This month we move into a new area of focus for the PCI Data Security Standards, Protect Cardholder Data. This area of focus is comprised of two specific requirements from the card brands, and they are crucial to making sure that your cardholders’ data is secure.
The first requirement for protecting cardholder data is to Protect Stored Cardholder Data and in order to protect stored data, you first must know if you have any. There are two steps that can be incredibly helpful for any organization trying to determine if they have cardholder data stored on their network or machines.
Know Your Systems
The first step you will want to take is making sure you understand the systems that you use for processing payments and the role your Service Providers play. If you work with someone that touches your cardholders’ data, they are a Service Provider. Know exactly what data they touch and whether or not they store that information. The card brands all state that there are three pieces of information from a card that cannot be stored under any circumstance. These are the full contents of the magnetic stripe, the 3-digit security code referred to as CVV on the back of the card, and PINs, whether encrypted or not.
If you have bought a software application from a service provider so that you can process transactions on your computer or through another method, be sure that the application does not store any of those items at all. If they are stored, that information would be on your device, and you, not your Service Provider, would be on the hook. For more information on how that could play out, take a look at our post on Takeaways from the Target Breach.
Understanding the role that your Service Providers play allows you to better understand your responsibilities and how you interact with card data. You may even discover in this process that you have no interaction with card data at all and everything is handled by your Service Provider. If that is the case, it is likely that you can be placed into a questionnaire in which these questions do not apply and need not be answered.
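The quickest way to find out whether any of the forbidden items are sitting on your own machines is to look for them. As an added example that is not part of the original post, the Python script below scans a constructed log excerpt for full track 1 and track 2 data, labelled security codes, and Luhn-valid card numbers; the patterns, the label names and the sample log lines are assumptions for the example, and the card numbers are the usual test numbers.

```python
import re

# PCI DSS forbids storing full track data (ISO 7813 track 1/2 layouts) and security codes.
TRACK1_RE = re.compile(r'%B\d{13,19}\^[^^]{2,26}\^\d{4}')
TRACK2_RE = re.compile(r';\d{13,19}=\d{4}')
CVV_RE = re.compile(r'\b(?:cvv2?|cvc2?|csc|cid)\s*[:=]\s*\d{3,4}\b', re.IGNORECASE)
# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')

def luhn_ok(digits):
    """Luhn mod-10 check; filters invoice numbers and timestamps out of PAN hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Report PANs as first six / last four, the display form PCI DSS permits."""
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]

def scan_text(text):
    """Return (line_number, kind, evidence) tuples for each hit; PAN evidence is masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if TRACK1_RE.search(line):
            findings.append((lineno, 'track1', 'full track 1 data'))
        if TRACK2_RE.search(line):
            findings.append((lineno, 'track2', 'full track 2 data'))
        for _ in CVV_RE.finditer(line):
            findings.append((lineno, 'cvv', 'labelled security code'))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r'[ -]', '', m.group(0))
            if luhn_ok(digits):
                findings.append((lineno, 'pan', mask_pan(digits)))
    return findings

# Constructed application log excerpt (test card numbers, not real cardholder data).
SAMPLE_LOG = """\
2024-01-05 10:12:01 INFO order=1001 total=42.10 auth=OK
2024-01-05 10:12:02 DEBUG swipe raw=;4111111111111111=2512101123?
2024-01-05 10:13:10 DEBUG form pan=4111111111111111 cvv=123 exp=1225
2024-01-05 10:14:00 INFO invoice 1234567890123 shipped
2024-01-05 10:15:22 INFO refund card 5555 5555 5555 4444 amount=10.00
"""

if __name__ == '__main__':
    for lineno, kind, evidence in scan_text(SAMPLE_LOG):
        print(f'line {lineno}: {kind} ({evidence})')
```

Run it against exported database tables, application logs and backup directories; any track or CVV hit means the application is keeping data it must not, and that finding belongs in the conversation with your QSA.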
Double Check With the Experts
The second step you can take is to reach out to your Qualified Security Assessor and explain to them the way transactions run for your organization. If, as we mentioned above, you have no interaction whatsoever with card data and you never key in transactions for your cardholders, it is highly likely that your QSA will let you know you qualify for a different questionnaire which does not contain questions on this requirement.
If your organization does enter transactions for your cardholders, you can speak with your QSA about how your transactions are processed and what your Service Providers do for you. Your QSA will be able to guide you as to how you should answer the questions for this requirement based on the information that you are now equipped to give them, at which point you can say that you have successfully navigated the first requirement of Protecting Cardholder Data.
A Final Thought
Perhaps the most critical piece of PCI Compliance, across all of the areas of focus, is to understand the systems that run your transactions. Picking the right system can be a great help in limiting the scope of your PCI requirements. How you interact with that system can also contribute to this. If you want to understand this better, do a quick drawing. It does not have to be anything fancy, but it should show you every point of entry for a cardholder’s data. If your team enters card data for your donors or cardholders, draw a box and label it Virtual Terminal. If you swipe cards through an iPad device or terminal, draw a box for that. If you take cards online, draw a box for online and write down the name of the webpage where the full card number is entered. Be sure to note whether this is your webpage or a page provided by your service provider. This information is all very important to your organization, and knowing the process will make sure that your QSA can place you in the right set of security standards.
Next month we will move to the second requirement for Protecting Cardholder Data, which is focused on making sure that you Encrypt transmission of cardholder data across open, public networks.
If you have any questions about PCI that you would like to see covered, let us know! You can email us at firstname.lastname@example.org to share your thoughts or questions which we may then address here on our blog!