Protecting cardholder data should be a top priority for any business, regardless of size or how young the organization is. This is particularly true given the increase in data privacy regulations and the market’s heightened focus on consumer data rights.
Keeping your cardholder data environment (CDE), which is anywhere cardholder data can be found, is an incredibly difficult, costly, and time-consuming endeavor. Doing so in a way that’s compliant with the Payment Card Industry Data Security Standard (PCI DSS) adds an additional layer of complexity to the process.
It’s not just becoming compliant that’s hard – maintaining your compliance status into the future is confusing, stressful, and expensive, often requiring unexpected resources.
That’s why savvy, forward-thinking companies are now opting for PCI DSS tokenization to secure PCI data in their CDE, as this flexible data protection approach can make attaining and keeping your PCI compliance much simpler, quicker, and less expensive.
What is considered PCI data?
Before we get into how to protect Payment Card Industry (PCI) data, let’s define what exactly it is. PCI data is any information stored within or on a payment card, including debit cards, credit cards, and prepaid cards. Payment cards are issued by one of the five major payment card brands that comprise the PCI Security Standards Council (SSC) – Visa, Discover, American Express, JCB International, and Mastercard.
There are two types of PCI data: cardholder data and sensitive authentication data (SAD).
According to the PCI SSC, cardholder data is defined as the payment card’s primary account number (PAN) alone, or the PAN alongside any of the following:
- Expiration date
- Cardholder name
- Service Code
Sensitive Authentication Data (SAD):
SAD is divided into two categories.
Magnetic-Stripe Data are the data components found on a payment card’s magnetic stripe, which employs secure cryptography to protect the data integrity on the magnetic stripe and show any modifications or counterfeiting. Magnetic-Stripe Data has a different label depending on the card brand:
- Mastercard refers to it as the card validation code (PAN CVC)
- JCB refers to it as the card authentication value (CAV)
- American Express refers to it as the card security code (CSC)
- Both Visa and Discover refer to it as the card verification value (CVV)
Printed Security Features include the four-digit unembossed number located above the PAN on American Express cards, as well as the three-digit number found in the signature panel on the back of Visa, Mastercard, JCB, and Discover cards. Printed Security Features are referred to differently by each card brand:
- Mastercard refers to it as card validation code 2 (PAN CVC2)
- JCB refers to it as card authentication value 2 (CAV2)
- Visa refers to it as card verification value 2 (CVV2)
- American Express and Discover both refer to it as card identification number (CID)
Defining the Cardholder Data Environment (CDE)
A CDE is made up of the processes, people, and systems that store, process, or transfer sensitive authentication data or cardholder data. If PCI data touches a location, or is seen by a person with access (including third parties), then it’s considered part of your CDE.
The PCI DSS spells out specific requirements for protecting PCI data found on all virtual and physical components within a CDE, including:
- Point-of-sale (POS) systems, like card readers, cash registers, payment terminals, or any other system that processes a customer’s PCI information.
- Network components such as firewalls, access points, routers, switches, security appliances, and network appliances.
- Servers including application servers, web servers, authentication servers, database servers, proxy servers, mail servers, domain name servers, and network time protocol servers.
- Third-party IT systems.
- Virtual components including virtual routers, virtual switches, virtual machines, virtual appliances, virtual desktops, hypervisors, and virtual applications.
- Any external and internal applications.
How does the PCI DSS deal with information residing in a CDE?
The data security standard was built by the PCI SSC to make sure that PCI data protection is both a priority and is being executed properly. The PCI DSS totals 12 requirements, which include several sub-requirements, and provides an overview of the necessary security controls that businesses must employ in order to obtain PCI DSS compliance.
Many of these requirements offer specific directions that businesses need to follow to secure their CDE. For more information about these requirements, check out the exact language used by the PCI SSC.
How to ensure your CDE is PCI compliant
Depending on how many payment card transactions your business handles each year, you will need a different level of PCI compliance, which is divided into four levels. PCI Level 1 is for the highest amount of transactions, and Level 4 is for the least.
Moreover, the size and scope of your CDE directly impact the level of risk a company is liable for when it comes to a data breach. The bigger a CDE, the more assets are included within the scope of PCI compliance – which will need to be protected.
The journey to securing and maintaining a PCI compliant CDE is incredibly complex and difficult, calling for team members with a special skill set to pull it off. Apart from the expertise needed, PCI compliance can also require considerable time and resources that many companies simply don’t have available.
Not only does it negatively impact your budget, it also keeps your team distracted from their core responsibilities – slowing the growth of your organization. Your team should be spending their valuable time developing new features and bringing your product to market, not worrying about the intricacies of each PCI compliance requirement.
Achieving compliance through outsourcing
It’s not easy to build very good security and compliance infrastructure by yourself, especially if you don’t have compliance professionals and engineers with the specific experience required to make it happen. That’s why data-driven, forward-thinking organizations opt to work with a tokenization provider, so they can offload their data protection burden to a trusted expert. Tokenization is a data security tool that ensures your raw, original sensitive data is kept safe while third parties only receive ‘tokens’ that represent the real data. Finding a tokenization provider is straightforward and typically much less expensive than going the do-it-yourself route to PCI data security, offering companies a chance to focus on scaling their business rather than distracting their teams with PCI DSS concerns.
You may also like: The Urgent Call to Increase Financial Services Cybersecurity