Different techniques available for protecting card data
The PCI DSS (Payment Card Industry Data Security Standard) has been one of the hottest topics in security for the past 15 years, driven by the rise of payment card fraud.
PCI DSS remains one of the more technical standards around, with 12 requirements covering all aspects of cardholder data security. In this post I want to focus on the requirement that concerns itself with protecting cardholder data: Requirement 3.
The heart of the PCI DSS standard has always been Requirement 3 (Protect stored cardholder data; retitled "Protect stored account data" in v4.0), which sets out how organisations must protect the primary account number (PAN) and related data wherever it is stored or displayed. Protection of cardholder data in transit over open, public networks is covered separately by Requirement 4.
In my own experience of handling many PCI DSS audits, this is the area where a lot of companies make mistakes when working with cardholder data.
PCI DSS is very clear about what you CAN and CANNOT store, and not following Requirement 3 can be the difference between a failed and a successful PCI audit.
PCI DSS Requirement 3 deals with the protection of cardholder data whether it is displayed on screens or printouts, or stored in files, databases, logs, backups, etc.
It provides several ways of accomplishing this, which are listed below:
- Masking
- Truncation
- One-way hashing
- Tokenization
- Encryption
Let's take a look at each of them below.
Masking is a method of concealing a segment of the primary account number (PAN), the card number itself, which is typically 16 digits long (PANs can be anywhere from 13 to 19 digits), when it is displayed or printed (for example on paper receipts, reports or computer screens). It is a display control, used where there is no business need to view the entire PAN.
Even if the full PAN is stored in the system, you can use masking to conceal digits at the point of display or printing. Under PCI DSS v3.2.1 the first six and the last four digits are the maximum that may be shown; v4.0 allows the BIN (up to the first eight digits) and the last four. Note that masking says nothing about what is stored: a masked value on screen can still be backed by a full PAN in the database.
Truncation, as the name says, simply removes a segment of the PAN so that the full number no longer exists in the record. This applies to PANs stored in files, databases or other storage and makes them unusable for future transactions. A truncated record may look the same as a masked display (first six and last four), but the difference is that the missing digits have been discarded rather than hidden.
Hashing refers to applying a one-way cryptographic function that turns a PAN into a fixed-length string, the "hash". You cannot reverse the hash back into the PAN, and the slightest change in the PAN yields a completely different hash, which makes it a good control for matching records and detecting changes.
Hashing is great for protecting stored PANs, but like truncation you cannot use the stored value for future transactions. One caveat a practitioner should keep in mind: the PAN space is small (the first six digits identify the issuer, the last digit is a Luhn check digit), so a plain, unkeyed hash of a PAN can be brute-forced offline; PCI DSS v4.0 (requirement 3.5.1.1) therefore requires hashes of PAN to be keyed cryptographic hashes.
NOTE: It is not allowed to store truncated and hashed versions of the same PAN within the environment unless you put additional controls in place to ensure the two cannot be correlated. This is because it is very easy for an attacker who obtains both to reconstruct the PAN: with the first six and last four digits known from the truncated copy, only six digits of a 16-digit PAN are unknown, and the Luhn check digit fixes one of them, so at most 100,000 candidate hashes need to be computed. This is a common mistake made when using truncation and hashing.
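To make the masking, truncation and hashing controls above concrete, here is an added example (it is not code from the original post) that implements each one and then demonstrates the reconstruction attack the note warns about: given a truncated copy and an unkeyed hash of the same PAN, the missing digits are recovered by brute force, while a keyed hash (HMAC-SHA256, shown as the mitigation) withstands the same search. The sample PAN is the Visa test number 4111111111111111, a constructed input and not a real card, and the function names are my own.

```python
import hashlib
import hmac
import itertools
from typing import Optional

# Constructed sample: the well-known Visa test number. It passes the Luhn
# check but is not a real card.
SAMPLE_PAN = "4111111111111111"

# Contribution of a "doubled" digit to the Luhn sum, and its inverse
# (the doubling map is a bijection on 0..9, so the inverse is well defined).
_DOUBLED = {d: d * 2 - 9 if d > 4 else d * 2 for d in range(10)}
_UNDOUBLED = {v: k for k, v in _DOUBLED.items()}


def _luhn_total(pan: str) -> int:
    """Luhn sum of a digit string: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        total += _DOUBLED[d] if i % 2 == 1 else d
    return total


def luhn_valid(pan: str) -> bool:
    """True if the PAN's last digit is a correct Luhn check digit."""
    return pan.isdigit() and _luhn_total(pan) % 10 == 0


def mask_pan(pan: str, first: int = 6, last: int = 4) -> str:
    """Masking: hide the middle digits for display or printing.

    The full PAN may still exist in storage; masking only controls what a
    screen, receipt or report shows.
    """
    if len(pan) <= first + last:
        raise ValueError("PAN too short to mask")
    return pan[:first] + "*" * (len(pan) - first - last) + pan[-last:]


def truncate_pan(pan: str, first: int = 6, last: int = 4) -> str:
    """Truncation: keep only the permitted segments and discard the rest.

    Unlike masking, the removed digits no longer exist anywhere in the
    record, so the stored value cannot be used for a future transaction.
    """
    if len(pan) <= first + last:
        raise ValueError("PAN too short to truncate")
    return pan[:first] + "X" * (len(pan) - first - last) + pan[-last:]


def hash_pan_unkeyed(pan: str) -> str:
    """Plain one-way hash of the PAN (no key), as described in the post."""
    return hashlib.sha256(pan.encode()).hexdigest()


def hash_pan_keyed(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256): without the key an attacker cannot
    test candidate PANs against the stored digest."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(truncated: str, digest: str) -> Optional[str]:
    """Reconstruct a PAN from its truncated form plus an unkeyed hash.

    Every digit except the 'X' positions is known. The PAN's last digit is a
    Luhn check digit, so one unknown digit is determined by the others: with
    six unknown digits only 10**5 candidates have to be hashed. Returns None
    when nothing matches, which is what happens against a keyed hash.
    """
    unknown = [i for i, ch in enumerate(truncated) if ch == "X"]
    if not unknown:
        return truncated if hash_pan_unkeyed(truncated) == digest else None
    free, solved = unknown[:-1], unknown[-1]
    solved_is_doubled = (len(truncated) - 1 - solved) % 2 == 1
    digits = list(truncated)
    for combo in itertools.product("0123456789", repeat=len(free)):
        for pos, ch in zip(free, combo):
            digits[pos] = ch
        digits[solved] = "0"
        # The solved digit must contribute exactly enough to make the sum a multiple of 10.
        need = (-_luhn_total("".join(digits))) % 10
        digits[solved] = str(_UNDOUBLED[need] if solved_is_doubled else need)
        candidate = "".join(digits)
        if hash_pan_unkeyed(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    trunc = truncate_pan(SAMPLE_PAN)
    print("masked:   ", mask_pan(SAMPLE_PAN))
    print("truncated:", trunc)
    print("recovered from unkeyed hash:", recover_pan(trunc, hash_pan_unkeyed(SAMPLE_PAN)))
    print("recovered from keyed hash:  ", recover_pan(trunc, hash_pan_keyed(SAMPLE_PAN, b"secret")))
```

The attack function is general for any PAN length and any truncation pattern; the only assumption is that the stored hash is an unkeyed hash of the full PAN. Note that even without a truncated copy, the issuer prefix and Luhn digit leave only about 10**9 candidates for a 16-digit PAN, which is still well within reach of an offline search, which is why the keyed variant is the one to deploy.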
Tokenization has become more and more popular over the years. It replaces the original PAN with a "token", usually an arbitrary 16-digit number with no relationship to the PAN. Preserving the original format means fewer changes to existing systems and easier migration to a tokenized environment.
The token can be mapped back to the original PAN, but only by the tokenization system (the token vault) that issued it; outside the vault the token has no value to an attacker. This is a great way to mitigate risk and reduce the scope of PCI compliance, since systems that hold only tokens no longer store cardholder data.
Additionally, since tokens can be "de-tokenized" by the vault, they can be stored and used for future transactions such as recurring billing or refunds.
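As an added example, not from the original post, the following is a minimal in-memory token vault that behaves as described: the token keeps the PAN's length and digit-only format, is chosen at random with no relationship to the PAN, can be mapped back only through the vault, and the same PAN maps to the same token so it can be reused for a later transaction. Class and function names are my own, and the sample PAN is the constructed Visa test number 4111111111111111.

```python
import secrets
from typing import Dict, Optional

# Constructed sample PAN (Visa test number), not a real card.
SAMPLE_PAN = "4111111111111111"


class TokenVault:
    """Minimal vault-based tokenization service (illustrative, in-memory).

    The token is a random digit string of the same length as the PAN so it
    fits existing card-number fields, but it is chosen independently of the
    PAN: there is nothing to compute or invert, only the vault's table links
    the two. In production the vault itself (and whatever protects the PANs
    inside it) stays in PCI DSS scope; systems that hold only tokens do not.
    """

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, issuing a fresh random one on first use."""
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("PAN must be 13 to 19 digits")
        existing = self._pan_to_token.get(pan)
        if existing is not None:
            # Multi-use token: the same PAN always gets the same token, so a
            # stored token can be used again for a later transaction.
            return existing
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            # Reject the (astronomically unlikely) collision with an existing
            # token or with a PAN already in the vault.
            if token not in self._token_to_pan and token not in self._pan_to_token:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only a caller with access to the vault can get the PAN back."""
        return self._token_to_pan.get(token)


def record_order(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What a merchant system outside the vault keeps: the token, never the PAN."""
    return {"token": vault.tokenize(pan), "amount_cents": amount_cents}


def pan_for_recurring_charge(vault: TokenVault, order: dict) -> str:
    """Only the payment flow with vault access swaps the token back for the PAN."""
    pan = vault.detokenize(order["token"])
    if pan is None:
        raise KeyError("unknown token")
    return pan


if __name__ == "__main__":
    vault = TokenVault()
    order = record_order(vault, SAMPLE_PAN, 1999)
    print("stored order record:", order)
    print("PAN recovered via vault:", pan_for_recurring_charge(vault, order))
    print("same PAN in an unrelated vault:", TokenVault().tokenize(SAMPLE_PAN))
```

Running the last line a few times shows the point of the comparison with encryption further down: two vaults given the same PAN produce unrelated tokens, because nothing about the token is derived from the PAN.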
Encryption, i.e. using a cryptographic key to transform the PAN into ciphertext and back again, is quite similar to tokenization in effect, with a few differences:
- It usually does not preserve the 16-digit format of a PAN (format-preserving encryption modes exist but are the exception), whereas a token usually does
- Encryption depends on a cryptographic key, and PCI DSS has specific key-management requirements (generation, storage, access, rotation) that must be followed
- The ciphertext is mathematically derived from the PAN and the key, so anyone who obtains the key can decrypt every stored PAN; a token has no such relationship to the PAN, and the only link between them is the vault's lookup table
What technique to use?
All of the above techniques are effective in their own right and should be chosen based on your company's business requirements and technology maturity. Each approach has its pros and cons, and the PCI DSS standard gives companies a lot of flexibility in how they protect cardholder data. Reach out to your auditors early on and assess what works for your environment and what does not.
Thanks for reading, and if you find this topic interesting, be sure to check out my discounted PCI DSS Masterclass.