Learn How To Become PCI Compliant

The Payment Card Industry Data Security Standard (PCI DSS or PCI) is intended to help you proactively protect customer account data. PCI is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

The standard was created to help companies that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. It applies to all organizations that hold, process, or exchange cardholder information. Validation of compliance can be performed either internally or externally, depending on the volume of card transactions, but regardless of size, compliance must be assessed annually.

From an encryption standpoint, PCI does not provide much guidance. The basic requirement is to use "strong cryptography," but there are many algorithms, dozens of tools, and many ways to deploy each of them. Strong cryptography is often misapplied because the chosen security model does not fit the business use case. The wrong choice leaves data accessible in clear text, resulting in wasted investment and persistent vulnerabilities.

So which encryption method is the best way to achieve PCI encryption compliance? Which options provide security yet keep costs and complexity under control? Data Encryption 101: Pragmatic Guide to PCI-DSS Requirements is an unbiased, educational white paper intended to help you determine the right encryption compliance strategy for your situation.

The white paper makes a strong case for implementing application level encryption when the business case justifies it. That’s one of many ways EncryptRIGHT® can help you achieve PCI compliance for data encryption and key management.

EncryptRIGHT comes bundled with key management, secure audit logs and predefined PCI reporting capabilities. Standard reports are designed to satisfy your Qualified Security Assessor (QSA) and help you pass your PCI audit. Comprehensive central key management ensures that you comply with PCI key management requirements for key generation, distribution, storage, rotation and replacement. An optional tokenization module reduces the scope and cost of a PCI audit. EncryptRIGHT includes:

  • PCI-approved cryptography and key management for one price
  • Reports and audit trails for assessment and verification processes
  • Broad platform support from PC to mainframe
  • A simple desktop application, or an API for application integration
  • Field, file, database and application-level encryption
  • Support for many different development environments
  • Guides to help you get running quickly

Six of the 12 PCI security requirements address encryption and key management, and EncryptRIGHT helps you comply with all six (in bold below):

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

The other requirements relate to policies, procedures and network architecture. This page presents a requirement-by-requirement evaluation of how EncryptRIGHT meets PCI encryption and key management requirements. For additional practical information about PCI DSS try the PCI Security Standards Council website.