How do small companies typically store credit card numbers on their LANs? Are they kept in spreadsheets on NTFS-secured server drives, or are there applications that can be used to encrypt them and keep them safe?
This question hinges on the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS has specific rules for handling, storing, protecting and encrypting credit card data, regardless of a company's size.
PCI DSS is maintained by the PCI Security Standards Council, which was founded by five card brands: Visa, MasterCard, American Express, Discover and JCB. Non-compliance can lead to fines from the brands or, ultimately, to losing the ability to accept their cards. Because those five brands hold most of the market, being cut off by them effectively bars a business from accepting credit cards at all.
Compliance with PCI DSS is an industry obligation rather than a security procedure in its own right, but its requirements are a sound baseline for any company that handles card data.
PCI DSS Requirement 3, which covers the protection of stored cardholder data, is the section most relevant to storing card numbers, known in the standard as primary account numbers (PANs). Section 3.4 requires that the PAN be rendered unreadable anywhere it is stored, using one of four methods: strong one-way hash functions, truncation, index tokens and pads (with the pads stored securely), or strong cryptography with associated key-management processes and procedures.
Any of these can be delivered through full-disk encryption, file-level encryption or column-level database encryption, but in every case the PAN is the minimum element that must be protected. Other cardholder data (name, expiration date, service code) may be stored in the clear if it is otherwise protected, while sensitive authentication data (full magnetic-stripe contents, the CVV2/CVC2 code, PINs) may never be stored after authorization, encrypted or not (Requirement 3.2).
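As an added example, not code from the original article, here are three of the Section 3.4 methods in Go: a keyed one-way hash, strong cryptography (AES-256-GCM), and an index-token vault built on top of it. The function names, the in-memory map standing in for a vault on a separate host, the way the key is generated in main and the test card number are all assumptions of this example; truncation is left out because it is nothing more than keeping the first six and last four digits.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// HashPAN is a keyed one-way hash (HMAC-SHA256). A bare SHA-256 is not enough:
// with the BIN and last four known, few digits remain to guess, so a secret key must be involved.
func HashPAN(key []byte, pan string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(pan))
	return hex.EncodeToString(m.Sum(nil))
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN is the "strong cryptography" method: AES-256-GCM with a fresh
// random nonce prepended to the ciphertext.
func EncryptPAN(key []byte, pan string) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// DecryptPAN reverses EncryptPAN; GCM's authentication tag turns any tampering into an error.
func DecryptPAN(key, ct []byte) (string, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	if len(ct) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	return string(pt), err
}

// TokenVault is the "index token" method: the application keeps only a random token,
// and the vault (assumed to be a separate host holding its own key) maps it to the encrypted PAN.
type TokenVault struct {
	Key     []byte
	ByToken map[string][]byte
}

func (v *TokenVault) Tokenize(pan string) (string, error) {
	ct, err := EncryptPAN(v.Key, pan)
	if err != nil {
		return "", err
	}
	tok := make([]byte, 16)
	if _, err := rand.Read(tok); err != nil {
		return "", err
	}
	t := hex.EncodeToString(tok)
	v.ByToken[t] = ct
	return t, nil
}

func (v *TokenVault) Detokenize(tok string) (string, error) {
	ct, ok := v.ByToken[tok]
	if !ok {
		return "", errors.New("unknown token")
	}
	return DecryptPAN(v.Key, ct)
}

func main() {
	key := make([]byte, 32) // in production this comes from key management, never from beside the data
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	vault := &TokenVault{Key: key, ByToken: map[string][]byte{}}
	tok, _ := vault.Tokenize("4111111111111111") // constructed test number, not a real account
	back, _ := vault.Detokenize(tok)
	fmt.Println(tok, back, HashPAN(key, back)[:16])
}
```

The point of the vault is that a copy of the application's database yields only random tokens; the PAN can be recovered only by whoever holds both the vault mapping and the key, which is why the two belong on different systems from the data that references them.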
NTFS permissions on their own are an access control, not one of the Section 3.4 methods, so a spreadsheet of card numbers on an NTFS-secured share is not compliant by itself. If the share is protected with disk encryption instead, Section 3.4.1 adds a condition: logical access to the encrypted data must be managed independently of the native operating system access-control mechanisms, and decryption keys must not be tied to user accounts. In practice, a volume that unlocks for any local system or Active Directory account able to log on to the server does not qualify; the decryption step has to require something those accounts do not already have.
PCI DSS does not prescribe a particular algorithm. It requires "strong cryptography", which its glossary defines by algorithm and minimum key length, and concentrates on key handling in Sections 3.5 and 3.6: keys must be protected against disclosure, stored in as few places as possible, and generated, distributed, stored, rotated and retired under documented procedures, with split knowledge and dual control for manual key-management steps. Any free or commercial disk or file encryption tool can be used, provided it uses strong cryptography and its keys are managed this way.
Even so, PCI DSS allows "compensating controls" for companies that cannot render the PAN unreadable because of a legitimate technical or documented business constraint. A compensating control must meet the intent of the original requirement and be documented and validated during the assessment; the examples given for Requirement 3.4 include putting the cardholder data on its own network segment and restricting access to it by IP address, access controls or packet filtering by data type.
A small company that cannot encrypt card numbers can therefore attempt to stay compliant by isolating them. For spreadsheets on an NTFS-secured drive, that means the PANs must be segregated from the rest of the network and reachable only by the people and systems with a business need for them, with that restriction documented as a compensating control.
The complete standard, with more detail, is available from the PCI Security Standards Council website.
This was first published in February 2008