Retail PCI Compliance

Protect Cardholder Data

Protecting cardholder data, including making it unreadable to unauthorized people, is the main goal of the PCI DSS. Cardholder data is defined as “any information printed on or stored on a payment card.” This includes data stored digitally on the magnetic stripe on the back of the card or in a chip embedded in the front of some cards, as well as the primary account number, cardholder’s name, service code and expiration date.

Requirement #3: Protect stored cardholder data
Protection methods such as encryption, truncation, masking and hashing are critical components of cardholder data protection. If an intruder gets through other network security controls and gains access to encrypted data, that data is unreadable and unusable without the proper keys. Other effective methods of protecting stored data include not storing cardholder data unless absolutely necessary, truncating cardholder data if the full primary account number is not needed and not sending primary account numbers in unencrypted e-mails.

  • Ensure applications used in the business prevent prohibited cardholder data such as CVV and AV23 from being stored in system logs, a data warehouse or database
  • Always make sure the primary account number is unreadable wherever it’s stored
  • Apply policies necessary to detect all changes made to any computing systems that support front and back-end processes involving credit card processing as well as any computing systems that store cardholder data
  • Have a workflow that ensures management signs off on approved changes
  • Have a manual or automated means of reconciling detected changes with authorized changes
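The following Python helpers are an added example for Requirement #3 and are not code from the original page or from any PCI document. They show three of the methods named above on a constructed log sample: masking a PAN to first six and last four, replacing it with a keyed hash (HMAC-SHA256 is my choice of "hashing"; the key handling is an assumption), and a scrubber that detects PANs and CVV fields in application log lines before they are written. The log lines are constructed, and 4111111111111111 is a well-known test card number, not a real account.

```python
import hashlib
import hmac
import re
from typing import Tuple

# Constructed sample log lines; the PAN is a standard test number.
SAMPLE_LOG_LINES = [
    "2024-01-01T10:00:00Z INFO checkout ok pan=4111111111111111 cvv=123 exp=12/26",
    "2024-01-01T10:00:01Z INFO cart total=49.99 order=10023",
    "2024-01-01T10:00:02Z WARN retry pan=4111 1111 1111 1111",
]

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Prohibited authentication data written as key=value (field names are an assumption).
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}")


def luhn_ok(digits: str) -> bool:
    """Luhn check so that order numbers and timestamps are not mistaken for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six / last four, the most PCI DSS allows to be displayed."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash of the PAN for use as a lookup token.

    A plain unkeyed hash is not enough: the PAN space is small, so an attacker
    who obtains the hashes could recompute them. The key must live in a key
    management system, never beside the hashes (assumed, not shown here).
    """
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def scrub_log_line(line: str) -> Tuple[str, int]:
    """Return the line with PANs masked and CVV values removed, plus a finding count."""
    findings = 0

    def _pan(m: "re.Match[str]") -> str:
        nonlocal findings
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings += 1
            return mask_pan(digits)
        return m.group(0)  # not Luhn-valid: leave it alone

    def _cvv(m: "re.Match[str]") -> str:
        nonlocal findings
        findings += 1
        return m.group(1) + "=[REDACTED]"

    out = PAN_RE.sub(_pan, line)
    out = CVV_RE.sub(_cvv, out)
    return out, findings


if __name__ == "__main__":
    for raw in SAMPLE_LOG_LINES:
        cleaned, n = scrub_log_line(raw)
        print(f"{n} finding(s): {cleaned}")
    print(hash_pan("4111111111111111", b"demo-key-from-kms"))
```

In practice the scrubber sits in the logging pipeline (a logging filter or the log shipper) so that prohibited data never reaches the log store, and the detection counter feeds a monitoring alert, since any hit means an application is emitting data it should not.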

Requirement #4: Encrypt transmission of cardholder data across open, public networks
Cyber criminals may be able to intercept transmissions of cardholder data that cross open, public networks. To prevent data that moves across open, public networks from being read, the PCI DSS requires it to be encrypted. This applies when it travels over the public Internet, other public networks and wireless networks. Examples of open, public networks include the Internet, wireless hot spots, the Global System for Mobile Communications (GSM), etc.

  • Use strong cryptography and security protocols such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to protect sensitive cardholder data during transmission
  • Use the industry standard best practices, like IEEE 802.11x, to implement strong encryption for authentication and transmission within the security of wireless networks transmitting cardholder data
  • Use industry standard best practices to implement strong encryption for authentication and transmission
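As an added example for Requirement #4 (not code from the page or from any PCI document), the block below builds a TLS client context in Python's `ssl` module that enforces certificate and hostname verification and refuses anything below TLS 1.2, next to a deliberately weak context of the kind an audit should flag, and an audit function that checks a context against those three points. The TLS 1.2 floor reflects PCI DSS v3.1 and later, which no longer count SSL and early TLS as strong cryptography. Function names are mine; `negotiated_version` needs network access and is only there to show how the hardened context is used.

```python
import socket
import ssl
from typing import List


def hardened_context() -> ssl.SSLContext:
    """Client context that meets the transmission requirement as read here."""
    # create_default_context(): CERT_REQUIRED, check_hostname=True, system CA store
    ctx = ssl.create_default_context()
    # Rule out SSL 2/3 and TLS 1.0/1.1 regardless of library defaults.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_context() -> ssl.SSLContext:
    """Deliberately weak context, for contrast only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE     # any certificate is accepted, so the peer is unauthenticated
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # whatever the library still speaks
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the list of ways a context falls short; empty means it passes."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified")
    if not ctx.check_hostname:
        problems.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        name = getattr(ctx.minimum_version, "name", str(ctx.minimum_version))
        problems.append(
            f"minimum protocol version is {name}; SSL and early TLS are not strong cryptography"
        )
    return problems


def negotiated_version(host: str, port: int = 443) -> str:
    """Connect with the hardened context and report the negotiated protocol (needs network)."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_context()), ("weak", weak_context())):
        print(label, audit_tls_context(ctx) or "OK")
```

The same three checks (peer verification on, hostname matched, protocol floor at TLS 1.2) are what to look for in any client library or proxy configuration that carries cardholder data, and they are cheap to assert in a unit test so that a later change cannot silently weaken them.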