In the digital age, enhanced debit and credit card functionality has led to an increase in frauds and scams. Given the sensitivity of the information attached to consumers’ payment cards, the critical need to ensure their security from the time of production through every swipe at a retailer or input on an e-commerce website became apparent.
What is PCI DSS?
Visa introduced the first set of credit card security standards—the Cardholder Information Security Program (CISP)—in October 1999, and gave merchants until May 2001 to comply. Other payment card companies would follow suit. These standards created major difficulties for merchants because compliance regulations were different for all major payment card companies, and total compliance was both expensive and laborious.
To combat the rising levels of fraud and create a universal set of security-compliance standards, the five major payment card brands — Visa, MasterCard, American Express, Discover, and JCB — formed the Payment Card Industry Security Standards Council (PCI SSC) in 2004 and released the first set of unified standards to protect vital consumer information: the Payment Card Industry Data Security Standard (PCI DSS). Since its inception, the PCI DSS has undergone nine updates, the latest being version 3.2.1, released in May 2018.
Under the agreement’s terms, all entities that take part in transmitting or storing cardholder information must be PCI DSS-compliant. In addition to merchants and retail outlets, such entities include e-commerce sites, software as a service (SaaS) providers involved in payment gateways, financial institutions, and security printers. These regulations are intended to ensure that organizational policies regarding data retention, data disposal, and data security are effectively implemented and enforced.
It is important to understand that, although PCI DSS is not a law, the penalties for noncompliance can be quite steep. The PCI SSC does not impose penalties directly. Instead, the council reports regulation infractions to the payment card brands. In turn, they penalize the offending merchant’s acquiring financial institution, which then penalizes the offending merchant.
Data Covered Under PCI DSS
There are two types of data that fall under PCI DSS regulations on data storage: cardholder data and sensitive authentication data.
Cardholder data includes primary account numbers (PANs), cardholder name, card service code, and card expiration date. This data can only be stored while a merchant is waiting for a transaction to be authorized. Anytime the PAN is mobile, it must be encrypted; otherwise, it must be truncated to be unreadable (typically, only the first or last four digits will show when the PAN is static). This data may only be retained for five years, and must be examined quarterly during that time frame to ensure correct storage procedures are followed.
Sensitive authentication data is not to be stored by merchants at any time. This includes track 1 & 2 data contained within the magnetic stripe on the back of the card, CVV2, CVC2, CID and CAV2 codes (card verification codes), and PIN numbers. The only exception is information needed to complete a transaction, such as a PIN number or card verification code. In those instances, such information must be completely disposed of upon transaction completion.
Financial Institutions & PCI DSS
To remain PCI DSS-compliant, financial institutions must follow a strict set of norms to ensure Personally Identifiable Information (PII) is not compromised, including the following:
• Regularly facilitating controlled attempted breaches of the network and cardholder data environment (CDE), along with any systems connected to it;
• Performing quarterly checks for both authorized and unauthorized wireless access points; and
• Conducting white- and-black-box penetration testing on network and application layers anytime significant changes have been made (or at least once per year).
If any of the tests identify issues, the institution should immediately fix the issues and retest until all issues are resolved.
In addition to regular and rigorous testing, financial institutions are responsible for PCI DSS-compliance enforcement for their acquired merchants. They determine how merchants must verify compliance, and they are responsible for rectifying situations when acquired merchants are deemed to be in violation. The resulting fines are levied by the payment card companies on the financial institution, which then trickles the fine down to the merchant in a variety of ways, including special fees, increased processing and transaction fees, and monthly fees. If issues are not resolved, the financial institution could terminate its relationship with the offending merchant, and the merchant could forfeit its authorization to accept payment cards altogether.
Since PCI DSS compliance starts at card production and ends at card destruction, financial institutions must also account for the card-creation process, by which they must verify that their security printing process or vendor is also PCI DSS-compliant.
Security Printing & PCI DSS
Regardless of whether the facilities manufacturing payment cards or any part of the payment cards are associated with the financial institutions issuing the cards, they are subject to further PCI DSS regulations for maintaining the security of PII. Since a breach at one of these facilities could have severe consequences, both the electronic functions and physical premises must be secure to comply with the PCI DSS.
PII must always be securely encrypted during storage and transmission. The only exception is during the PII customization phase. During this time, the data is not to be on any public-facing network or connected to the internet in any way. Immediately after the information is entered, the data must be encrypted again, which absolutely must occur before reconnection to a network or the internet.
Any vendor handling PII must restrict access to a list of designated individuals who are authorized to enter sensitive cardholder data or access the ability to encrypt or decrypt PII. The vendor must also have a stipulated policy regarding any removable media containing PII. This media must be clearly labeled, stored in a secure location within the facility, and tracked during all movement. An authorized individual must oversee this function, and that person must not have the ability to decrypt any of the data within. When it is possible to delete the data on removable media, the media must be destroyed.
A Chief Information Security Officer (CISO) must be designated to oversee the vendor’s information technology security as well as to report the status of compliance and potential threats to executive management on a monthly basis. This person must also not complete tasks or responsibilities which they approve.
