15-12-2009, 06:53 PM
The Payment Card Industry Data Security Standard (PCI DSS for short) was developed by the credit card companies, including Visa, MasterCard, American Express, Discover and JCB, as a guideline to help merchants and transaction-processing companies prevent credit card fraud, cracking and various other security vulnerabilities and threats. Each founding member also recognizes the Qualified Security Assessors and Approved Scanning Vendors qualified by the PCI SSC to assess compliance with the PCI DSS.
Protect Stored Cardholder Data
The account information and the PAN must be rendered unreadable through one of:
- Hashed indexes
- Strong cryptography
- Index tokens and pads
- Truncation
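The following Python is an added example, not code from the original post, showing three of the four techniques listed above applied to constructed test PANs (these are well-known test numbers, not real accounts): truncation to the first six and last four digits, a hashed index keyed with a secret (a plain unkeyed hash of a 16-digit PAN is cheap to brute-force once the BIN and Luhn check digit are known), and an index-token vault that maps a random token back to the PAN. The vault, key and PAN values are assumptions made for the example; strong cryptography (AES) is omitted because the standard library has no AES.

```python
import hashlib
import hmac
import secrets

# Constructed sample PANs: standard test numbers, not real cardholder data.
SAMPLE_PANS = ["4111111111111111", "5500000000000004"]


def luhn_valid(pan: str) -> bool:
    """Luhn check, used only to reject obviously malformed input."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep only BIN (first six) and last four, mask the rest."""
    digits = pan.replace(" ", "")
    if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)):
        raise ValueError("not a well-formed PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hashed_index(pan: str, key: bytes) -> str:
    """Hashed index: a keyed one-way hash (HMAC-SHA256).

    The key is the secret; without it an attacker who obtains the index
    cannot enumerate the ~10^9 PANs sharing a BIN to recover the value.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Index tokens: a random token stands in for the PAN outside the vault.

    Hypothetical in-memory vault; a real one lives in the protected zone
    and is the only place the mapping token -> PAN exists.
    """

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}
        self._by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._by_pan:             # same PAN always yields same token
            return self._by_pan[pan]
        token = secrets.token_hex(8)        # random, carries no PAN information
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


if __name__ == "__main__":
    key = secrets.token_bytes(32)           # assumed: fetched from an HSM/KMS
    vault = TokenVault()
    for pan in SAMPLE_PANS:
        print(truncate_pan(pan), hashed_index(pan, key)[:16], vault.tokenize(pan))
```

The truncated form is what a receipt or support screen may show; the hashed index lets two records be matched as the same card without either side holding the PAN; the token is what downstream systems store.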
Encrypt transmission of cardholder data across open, public networks
Use the SSL, IPsec or TLS protocols to safeguard sensitive cardholder data during transmission over open networks.
To meet these requirements, companies conduct code reviews of all their web applications or install an application-level firewall. Traditional solutions suggest the use of an audit trail and logging. To prevent unauthorised reading of data, one can implement access control and block unauthorized users from reading the sensitive data, but the data remain available to the system administrators. Command-based encryption utilities only work with offline archives.
Modern proprietary systems protect encryption and digital-signing keys inside a hardware security module (HSM) against disclosure and duplication. They may encrypt data with NIST-certified AES, 3DES and DES algorithms and create digital signatures to assure data integrity. A digital signature prevents undetected alteration of the signed data and provides evidence when alteration occurs.
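As an added example (not code from the original post) covering the transmission and integrity points above: the first function builds a client TLS context that refuses SSL and TLS 1.0/1.1 and requires a verified certificate, which is the practical reading of "encrypt transmission across open networks" today; the second pair attaches an integrity tag to a cardholder record so that any alteration is detected. The tag uses HMAC-SHA256 as a stand-in for an HSM-backed digital signature, since the standard library has no asymmetric signing; the record fields and key are assumptions made for the example.

```python
import hashlib
import hmac
import json
import ssl


def make_client_context() -> ssl.SSLContext:
    """TLS context for sending cardholder data over an open network.

    create_default_context() already enables hostname checking and
    certificate verification; the minimum version is pinned explicitly so
    a downgrade to SSLv3/TLS 1.0/1.1 is refused even if defaults change.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def _canonical(record: dict) -> bytes:
    # Deterministic serialisation: the same fields always produce the same bytes,
    # so the tag does not depend on key order or whitespace.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record: dict, key: bytes) -> str:
    """Integrity tag over the record (HMAC stands in for an HSM signature)."""
    return hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes) -> bool:
    """Constant-time comparison: True only if no field was altered."""
    return hmac.compare_digest(sign_record(record, key), tag)


if __name__ == "__main__":
    key = b"\x01" * 32                       # assumed: held inside the HSM in practice
    # Constructed record: the PAN is already a token, never the clear PAN.
    record = {"token": "3f9a1c77b2e04d15", "amount": "42.00", "currency": "EUR"}
    tag = sign_record(record, key)
    print("valid:", verify_record(record, tag, key))
    record["amount"] = "4200.00"             # tampering after signing
    print("after alteration:", verify_record(record, tag, key))
    print("min TLS:", make_client_context().minimum_version)
```

The tag travels with the record; the receiving side recomputes it with the shared key (or, with a real signature, the signer's public key) and rejects the record on mismatch, which is the "evidence of alteration" the text refers to.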