Meeting PCI Requirements for Encryption
The Payment Card Industry Data Security Standard (PCI DSS) outlines hundreds of requirements for storing, processing, and transmitting cardholder data. Any business that accepts payments from any of the major card networks must comply with this standard.
One of the primary questions merchants have - and, arguably, one of the most critical components of PCI compliance - is how to meet the detailed encryption requirements.
Two PCI DSS requirements, Requirements 3 and 4, deal explicitly with encryption: the first with data at rest, the second with data in transit. Cryptography is threaded throughout the rest of the standard as well, from key management to the TLS configuration of every system in scope.
Encryption for PCI Compliance: Requirements 3 and 4
PCI DSS requirements 3 and 4 contain extensive details on how a company should encrypt cardholder data to achieve compliance.
Requirement 3: Protect stored cardholder data
Encryption, masking, hashing, and tokenization - to name a few - are the methods the standard names for rendering stored account data unreadable, and using at least one of them is necessary for maintaining compliance. Properly protecting data at rest means that a copy of the stored form is effectively useless to an attacker who obtains it. The scope is account data as a whole, not just the PAN: cardholder data (PAN, cardholder name, expiration date, service code) and sensitive authentication data (full track data, card verification codes, PINs and PIN blocks). The latter category may not be retained after authorization at all, so for it the question is not how to encrypt but how to prove it is never stored.
PCI DSS Requirement 3 outlines these encryption requirements in seven sections:
- Requirement 3.1: Encryption processes are documented.
- Requirement 3.2: Only store account data that is necessary to keep; otherwise don’t store it.
- Requirement 3.3: Do not store sensitive authentication data (SAD) after authorization.
- Requirement 3.4: Restrict display of the full PAN (masking it to at most the BIN and last four digits for anyone without a documented business need) and prevent copying or relocating PAN over remote-access technologies.
- Requirement 3.5: Render PAN unreadable wherever it is stored, using one-way hashing, truncation, index tokens, or strong cryptography with associated key management.
- Requirement 3.6: Secure the cryptographic keys used to protect stored account data.
- Requirement 3.7: Implement key management processes and procedures covering all aspects of the key lifecycle.
Learn more about PCI DSS Requirement 3.
Requirement 4: Encrypt transmission of cardholder data across open, public networks
In simple terms, PCI DSS requirement 4 is all about protecting cardholder data while it is traveling across open, public networks, like the internet. Wireless networks that transmit PAN or connect to the cardholder data environment must follow industry best practices for authentication and transmission, and PAN itself must be protected with strong cryptography every time it crosses an open network: only trusted keys and certificates accepted, only secure protocol versions and configurations supported, with no fallback to insecure ones.
PCI DSS Requirement 4 outlines the encryption requirements for data in transit in two sections:
- Requirement 4.1: Document processes used to protect cardholder data with strong cryptography during transmission over open, public networks.
- Requirement 4.2: PAN must be protected with strong cryptography during transmission.
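The criteria behind Requirement 4.2.1 (trusted certificates only, no fallback to insecure protocol versions, appropriate encryption strength) can be turned into a static check that a CI pipeline runs against every outbound TLS configuration. The following Go program is an added example written for this article, not code from PCI SSC or from the vendor described on this page; the function names `PCIClientConfig`, `LegacyClientConfig` and `CheckTLSConfig` are hypothetical, and the "legacy" configuration is a constructed example of the kind of settings that fail the check. Certificate expiry and revocation are not covered here; Go's verifier enforces those at handshake time when `InsecureSkipVerify` is left false.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// PCIClientConfig returns a tls.Config that meets the 4.2.1 criteria: the
// server certificate is verified against trusted roots (InsecureSkipVerify
// stays false), the protocol cannot fall back below TLS 1.2, and for TLS 1.2
// only forward-secret AEAD suites are offered (TLS 1.3 suites are fixed by the
// Go runtime and are not configurable).
func PCIClientConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// LegacyClientConfig is a constructed "before" configuration: certificate
// validation disabled, early TLS allowed, and an RC4 suite still enabled.
func LegacyClientConfig() *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true,
		MinVersion:         tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_RC4_128_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

func versionName(v uint16) string {
	switch v {
	case tls.VersionTLS10:
		return "TLS 1.0"
	case tls.VersionTLS11:
		return "TLS 1.1"
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

// CheckTLSConfig returns one finding per 4.2.1 criterion the config fails.
// An empty slice means the config passes this static policy check.
func CheckTLSConfig(cfg *tls.Config) []string {
	if cfg == nil {
		return []string{"nil tls.Config: every setting falls back to the toolchain default; pin MinVersion explicitly"}
	}
	var findings []string
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify=true: server certificates are not validated, so untrusted keys and certificates are accepted")
	}
	switch {
	case cfg.MinVersion == 0:
		findings = append(findings, "MinVersion unset: the minimum protocol version depends on the Go release; pin it to tls.VersionTLS12 or higher")
	case cfg.MinVersion < tls.VersionTLS12:
		findings = append(findings, "MinVersion "+versionName(cfg.MinVersion)+": SSL/early TLS permitted, the connection can fall back to an insecure version")
	}
	// Go maintains its own list of suites it considers insecure (RC4, 3DES,
	// CBC-SHA256); any of them in the configured list is a finding.
	insecure := map[uint16]string{}
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.ID] = cs.Name
	}
	for _, id := range cfg.CipherSuites {
		if name, ok := insecure[id]; ok {
			findings = append(findings, "cipher suite "+name+" is on Go's insecure list")
		}
	}
	return findings
}

func main() {
	for name, cfg := range map[string]*tls.Config{"legacy": LegacyClientConfig(), "pci": PCIClientConfig()} {
		findings := CheckTLSConfig(cfg)
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Run it and the legacy configuration produces three findings (skipped verification, TLS 1.0 minimum, RC4 suite) while the hardened one produces none. The check is intentionally conservative about an unset `MinVersion`: relying on the toolchain default means the effective policy changes when the Go version does, which is exactly the kind of drift an assessor will ask about.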
Learn more about PCI DSS Requirement 4.
Additional Encryption Requirements
PCI DSS lays out a few additional details with guidance that merchants should follow when encrypting cardholder data.
First, not just any level of encryption will suffice to achieve PCI compliance. PCI DSS requires "strong cryptography", which its glossary defines by example as industry-tested and accepted algorithms with appropriate key lengths: AES with 128-bit or longer keys, TDES with triple-length keys, RSA with 2048-bit or longer keys, and ECC with 224-bit or longer keys. Deprecated protocols and primitives do not qualify: SSL and early TLS (1.0 and 1.1), for instance, were required to be retired from PAN-carrying connections in 2018. The same bar applies to backups of cardholder data, which are often the weakest copy.
Key management practices are also essential for maintaining compliance. Keys must be securely generated, distributed, stored, rotated at the end of their cryptoperiod, and retired or destroyed, and access to them must be limited to the fewest custodians necessary. Requirement 3.6 spells out the storage rule: decryption keys must not be tied to user accounts, and where a key-encrypting key is used it must be at least as strong as the data-encrypting key it protects and be stored separately from it. Similar to a physical key that you wouldn’t store next to the lockbox it unlocks, it is pivotal that keys are kept apart from the encrypted data they can decrypt, so that a copy of the database alone reveals nothing.
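The two preceding paragraphs describe strong cryptography and key separation in the abstract; the following Go program is an added example, written for this article rather than taken from the page or any vendor, of the envelope-encryption pattern that realises both. Each PAN is encrypted under its own data-encrypting key (DEK) with AES-256-GCM, the DEK is wrapped under a key-encrypting key (KEK) that lives in a separate key store, and only the wrapped DEK and ciphertext go into the application database. The `KeyStore` type is a hypothetical stand-in for an HSM, cloud KMS or dedicated key server; the key identifier and the PAN `4111111111111111` are constructed test values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// KeyStore stands in for the separate store (HSM, KMS, key server) that holds
// key-encrypting keys. The application database never sees a KEK; it stores
// only wrapped DEKs next to ciphertext, so neither store alone yields a PAN.
type KeyStore struct {
	keks map[string][]byte
}

func NewKeyStore() *KeyStore { return &KeyStore{keks: map[string][]byte{}} }

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// GenerateKEK creates a 256-bit key-encrypting key (AES-256 is on the PCI DSS
// list of strong cryptography) and stores it under id.
func (ks *KeyStore) GenerateKEK(id string) error {
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		return err
	}
	ks.keks[id] = kek
	return nil
}

// DestroyKEK is the end of the key lifecycle (Requirement 3.7): once the KEK
// is gone, every DEK wrapped under it, and every PAN under those DEKs, is
// unrecoverable. This is how crypto-shredding of retired data works.
func (ks *KeyStore) DestroyKEK(id string) {
	if kek, ok := ks.keks[id]; ok {
		zero(kek)
		delete(ks.keks, id)
	}
}

func (ks *KeyStore) kek(id string) ([]byte, error) {
	kek, ok := ks.keks[id]
	if !ok {
		return nil, fmt.Errorf("KEK %q not found (destroyed or never provisioned)", id)
	}
	return kek, nil
}

// sealGCM encrypts with AES-GCM and returns nonce || ciphertext || tag.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any modification to the ciphertext or the AAD
// fails authentication and returns an error instead of garbage plaintext.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptedPAN is the record the application database stores.
type EncryptedPAN struct {
	KEKID      string // which KEK wraps the DEK; lets keys be rotated per batch
	WrappedDEK []byte // DEK sealed under the KEK
	Ciphertext []byte // PAN sealed under the DEK
}

// EncryptPAN generates a fresh 256-bit DEK per record, seals the PAN under it,
// wraps the DEK under the named KEK, and wipes the plaintext DEK afterwards.
func EncryptPAN(ks *KeyStore, kekID, pan string) (*EncryptedPAN, error) {
	kek, err := ks.kek(kekID)
	if err != nil {
		return nil, err
	}
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	defer zero(dek)
	ct, err := sealGCM(dek, []byte(pan), []byte(kekID))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(kek, dek, []byte(kekID))
	if err != nil {
		return nil, err
	}
	return &EncryptedPAN{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptPAN unwraps the DEK with the KEK from the key store, then opens the
// PAN. The KEK ID doubles as AAD so a wrapped DEK cannot be moved between KEKs.
func DecryptPAN(ks *KeyStore, e *EncryptedPAN) (string, error) {
	kek, err := ks.kek(e.KEKID)
	if err != nil {
		return "", err
	}
	dek, err := openGCM(kek, e.WrappedDEK, []byte(e.KEKID))
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	defer zero(dek)
	pan, err := openGCM(dek, e.Ciphertext, []byte(e.KEKID))
	if err != nil {
		return "", fmt.Errorf("decrypt PAN: %w", err)
	}
	return string(pan), nil
}

// MaskPAN renders the display form Requirement 3.4 permits by default: the
// BIN (first six digits) and last four, everything in between masked.
func MaskPAN(pan string) string {
	if len(pan) <= 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

func main() {
	const testPAN = "4111111111111111" // constructed test value, not a real card
	ks := NewKeyStore()
	if err := ks.GenerateKEK("kek-2024-q1"); err != nil {
		panic(err)
	}
	rec, err := EncryptPAN(ks, "kek-2024-q1", testPAN)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored as %s, %d ciphertext bytes, %d wrapped-DEK bytes\n",
		MaskPAN(testPAN), len(rec.Ciphertext), len(rec.WrappedDEK))
	pan, err := DecryptPAN(ks, rec)
	fmt.Println("round trip ok:", pan == testPAN, err)
	ks.DestroyKEK("kek-2024-q1")
	_, err = DecryptPAN(ks, rec)
	fmt.Println("after KEK destroyed:", err)
}
```

Two properties of the pattern are worth noticing. Because every record has its own DEK, rotating the KEK means re-wrapping a few hundred small keys rather than re-encrypting every PAN; and because the KEK ID is bound into the GCM associated data, an attacker who can edit the database cannot splice a wrapped DEK from one KEK onto another. In production the `KeyStore` calls become HSM or KMS wrap/unwrap operations, so the KEK never leaves the device, which is the separation Requirement 3.6 is after.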
Lastly, encryption is only partially effective if the software implementing it is outdated and leaves the door open to known vulnerabilities. Choosing strong encryption is half the battle; keeping systems current with security patches (Requirement 6) and running regular vulnerability scans and penetration tests (Requirement 11) ensures that unanticipated weaknesses, including a cryptographic library or TLS stack that has since been found flawed, are identified and remediated promptly.
Encryption Solutions to Meet PCI Compliance
The first step in keeping CHD secure is to define the cardholder data environment (CDE), the set of systems that store, process, or transmit cardholder data, and to segment it from the rest of the network so that every other system falls out of scope. A well-segmented CDE reduces the number of systems an assessment covers and gives companies greater control and flexibility over their payment stack. However, building and maintaining the necessary infrastructure and programs can require hundreds of thousands of dollars and months to implement and assess. Basis Theory provides the platform, infrastructure, and tools to secure cardholder data in minutes and without these costs and distractions.
As a PCI Level 1 compliant service provider, Basis Theory extends an independently assessed and approved CDE to customers. Combined with a suite of configurable tools, services, and tokens, companies can collect, secure, and share card data without bringing their own systems into scope. The vendor states that this approach allows companies to avoid the costs and distractions associated with 95% of the requirements in the Payment Card Industry Data Security Standard (PCI DSS) while retaining complete control over their cardholder data.