The CISO is responsible for approving network and firewall configurations, which must be in compliance with the PCI DSS regulations. This includes the documented flow of cardholder information from input to destruction (e.g., the stipulation that the system housing the cardholder information must be separate from any other vendor or internet networks and not housed on the same server rack).
Any remote access is restricted to the administrator of the network or system components. Quarterly external vulnerability scans must be completed by a PCI SSC- approved scanning vendor, and internal and external penetration tests must be performed annually and subsequent to any major infrastructure change. Any keys to the premises and sensitive areas must be well logged and accessible only to the designated key holders.
The vendor is also responsible for restricting and securing physical access to the premises. All non-emergency portals must always be locked or electronically controlled, and access must be controlled by a device such as a card reader or biometric scanner. All entrances and exits may allow only one person to enter or exit at a time; in addition, they must be contact-alarm monitored and reinforced to meet local fire and safety regulations. All exterior walls are required to be masonry block or a material of comparable strength, and any windows or doors must be protected against intrusion.
Employee-identification badges/access cards must never contain any logo or company information identifiable by an outside party. Employee access must be restricted to areas necessary for completion of their job functions.
A designated room or building for monitoring a CCTV security system must not be viewable from external locations. Backups of security tapes must be produced daily and kept for a minimum of 90 days. Additionally, if DVR is used, it must be housed in a designated security-equipment room with access restricted to authorized personnel.
A High Security Area (HSA) is any area where payment cards, their components, and/or PII are stored. Production and provisioning tasks are the only activities allowed in an HSA. These areas must also be outfitted with internal motion detectors. Personal items and electronics are absolutely prohibited from these areas. The only personal effects that may be brought inside an HSA are medication and tissues (provided they can be examined through their container).
All processes related to payment card production must be outlined in detail and ensure a traceable trail of possession and production for all cards and card components. Inventory must be thoroughly managed and accounted for, and no unnecessary material may be opened at any time.
All tipping foil reels containing PII must be completely shredded in-house, with dual oversight in an HSA. This should happen at least once per week.
All materials used in the mailing, packaging, and delivery processes must be regulated and inventoried. Wasted mailers must also be logged, as well as mailers completed and transferred to a mailing area. Envelopes containing payment cards should be nondescript and bear no company logos or references. GPS tracking must be in place for the mailers, and vehicle drivers must not have keys that allow access to the mailers being transported. A direct communication channel between the security control room (where movement is also being monitored) and the vehicle must be maintained. Two people must be in the delivery vehicle.
PCI DSS Regulations Regarding Data Destruction
For both paper and electronic data, a comprehensive strategy detailing how to store the media, how long to store it, and how to dispose of it is required for PCI DSS compliance. It is further required that data be destroyed such that it cannot be recreated. The DIN (Deutsches Institut für Normung—German Institute for Standardization) developed internationally recognized standards for data destruction, as outlined in DIN Standard 66399, now globally standardized to ISO/IEC 21964. Security levels of destruction for each form of data are divided into seven categories, with 1 being the least secure and 7 being the most secure.
According to DIN Standard 66399 (ISO/IEC 21964), paper should be disposed of or shredded to a minimum security level of P-4. Particle size should be less than or equal to 160mm2, with a width no greater than 6mm2.
In addition, hard drives should be disposed of at a security level of H-4 or greater. Maximum particle size should be 2000 mm2, rendering it impossible to reassemble the hard drive for data restoration, except by highly specialized machinery. If the hard drive is to be repurposed and retained, complete sanitation of the data to the point of no recovery must be verifiable.
Optical media, such as CDs or DVDs, should be reduced to a maximum particle size of 160mm2 (security level O-4, according to the DIN Standard 66399). Microfilm should be reduced to a level of F-4, or particles no larger than 2.5mm2. Electronic digital media devices, such as USB drives and memory cards, should be destroyed to a minimum level of E-4, which stipulates particles be no larger than 30mm2. Magnetic media, such as cassette tapes, floppy disks, or payment cards, should be destroyed to a minimum security level of T-4, according to DIN Standard 66399—meaning particles must be no larger than 160mm2.
A Quick Word About Metal Payment Cards
Destruction of payment cards is becoming more difficult with the recent release and surge in popularity of metal credit and debit cards. These cards function no differently than their plastic predecessors. They have only increased in number because they score “style points” with consumers. The only real difference is the virtual inability of consumers to shred metal payment cards. Rather than destroy the cards themselves, consumers must now arrange for the issuer to do so. Or use a disintegrator like the SEM Model DS-400 or 1012 Disintegrator.
Being PCI DSS compliant may not be a law, but it certainly is required for all merchants, financial institutions, and security printers. From creation to destruction, it is imperative that PII not be compromised at any point in the process. Be sure that any shredders you use destroy materials to the appropriate level so they cannot be reconstructed. Companies like SEM are very familiar with PCI DSS requirements and have the sophisticated shredding technology required for appropriate data destruction.