Learn how to protect stored and transmitted card data.
|By: George Mateaki|
These are all questions that can be related to PCI Requirement 4.
This requirement covers secure data transmission, especially when doing it over open and public networks. Businesses should be aware of how their card data is transmitted and through which networks.
Here are some things to keep in mind when fulfilling PCI Requirement 4.
Keep track of your PANYou need to identify where you send cardholder data. Information like Primary Account Numbers (PAN) and magnetic stripe data should be stored securely and encrypted. Some common places PAN is sent include:
- Backup servers
- Third parties that store/handle PAN
- Outsourced management of systems
- Corporate offices
Stop using SSL/TLS where possibleThe PCI SSC released a policy that states you should transition from SSL to early TLS to secure versions of TLS by June 30, 2018.
If your business is using SSL/TLS, you should stop and update as soon as possible. These latest versions of web coding have several vulnerabilities. You should contact your terminal providers, gateways, service providers, and acquiring bank to see if the applications and devices you use have this encryption protocol. Applications that use SSL/TLS may include:
- Virtual payment terminals
- Back-office servers
- Web/application servers
- Upgrade to a current, secure version of TLS configured not to accept fallback to SSL or early TLS
- Encrypt data with strong cryptography before sending over SSL/early TLS (i.e., use field-level or application-level encryption to encrypt data prior to transmission)
- Set up a strongly-encrypted session first (e.g., IPsec tunnel), then send data over SSL within the secure tunnel
- Check firewall configurations to see if SSL can be blocked
- Check that all application and system patches are up-to-date
- Check and monitor systems to ID suspicious activity that may indicate a security issue
SEE ALSO: DROWN Attack and SSL: What You Need to Know
Additional tipsHere are a few other things to consider when fulfilling Requirement 4:
- Secure wireless network: make sure not just anyone can get into your wireless and make sure all endpoints are secure
- Update keys and certificates: make sure your security certificates are up to date and your encryption keys are also properly protected
- Work with your service providers: you want to ensure they are also following proper procedures to make sure your data is safe
- Train employees: make sure your employees are aware of what should be updated and what types of web encryption shouldn’t be used anymore
Need help getting PCI compliant? Let’s see how you’re doing so far!
George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.