PCI Compliance
Learn How Prime Factors Can Help You Become PCI Compliant
The Payment Card Industry Data Security Standard (PCI DSS, or simply PCI) is intended to help you proactively protect customer account data. It is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
Prime Factors' newest product, EncryptRIGHT®, was designed to meet PCI requirements and more. It lets you secure cardholder data at rest in databases, business applications and customer-facing applications. EncryptRIGHT supports the latest best practices for implementing enterprise-wide encryption and centralized key management. You can use EncryptRIGHT to encrypt individual data items such as names, salary amounts, account numbers, SSNs, PINs, image files and passwords, as well as grouped items such as credit card information and electronic funds transfer (EFT) records.
EncryptRIGHT also helps you implement end-to-end encryption, currently a topic of hot debate in PCI circles, sparked by recent high-profile data breaches. While Visa, MasterCard, Discover and the other card brands responsible for the PCI standard maintain that it is adequate, some, like payments processor Heartland Payment Systems, aren't so sure. Heartland, which experienced a serious breach in January 2009, has formed an internal department dedicated to implementing end-to-end encryption to protect merchant and consumer data used in financial transactions.
"PCI is a good and effective standard, but the bad guys have become more sophisticated to the point where encryption of data in motion appears to be one of the next required steps," said Robert O. Carr, Heartland's chairman and chief executive officer.
"There is no single 'silver bullet' that will secure payment systems, and constant vigilance and monitoring of the infrastructure will always be required. Nevertheless, I believe the development and deployment of end-to-end encryption will provide us the ability to implement increasing levels of security protection as they become needed."
Even though PCI compliance is no guarantee of 100% protection, the requirements provide a health check for any business that stores or transmits customer information. By adhering to the standard, you maintain customer trust and safeguard the reputation of your brand. Most importantly, you improve your chances of insulating your company from the financial losses and remediation costs associated with data loss or theft. In 2008, according to the Ponemon Institute, the cost per record breached was $202, and the cost of lost business was $139 per record.
Six of the 12 PCI DSS requirements address encryption and key management, and EncryptRIGHT helps you comply with all six. The 12 requirements are:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
The other requirements relate to policies, procedures and network architecture and should be addressed separately from your EncryptRIGHT security solution.
This document presents a requirement-by-requirement evaluation of how EncryptRIGHT meets PCI requirements.
For additional practical information about PCI DSS, see the PCI Security Standards Council website.