PCI DSS
PCI DSS applies wherever account data is stored, processed or transmitted.
Account Data consists of Cardholder Data and Sensitive Authentication Data. The Primary Account Number (PAN), a component of Cardholder Data, is the defining factor in the applicability of PCI DSS requirements.
Cardholder Data includes: Primary Account Number (PAN), Cardholder Name, Expiration Date, Service Code. Sensitive Authentication Data includes: full magnetic stripe data or equivalent on a chip, CAV2/CVC2/CVV2/CID, PINs/PIN blocks.
Requirement 3.2 bars storage of Sensitive Authentication Data. Requirements 3.3 and 3.4 apply to the Primary Account Number (PAN).
Penalties:
Some state laws allow banks to recover costs and damages from retailers and credit card processors that suffer data breaches resulting from a failure to comply with PCI standards.
KOMpliance and PCI DSS Security Standards Requirements
| Standard | Summary of Requirements | Solutions |
|---|---|---|
| Protect stored cardholder data | Requirement 3.1.1 - Implement a data retention and disposal policy that includes: | KOMworx® and KOMpliance® Solution: Policy-based data retention and disposal rules enable compliance with PCI 2.0 DSS Requirement 3.1.1. Retention periods are configurable for individual data types. You are notified when configured retention periods expire. Secure Data Shredding prevents any possibility of deleted data being recovered. |
| Render Primary Account Number (PAN) unreadable anywhere it is stored | Requirement 3.4 - Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: PCI DSS Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity's environment, additional controls should be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN. | KOMworx® and KOMpliance® Solution: AES-256 block cipher encryption exceeds PCI DSS (AES-128) specification for strong cryptography. |
| Restrict physical access to cardholder data | Requirement 9.5 - Store media back-ups in a secure location, preferably an off-site facility, such as an alternate or back-up site, or a commercial storage facility. | KOMworx® and KOMpliance® Solution: Files protected with eWORM++ are written and stored on hard disk while backup archive copies are automatically and concurrently written to and maintained on write-once WORM storage devices. These devices can be located on-site and at remote locations. |
| Destroy media when it is no longer needed for business or legal reasons | Requirement 9.10.2 - Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed. | KOMworx® and KOMpliance® Solution: Secure Data Shredding ensures that cardholder data cannot be recovered once it is deleted. |
| Secure audit trails so they cannot be altered | Requirement 10.5 - Secure audit trails so they cannot be altered. 10.5.2 - Protect audit trail files from unauthorized modifications. 10.5.3 - Promptly back up audit trail files to a centralized log server or media that is difficult to alter. 10.5.5 - Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). | KOMworx® and KOMpliance® Solution: The creation and logging of the audit information is the sole responsibility of third-party applications. The solution supports data replication and duplication to duplicate media. The file creation and modification dates are readily accessible and can be easily audited to validate and confirm when the data was entered into the volume. All audit information committed to the archive volumes will be retained according to the assigned retention policies. |
| Retain audit trail history | Requirement 10.7 - Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up). | KOMworx® and KOMpliance® Solution: All audit information committed to the archive volumes will be retained according to the assigned retention policies. |
Additional Information:
https://www.pcisecuritystandards.org/
Copyright © 2013, KOM Networks, Inc.

