Payment Card Industry Data Security Standard (PCI DSS)


The Payment Card Industry Data Security Standard (PCI DSS for short) was developed by the major credit card companies, including Visa, MasterCard, American Express, Discover and JCB, as a guideline to help merchants and transaction-processing companies prevent credit card fraud, cracking and various other security vulnerabilities and threats.

Any company that processes, stores or exchanges payment card data must be PCI DSS compliant; otherwise it risks losing its ability to process credit card payments, as well as being audited and fined.

Version 1.1 of PCI DSS describes 12 requirements that merchants and credit card processing companies need to comply with, under which the Primary Account Number (PAN) has to be securely protected wherever it is stored and transmitted.

Protect Cardholder Data - The Security Challenge


Requirement 3 - Protect Stored Cardholder Data

3.4 Render PAN, at minimum, unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks) by using any of the following approaches:

• Strong one-way hash functions (hashed indexes)
• Truncation
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key management processes and procedures.

The MINIMUM account information that must be rendered unreadable is the PAN.
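As an added example (not part of the original page and not Bloombase's code), the following Python applies two of the approaches listed above, truncation and a keyed one-way hash, to card numbers found in constructed log lines, since Requirement 3.4 explicitly covers PANs in logs. The first-six/last-four truncation layout, the key value and the log text are assumptions.

```python
import hashlib
import hmac
import re

# Constructed example key. In production the key belongs in an HSM or
# key manager and is protected as Requirement 3.5 demands.
HASH_KEY = b"constructed-example-key-do-not-use"

# A bare run of 13 to 19 digits is a candidate PAN; the Luhn check below
# filters out order numbers and timestamps that happen to look similar.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: True for a structurally valid card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep first six and last four digits, mask the middle."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed one-way hash (HMAC-SHA256) usable as a lookup index.

    An unkeyed hash is not enough here: valid PANs form a small space,
    so a plain SHA-256 of a PAN can be reversed by brute force.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid digit run in a log line by its truncated form."""
    def _mask(match: re.Match) -> str:
        value = match.group()
        return truncate_pan(value) if luhn_valid(value) else value
    return PAN_RE.sub(_mask, line)


# Constructed sample log lines (test card numbers, not real accounts).
SAMPLE_LOG = [
    "2024-01-01 order 1234567890123456 paid with 4111111111111111 OK",
    "2024-01-01 refund to 5500000000000004 amount 12.00",
]


def scrub_log(lines: list[str]) -> list[str]:
    return [scrub_log_line(line) for line in lines]
```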

3.5 Protect encryption keys used for encryption of cardholder data against both disclosure and misuse.

Requirement 4 - Encrypt transmission of cardholder data across open, public networks

4.1 Use strong cryptography and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) and Internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks.

PCI DSS was established to mandate that enterprises protect the privacy of cardholder personal information through effective data security measures. To ensure data integrity, traditional solutions rely on audit trails and logging, which are exhaustive to maintain and cannot prevent deliberate alteration. Audit trails are often considered resource-expensive and relatively unsafe, since the contents of audit logs can themselves be tampered with, leaving no trace of the unauthorized act.

To protect data from unwanted disclosure, one might suggest access control to block unauthorized users from reading sensitive data. However, administrators and operators with superuser privileges have full access to all system resources, even resources they do not own. Against these privileged users, access control means nothing.

Existing security measures cannot protect data from alteration. Statistics show that private enterprises raise their investment in data security by 30% yearly. However, the number of data security incidents grows at the same rate, if not faster [CERT, IDC, RBCCM 2002].

PricewaterhouseCoopers reported that 50-80% of data attacks come from company insiders. The CSI/FBI survey of 2002 showed that insider attacks caused the industry monetary losses of more than USD 50 million.

Command-based encryption utilities only work on offline archives rather than processing live data on the fly. They require substantial manual operation by administrators and, in the end, the data is still unsafe. Volume protection is transparent to applications, but it is limited to direct-attached storage and does not scale for enterprise use.

Bloombase Solution

Bloombase created the Spitfire security platform to address the compliance requirements set out by PCI DSS and ensure true privacy of credit cardholder information. Spitfire security servers protect encryption and digital signing keys inside a hardware security module (HSM) against disclosure and duplication. Spitfire servers encrypt data with NIST-certified AES, 3DES and DES cryptographic algorithms and create digital signatures to assure data integrity using international standards including Public Key Infrastructure (PKI), X.509 digital certificates and W3C XML digital signatures.

Data Integrity

Spitfire SOA server signs financial documents and archives with digital certificates. A digital signature provides evidence of any alteration to the data that was signed. Spitfire SOA signs plain data, data files, XML documents, emails and Adobe PDF files. Spitfire SOA server detects data changes by verifying the signature value and the previously generated message digests against the signer's digital certificate. Corporations gain assurance over financial data archives and guarantee data integrity by using Spitfire SOA server.

Data Confidentiality and Change Resistance

Spitfire StoreSafe protects storage data with strong encryption. Encrypted data appears as garbage, meaningless to unauthorized users. Intruders would have to expend tremendous effort to undo the encryption, which is considered technically impossible. Seeing confidential data appear as corrupted information, trespassers and casual crackers quickly lose interest and turn to other, plain data instead. Disappointment and frustration are the best weapons against hackers, who seek fun and do not like spending time on difficult tasks.

Application Transparency

Spitfire servers are network-based hardware appliances that fit easily into any enterprise system without invading the existing computing infrastructure. Spitfire operates as a network black box transferring data between components of a system. Spitfire inspects network packets for plain data and encrypts them before forwarding them to the data's original destination. As encrypted data passes back through Spitfire, the Spitfire Cryptographic Engine (SCE) immediately decrypts it and delivers plain data to the next hop. Spitfire guarantees zero-downtime deployment and works transparently under the covers without intervention from applications or users.

No Single Point of Failure

Mission-critical systems require an extra high level of service availability. To cope with customers' ever-increasing storage and demanding service requirements, Spitfire servers are built for mission-critical use as well. Spitfire servers are high-availability (HA) ready, and corporations can run multiple Spitfire boxes in a cluster. Failure of any single Spitfire appliance does not affect service of the entire cluster.

Effective Compliance

To address PCI DSS requirements, enterprises should act immediately to secure their customers' credit card data. The Bloombase Spitfire Security Platform provides a cost-effective, scalable and secure solution to protect this information and shields your company from business interruptions and unwanted fines. Contact us for more information about Bloombase security solutions.

For more information about PCI DSS, please visit http://www.pcisecuritystandards.org/