the largest in history) happened because hackers were able to take advantage of some problems in their network. And everything they got was easily readable because they transmitted data across their networks that was not encrypted. Therefore, you must use strong cryptographic and security protocols such as Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Internet Protocol Security (IPsec). You must also be sure that your wireless communications are especially well protected.

These are only two of the twelve requirements, but they are certainly two of the more important. If you're truly looking for long term success then you must have your clients' best interests in mind. The new business environment that we currently work in is hyper-fast paced and continually evolving. The criminals are, unfortunately, evolving just as fast, and your security must be able to keep up. That is what PCI DSS compliance is about: developing a security system that can keep up with the times. Protecting cardholder data is the cornerstone of all your future security endeavors.

About the Author
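As an added illustration of the Requirement 3 rules above (example code written for this page, not code from the article, Main10 or Braintree), a small Python snippet that masks a PAN for display, strips sensitive authentication data before a record is stored, and scans text such as logs for card numbers sitting in the clear. The field names and the sample log lines are constructed for the example; the Luhn check is the standard card-number checksum, used here only to cut false positives when scanning.

```python
import re

# Sensitive authentication data that Requirement 3 says must never be stored
# after authorization, encrypted or not (field names are constructed for this example).
SENSITIVE_AUTH_FIELDS = {"track1", "track2", "cvv", "cvc", "cid", "pin", "pin_block"}

def mask_pan(pan: str) -> str:
    """Render a PAN for display with only the last four digits visible."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return "*" * (len(digits) - 4) + digits[-4:]

def luhn_ok(digits: str) -> bool:
    """Luhn checksum that real card numbers satisfy; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def sanitize_for_storage(record: dict) -> dict:
    """Drop sensitive authentication data and keep only a masked PAN.
    If the full PAN must be retained, that copy has to be encrypted separately."""
    kept = {k: v for k, v in record.items() if k.lower() not in SENSITIVE_AUTH_FIELDS}
    if "pan" in kept:
        kept["pan_masked"] = mask_pan(kept.pop("pan"))
    return kept

# 13-19 digits, optionally separated by spaces or dashes, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_plaintext_pans(text: str) -> list:
    """Scan logs or dumps for card numbers that should never be there in the clear."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

# Constructed sample log: one real-looking test PAN, one order id that fails Luhn,
# and one line that already masks the PAN correctly.
SAMPLE_LOG = """2008-06-08 12:00:01 checkout ok pan=4111 1111 1111 1111 amount=19.99
2008-06-08 12:00:02 order id 1234567890123456 shipped
2008-06-08 12:00:03 receipt printed pan=************1111"""
```

Running `find_plaintext_pans(SAMPLE_LOG)` flags only the first line, which is the kind of unencrypted cardholder data Requirement 3 says should never be retained.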
Andy Eliason is a writer at Main10, Inc. If you'd like to learn more about PCI DSS compliance, or the PCI DSS requirements, visit Braintree Payment Solutions today.
Source: ArticleTrader.com