Protecting cardholder data in e-Commerce transactions

By Staff Writers
Sep 28, 2007 10:48 AM
Introduction

The cardholder data gathered during e-commerce transactions is commonly stored in databases which, over time, accumulate thousands of credit card accounts and become prime targets for fraud and theft.

With the rising incidence of threats to consumer data, and increasing requirements to protect that data, merchants must focus on their security infrastructure. Regulations have been implemented not only by the government, but by the credit card industry as well. Companies are compelled to prove their compliance with these regulations and will be held liable for their failure to do so.

Many of the world's largest companies, across industries including media, networking, financial services, pharmaceuticals, manufacturing and government, already use encryption to protect communications, intellectual property and digital identities.

Compliance Requirements
In an effort to protect consumers from the threats associated with e-commerce transactions, a wide array of regulations has been put in place.

Companies that conduct business online are feeling the pressure to comply with a common set of security requirements established by the major credit card companies, as well as governmental regulations to protect personal consumer information in general.

The Payment Card Industry (PCI) Data Security Standard was developed jointly by Visa and MasterCard, and is now maintained by the PCI Security Standards Council, to replace the card brands' separate programmes with one common set of security requirements. The standard organises twelve requirements under six control objectives:

Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy

Building a Foundation for Protection and Compliance
One of the fundamental security requirements defined by the payment card brands is the protection of cryptographic keys. PCI DSS requires that the keys used to protect stored cardholder data be protected against disclosure and misuse and that key-management procedures be documented and enforced, and the brands' PIN-security requirements go further and mandate tamper-resistant secure cryptographic devices. A Hardware Security Module (HSM) is the established way to meet these requirements, and there is no greater need for secure key management than in financial transactions such as Internet-based purchases and payments.

Keys are the core of encryption-based security. They are used to encrypt and decrypt data such as primary account numbers. Once an unauthorised person obtains the keys, whether the symmetric keys that encrypt stored card data or the private half of a key pair, every record protected by those keys is exposed, however strong the cipher. Protecting the keys is therefore inseparable from protecting the data.

Companies assume considerable risk when they store these keys in unsecured locations such as Web or database servers. Those hosts are exposed for many reasons: many users and processes have access to them, security updates lag, and, worst of all, a key kept on the database server sits beside the ciphertext it protects, so a single compromise or a stolen database dump yields both.

To achieve the highest level of protection, companies must combine physical security with comprehensive key management. The hardware on which keys are stored must be tamper-resistant, so that a physical attack destroys the keys rather than revealing them. Operational controls must enforce strict standards (separation of duties, dual control for administrative operations, audit logging) to prevent unauthorised access and administration. For optimal protection, keys should be held on a dedicated, centralised appliance that performs cryptographic operations on behalf of applications without ever releasing the master keys, so that application and database servers hold at most short-lived, per-record working keys.
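The separation described above (ciphertext on the database server, master key confined to a dedicated key-management device) is easiest to see in code. The Go program below is an added example written for this edition, not code from the article or from SafeNet. It stands in for the HSM with an in-process KeyService whose key-encryption key (KEK) never leaves the object; each stored card number is encrypted under its own data-encryption key (DEK), and only the DEK wrapped under the KEK is stored next to the ciphertext. AES-256-GCM is used for both wrapping and data encryption purely for self-containment (a real HSM would typically wrap with AES Key Wrap, RFC 3394, behind PKCS#11 or a vendor API). The names KeyService, StoreCard and RetrievePAN, the "dek-wrap" label and the PAN 4111111111111111 are this example's own constructions; the PAN is a well-known test number, not a real account.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randBytes returns n bytes from the OS CSPRNG; failure here is fatal.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aesGCM builds AES-256-GCM from a 32-byte key; every key here comes from randBytes(32).
func aesGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// KeyService stands in for the HSM (a hypothetical name for this example): the
// key-encryption key (KEK) lives only inside it and is never handed to callers.
type KeyService struct{ kek cipher.AEAD }

// NewKeyService generates a fresh 256-bit KEK inside the service.
func NewKeyService() *KeyService { return &KeyService{kek: aesGCM(randBytes(32))} }

// Wrap encrypts a per-record data-encryption key (DEK) under the KEK. AES-GCM is
// the wrapping mode here for self-containment; an HSM would use AES Key Wrap.
func (k *KeyService) Wrap(dek []byte) []byte {
	nonce := randBytes(k.kek.NonceSize())
	return k.kek.Seal(nonce, nonce, dek, []byte("dek-wrap")) // nonce || ct || tag
}

// Unwrap fails if the blob was wrapped under another KEK or has been altered.
func (k *KeyService) Unwrap(blob []byte) ([]byte, error) {
	n := k.kek.NonceSize()
	if len(blob) < n {
		return nil, errors.New("wrapped key too short")
	}
	return k.kek.Open(nil, blob[:n], blob[n:], []byte("dek-wrap"))
}

// CardRecord is what the database holds; nothing in it decrypts without the KEK.
type CardRecord struct {
	WrappedDEK []byte
	Ciphertext []byte // nonce || AES-256-GCM(PAN) || tag
}

// StoreCard encrypts a PAN under a fresh DEK and wraps that DEK via the key
// service, so the database server never stores a key that decrypts anything.
func StoreCard(ks *KeyService, pan string) *CardRecord {
	dek := randBytes(32)
	aead := aesGCM(dek)
	nonce := randBytes(aead.NonceSize())
	return &CardRecord{
		WrappedDEK: ks.Wrap(dek),
		Ciphertext: aead.Seal(nonce, nonce, []byte(pan), nil),
	}
}

// RetrievePAN is the authorised path; without KEK access the unwrap already fails.
func RetrievePAN(ks *KeyService, rec *CardRecord) (string, error) {
	dek, err := ks.Unwrap(rec.WrappedDEK)
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	aead := aesGCM(dek)
	n := aead.NonceSize()
	if len(rec.Ciphertext) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := aead.Open(nil, rec.Ciphertext[:n], rec.Ciphertext[n:], nil)
	if err != nil {
		return "", fmt.Errorf("decrypt PAN: %w", err)
	}
	return string(pt), nil
}

func main() {
	ks := NewKeyService()
	const testPAN = "4111111111111111" // constructed test number, not a real account
	rec := StoreCard(ks, testPAN)
	pan, err := RetrievePAN(ks, rec)
	fmt.Println("authorised path:", pan, err)
	// A database dump yields the record but not the KEK: a key service holding a
	// different KEK cannot unwrap the DEK, so decryption never even starts.
	_, err = RetrievePAN(NewKeyService(), rec)
	fmt.Println("attacker with dump but no HSM:", err)
}
```

The point of the two calls in main is the asymmetry: the same CardRecord round-trips through the KeyService that wrapped it, but a party holding only the record (the situation after a database theft) gets an authentication failure at the unwrap step and never reaches the card number. The per-record DEK also limits blast radius and makes key rotation a matter of re-wrapping DEKs rather than re-encrypting every row.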

Summary
With the steady rise in data theft, and the growing number of regulations protecting consumers' private information, businesses are compelled to implement stringent measures to protect their customers' sensitive data. These measures govern not only how the data is protected, but how that protection is managed.

The card brands' rules require merchants to encrypt cardholder data in transit across public networks and to protect it at rest. The keys are what make that encryption meaningful, so only through comprehensive key management is the full benefit of encryption realised.

HSMs package practices developed through extensive operational experience, in hardware, software and procedures, so that key protection of this standard can be deployed without each merchant having to build it from scratch.

By Vince Lee, Regional Manager, SafeNet Australia and New Zealand