
Ensuring Compliance with Credit Card Security Policies

Merchants, payment processors, and any other vendors that handle cardholder data must adhere to strict policies for keeping that data secure at all times. Whether they work with American Express, Discover, MasterCard, Visa, or another card brand, these organizations must comply with the Payment Card Industry (PCI) Data Security Standard, and they face steep penalties, including fines and lost business, if sensitive account data is stolen.

Ingrian Networks® offers a solution for meeting the PCI requirements on protecting stored data within the enterprise, and so for keeping cardholder data secure.

To learn more, we encourage you to view the following documents:

Achieving Data Privacy with Ingrian

Ingrian DataSecure® Platforms encrypt sensitive data in databases and applications. They provide granular (field-level) encryption, integration with existing applications, and centralized management of keys and security policy, which lets an organization reduce its exposure to data theft with limited changes to the applications themselves. With DataSecure, enterprises can secure the data that matters most to their business, including credit card numbers, social security numbers, and other personally identifiable records.

Following are a few key areas of credit card vendor security requirements and an overview of how Ingrian addresses them.

Protecting Data Privacy with Comprehensive Encryption

Encrypting sensitive data at rest is one of the keys to achieving compliance with credit card security policies. According to the PCI guidelines, here’s why:

“Encryption is the ultimate protection mechanism because even if someone breaks through all other protection mechanisms and gains access to encrypted data, they will not be able to read the data without further breaking the encryption. This is an illustration of the defense in depth principle.”1

Each of the card brands’ programs offers specific guidance on encryption, and in particular on encryption of data at rest. For example, American Express states that processors must “Encrypt all stored payment data using triple DES encryption.”2 MasterCard’s E-commerce Self-Assessment Requirements include a section on database security, stating:

“Applications and databases must store all sensitive cardholder details in an encrypted form. The keys used to encrypt the data must be of sufficient strength, based on current industry standards, such as 128-bit triple Data Encryption Standard (DES) or other algorithm.”3

Visa’s CISP rules mandate that passwords be encrypted and that stored cardholder data be rendered unreadable by one of the following:

“one-way cipher (hash indexes) such as SHA-1 (not MD5), Truncation, Simple ciphers, index tokens and PADS, strong cryptography such as PGP or Triple-DES with associated key management processes and procedures.”4

Finally, Discover mandates that “Card data that is stored and/or transmitted must be done so in an encrypted fashion.”5

DataSecure® platforms provide granular, field-level encryption, so an organization can select and protect specific data items, such as credit card or account numbers, rather than whole files or volumes. DataSecure supports a range of encryption algorithms, including Triple-DES, RSA, and AES.
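As an added illustration (this is not Ingrian’s code and does not describe how DataSecure works internally), the following Go program shows what field-level encryption of a card number looks like in practice: the primary account number (PAN) is Luhn-checked, encrypted with AES-256-GCM (AES is one of the algorithms named above; it is used here in an authenticated mode rather than Triple-DES, which NIST has since deprecated), and stored alongside only its last four digits, the truncation that the Visa questionnaire above lists as an alternative. The key, key identifier, and sample card number are constructed for the example; in a real deployment the key would be held on the key-management server and never embedded in the application.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// EncryptedPAN is the stored form of a field-level encrypted primary account number (PAN).
type EncryptedPAN struct {
	KeyID      string // key version that produced the ciphertext (for rotation)
	Ciphertext string // base64(nonce || AES-GCM ciphertext || tag)
	Last4      string // truncated PAN for receipts and screens
}

// luhnValid reports whether pan is 12-19 digits passing the Luhn checksum.
func luhnValid(pan string) bool {
	if len(pan) < 12 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptPAN strips separators, validates the PAN and encrypts it under a fresh random
// nonce. The key ID is bound as additional authenticated data, so a stored ciphertext
// cannot later be relabelled as belonging to another key.
func encryptPAN(key []byte, keyID, rawPAN string) (EncryptedPAN, error) {
	pan := strings.NewReplacer(" ", "", "-", "").Replace(rawPAN)
	if !luhnValid(pan) {
		return EncryptedPAN{}, fmt.Errorf("not a valid PAN")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return EncryptedPAN{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedPAN{}, err
	}
	blob := gcm.Seal(nonce, nonce, []byte(pan), []byte(keyID)) // nonce || ct || tag
	return EncryptedPAN{
		KeyID:      keyID,
		Ciphertext: base64.StdEncoding.EncodeToString(blob),
		Last4:      pan[len(pan)-4:],
	}, nil
}

// decryptPAN reverses encryptPAN; a tampered ciphertext or a changed key ID makes
// gcm.Open return an error rather than garbage.
func decryptPAN(key []byte, rec EncryptedPAN) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(rec.Ciphertext)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", fmt.Errorf("ciphertext too short")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(rec.KeyID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key
	rec, err := encryptPAN(key, "card-key-v1", "4111 1111 1111 1111") // constructed test PAN
	fmt.Printf("stored row: %+v (err=%v)\n", rec, err)
	pan, err := decryptPAN(key, rec)
	fmt.Println("recovered PAN:", pan, err)
}
```

Only the Ciphertext, KeyID and Last4 columns ever reach the database; the clear PAN exists in application memory for the duration of the call. Because the nonce is random per record, two identical card numbers produce different ciphertexts, which also means the encrypted column cannot be used for equality lookups; a separate keyed hash or token column is the usual answer when such lookups are needed.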

1 Payment Card Industry Data Security Standard
2 American Express Data Security Standards
3 MasterCard Security Standard Applicable to Merchants and Member Service Providers, April 2003
4 Visa Cardholder Information Security Program Compliance Questionnaire
5 Discover DISC Program