Protecting Credit Card Data with PCI DSS 3.1 and EMV – Now I Can Rest Easy! (NOT!!!!)
Two major events for organizations that process Credit Card information happened this year. The Security Standards Council released Version 3.1 of the PCI DSS and the EMV chip standard (created by Europay, MasterCard, and Visa, hence the acronym) is being rolled out to a much wider base.
PCI DSS version 3.1 addresses vulnerabilities within the Secure Sockets Layer (SSL) encryption protocol and includes several clarifications, such as:

- Storage of sensitive authentication data is not permitted “after authorization”.
- Where hashed and truncated versions of the same PAN are present in an organization’s environment, additional controls must be in place to ensure that they cannot be correlated to reconstruct the original PAN.

EMV is unlike a traditional credit card, which stores its information on a magnetic stripe that must be swiped. An EMV card has intelligence embedded within a chip that also stores cardholder data. This greatly decreases the risk for those accepting payments in person. It is a tremendous advance in protection for face-to-face transactions, but it does not lessen the need for PCI DSS compliance: it has no effect on the security of the data that is being stored or transmitted. An organization that relied on EMV alone would still leave cardholder data open for exploitation.

All PCI DSS requirements are designed, at least in part, to protect cardholder data. Organizations that accept payment cards often store cardholder data intentionally, but there may also be instances where cardholder data is stored unknowingly. PCI DSS requires these organizations to keep cardholder data storage to a minimum and to mask or otherwise protect personal information. This includes instances where an organization outsources processing or uses independent contractors: the organization remains responsible for ensuring that the third parties abide by PCI DSS requirements on its behalf, and if a third-party contractor fails to comply, the payment card companies may still hold the organization responsible.

Both PCI DSS and EMV give organizations additional help in protecting cardholder data, and together they establish a base or minimum set of requirements for us to meet. We still cannot rest, though.
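The 3.1 clarification on hashed and truncated PANs is easy to see in code. What follows is an added example, not code from the original post or from the PCI SSC; the 16-digit sample PAN and the tokenization key are constructed. `count_candidates` measures how few full PANs are consistent with a masked value, which is why an unkeyed hash stored beside the masked form is effectively reversible and why a keyed hash (HMAC under a secret key) is the usual additional control.

```python
import hashlib
import hmac
import secrets

# Luhn doubling of one digit, already reduced (2*d, minus 9 when above 9).
LUHN_DOUBLE = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]

# Constructed sample values, not real card data. A real tokenization key
# lives in an HSM or key-management service, never beside the data.
SAMPLE_PAN = "4111111111111111"
TOKEN_KEY = secrets.token_bytes(32)


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        total += LUHN_DOUBLE[d] if i % 2 else d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display masking: at most first six and last four digits shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_pan_hash(pan: str) -> str:
    """Bare SHA-256 of the PAN: anyone holding the masked form can test candidates."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: candidates cannot be tested without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def count_candidates(masked: str) -> int:
    """Number of Luhn-valid PANs consistent with a masked value.

    Counted by dynamic programming over the hidden ('*') positions rather than
    enumeration, so it is instant for any PAN length. The result is the size of
    the search space an unkeyed hash of the same PAN can be checked against.
    """
    known = 0
    ways = [1] + [0] * 9  # ways[r]: hidden assignments whose Luhn sum is r mod 10
    for i, ch in enumerate(reversed(masked)):
        if ch != "*":
            known += LUHN_DOUBLE[int(ch)] if i % 2 else int(ch)
            continue
        nxt = [0] * 10
        for r in range(10):
            for d in range(10):
                nxt[(r + (LUHN_DOUBLE[d] if i % 2 else d)) % 10] += ways[r]
        ways = nxt
    return ways[(-known) % 10]
```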
There is still a lot of data out there that is unprotected, and much of it is unknown even to our own organizations. We have to find where these risks are and create a plan to address them before a breach is what reveals them to us.
Information Security Specialist