PCI DSS Compliance: Safeguarding Credit and Debit Card Account Security

High Volume Environment

Credit and debit cards – payment cards, in the language of the industry – have become the primary means of consumer payment. Payment cards are also used for other transactions such as ATM deposits, while payment card account information is used for most online transactions.

The total volume of these card transactions is enormous – tens of millions of transactions each day, with an annual volume in the trillions of dollars. Yet this immense flow of transactions also involves highly sensitive data: individuals' credit and debit card numbers (primary account numbers, or PANs). This information is highly sought-after by criminals, since it can allow them to strip bank accounts or max out credit card accounts undetected.  

Software systems to handle all these transactions must be developed and tested, then upgraded and maintained throughout their life cycle. Even a brief outage would be a major disruption for consumers and firms, perhaps for the entire economy. And development and testing must be carried out with realistic data.

It all adds up to a major security challenge, including a host of compliance issues. These include not only compliance with government regulations, such as the Gramm-Leach-Bliley Act (GLBA), but also compliance with payment card industry standards.


Overview

The Payment Card Industry Data Security Standards (PCI DSS) apply to both card issuers and merchants accepting payments. Formal validation requirements vary, but all firms using cards covered by the system – which includes all major credit and debit cards – must be in compliance. Firms found to be non-compliant are subject to substantial fines, even if no consumer data was actually compromised. If data has been compromised, larger fines are assessed.  

The rules set forth in the PCI DSS apply not only to consumer-facing systems such as terminals at checkout counters. Compliance standards are also in place for back-end operations such as development and testing of payment system software.

These tasks are often outsourced to specialist firms, meaning that the end user (such as a retail merchant taking payment cards) has no direct vetting of the work force involved in designing and testing the payment software. It is therefore crucial that development and testing take place within a framework that ensures data security and PCI DSS compliance.

The combination of transaction volume, required availability, and compliance standards adds up to a challenging security environment. Happily, powerful security tools such as Data Masking are available to help firms safeguard their customers' information.


Protecting Personal and Financial Data using Data Masking

A growing retailer is upgrading its software for handling customer payments made using payment card (credit or debit card) data, both for in-store and Internet transactions. The new software must be comprehensively tested before it goes online. But the testing program must ensure compliance with PCI DSS rules for protection of cardholder information. In particular:

PCI DSS requirement 6.3.4 specifies that "production data [primary account numbers, or PANs] are not used for testing or development."

The retailer takes proactive measures by adopting a Data Masking solution. Primary account numbers (PANs) and other sensitive customer data are automatically replaced with generated artificial data before datasets are passed out through the security firewall. Application development and testing teams receive only this sanitized data.
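The masking step described above, as an added illustration that is not GRT Corporation's product code: each PAN is replaced with a synthetic number that keeps the issuer prefix and length and passes the Luhn check, so test software behaves realistically, while a keyed one-way hash makes the replacement deterministic (joins between test tables still line up) but not reversible. The masking key, the sample rows and the PANs (well-known test numbers, not live accounts) are constructed for this example.

```python
import hashlib
import hmac

# Constructed sample rows. These PANs are standard test numbers, not real accounts.
SAMPLE_ROWS = [
    {"customer_id": 1, "pan": "4111111111111111", "name": "A. Example"},
    {"customer_id": 2, "pan": "5500000000000004", "name": "B. Example"},
    {"customer_id": 3, "pan": "4111111111111111", "name": "A. Example"},  # repeat customer
]

# Hypothetical masking key; it would live only inside the production boundary.
MASKING_KEY = b"constructed-demo-key-not-for-production"


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn check digit for a digit string that lacks its check digit."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # rightmost payload digit is doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def mask_pan(pan: str, key: bytes = MASKING_KEY) -> str:
    """Replace a PAN with a synthetic one: same first six digits, same length, valid Luhn.
    HMAC-SHA256 over the PAN gives a stable mapping per key with no inverse; a counter
    guards against the (negligible) case where the output equals the input."""
    if not luhn_valid(pan) or not 13 <= len(pan) <= 19:
        raise ValueError("input is not a syntactically valid PAN")
    prefix, body_len = pan[:6], len(pan) - 7
    for counter in range(16):
        digest = hmac.new(key, pan.encode() + bytes([counter]), hashlib.sha256).hexdigest()
        body = str(int(digest, 16)).zfill(body_len)[:body_len]  # digits derived from the hash
        candidate = prefix + body + luhn_check_digit(prefix + body)
        if candidate != pan:
            return candidate
    raise RuntimeError("could not derive a distinct synthetic PAN")


def mask_dataset(rows: list, key: bytes = MASKING_KEY) -> list:
    """Return a sanitized copy of the rows with every PAN replaced; input rows are untouched."""
    return [{**row, "pan": mask_pan(row["pan"], key)} for row in rows]


def leaks_production_pan(masked_rows: list, production_pans: set) -> bool:
    """Release gate before data leaves the firewall: True if any live PAN survived masking."""
    return any(row["pan"] in production_pans for row in masked_rows)
```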

Sensitive personal data and account numbers are thus protected throughout the payment software development process. Moreover, the protective measures will allow the retailer to undertake system maintenance and further development with confidence that PCI DSS compliance is already in place.

 

Providing Comprehensive Security

GRT Corporation is committed to security as a complete process, holistic and proactive. Compliance with PCI DSS standards, along with other standards for management of financial data, is ensured by protecting data both "at rest" and "in motion." Strong firewall and checkpoint protection safeguards your firm's sensitive customer data against both deliberate attack and inadvertent exposure.

 

Contact us to ease your compliance burden now