Payment Card Industry Data Security Standards
The Payment Card Industry Data Security Standard (PCI DSS) is a set of industry-mandated security requirements for credit and debit card transaction processing. PCI DSS applies to stores, online retailers, and other organizations, and covers a broad range of security topics including network configuration, data protection, internal control, and policy development.
A council composed of major credit card corporations is responsible for maintaining PCI DSS requirements. While compliance is not mandated by United States federal law, some state laws require that payment processors comply with PCI DSS or similar standards.
Any organization that processes credit or debit card transactions, or that transmits or stores any form of cardholder data, is required to comply with PCI DSS. Specific obligations can vary based on an organization’s transaction volumes. Merchants processing several million transactions per year, for example, are subject to more frequent and more rigorous compliance assessments than smaller merchants. However, all organizations must meet high standards for protection of cardholder data:
- PCI DSS Requirement 3.4 states that an account number should be rendered “at a minimum, unreadable anywhere it is stored.” The requirement emphasizes that encryption is a critical component of cardholder data protection and that strong cryptography with key management is recommended."
- Requirement 4.1 states that strong cryptography should be used to “safeguard sensitive cardholder data during transmission over open, public networks.”
- Requirement 4.2 states that cardholder data should never be sent in an unencrypted email.
Organizations that fail to meet PCI DSS requirements are subject to a range of penalties including fines, increased transaction fees, and cancellation of processing privileges.
Meet PCI DSS Requirements with Smartcrypt
PKWARE’s Smartcrypt platform allows organizations to protect cardholder data with strong encryption, satisfying several PCI DSS requirements.
Smartcrypt applies persistent data-level protection, using AES strong encryption (up to 256-bit) that exceeds PCI DSS requirements. Encrypted information remains unreadable by unauthorized users, even in the event of a security breach. With Smartcrypt, even the most sensitive information can be sent via open, public networks without additional layers of protection. Smartcrypt encryption meets the enhanced PCI DSS requirements for data transmission that took effect in July 2016.
The integration of ZIP compression with strong security not only ensures that information is secure, but it enables portability and efficient exchange of information across all major enterprise computing platforms.
PKWARE’s innovative Smartkey technology automatically generates, synchronizes, and exchanges encryption keys according to your organization’s security policies, making the process automatic for end users. Smartkeys can be managed using Smartcrypt’s administration console and can be stored on third-party dedicated key management appliances.