PCI Data Security Standard
The continuing stream of massive credit card data breaches at many high-profile organizations prompted the development of the Payment Card Industry Data Security Standard (PCI DSS), which standardizes how credit card data should be protected. Under the PCI DSS, a business or organization should be able to assure its customers that their credit card data, account information and transaction information are safe from hackers or any malicious system intrusion, whether from those outside the organization or from within:
- 24.8 percent of financial services institutions worldwide experienced external breaches within the past 12 months [1]
- 31.3 percent of these global institutions suffered internal breaches during the same time frame [1]
To achieve compliance with the PCI DSS, vendors and service providers must adhere to six major categories of requirements, comprising a total of 12 PCI-required controls that cover access management, network security, incident response, network monitoring and testing, and information security policies.
MyDiamo Helps Credit Card Issuers and Processors Comply with PCI DSS
MyDiamo enables credit card issuers and processors to ensure the confidentiality of customers' financial records and to secure the storage of protected data. MyDiamo utilizes not only encryption, but also access control, encryption/decryption privilege management, and auditing functions as features of its security mechanisms.
PCI DSS Requirements Related to Database Encryption
Requirement 3: Protect stored data
3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).
3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
* One-way hashes based on strong cryptography (hash must be of the entire PAN)
* Truncation (hashing cannot be used to replace the truncated segment of PAN)
* Index tokens and pads (pads must be securely stored)
* Strong cryptography with associated key-management processes and procedures
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 10: Track and monitor all access to network resources and cardholder data.
MyDiamo Provides:
Most solutions in the database encryption market provide file-level encryption, which can be applied independently of the DBMS type. However, file-level encryption cannot provide partial encryption of data. Even if you only need to protect part of the data, such as a PAN or social security number, you must encrypt the whole file.
On the other hand, MyDiamo provides column-level encryption using trusted standard encryption algorithms (AES, TDES, etc.). Column-level encryption provides context-aware encryption security. Also, since MyDiamo operates alongside the DBMS engine, it provides transparent encryption so that developers can make use of encryption without excessive application modifications. These features are what differentiate MyDiamo from other solutions.
MyDiamo provides one-way encryption (a keyed hash function), which helps you comply with Requirement 3.4. One-way encryption is the safest way to protect authentication data. MyDiamo can also support partial encryption, which helps you comply with Requirement 3.3. Partial encryption allows indexing without performance degradation even after encryption. MyDiamo's partial encryption feature is suitable for payment card industry data encryption, since data such as the PAN must be partially masked.
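As an added illustration of what Requirements 3.3 and 3.4 ask for (this is example code, not MyDiamo's implementation): a display mask that shows at most the first six and last four digits, and a keyed hash (HMAC-SHA256) computed over the entire PAN rather than a segment of it. The sample card number and key are constructed for the demo.

```python
# Added illustration (not MyDiamo code): PAN handling per PCI DSS 3.3 and 3.4.
import hashlib
import hmac
import re

# Constructed demo key. A real key belongs in a key-management system with the
# processes Requirement 3.4 refers to, never in source code.
DEMO_KEY = b"constructed-demo-key-do-not-use-in-production"


def _digits(pan: str) -> str:
    """Strip separators and validate the PAN length (13 to 19 digits)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return digits


def mask_pan(pan: str, lead: int = 6, trail: int = 4) -> str:
    """Req. 3.3: mask a PAN for display, showing at most first six / last four."""
    if not (0 <= lead <= 6 and 0 <= trail <= 4):
        raise ValueError("PCI DSS 3.3 allows at most the first six and last four digits")
    digits = _digits(pan)
    hidden = "*" * (len(digits) - lead - trail)
    return digits[:lead] + hidden + (digits[-trail:] if trail else "")


def keyed_hash_pan(pan: str, key: bytes) -> str:
    """Req. 3.4: one-way keyed hash over the ENTIRE PAN, hex-encoded.

    The hash covers every digit: hashing only the part that truncation removed
    would leave a short, easily guessed segment protected by the hash alone."""
    if len(key) < 32:
        raise ValueError("use a key of at least 256 bits")
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def pan_matches(pan: str, stored_hash: str, key: bytes) -> bool:
    """Check a presented PAN against a stored keyed hash in constant time."""
    return hmac.compare_digest(keyed_hash_pan(pan, key), stored_hash)


if __name__ == "__main__":
    sample = "4111 1111 1111 1111"  # constructed test number, not a real card
    print(mask_pan(sample))          # 411111******1111
    digest = keyed_hash_pan(sample, DEMO_KEY)
    print(digest, pan_matches(sample, digest, DEMO_KEY))
```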
Along with all of these encryption functions, MyDiamo also provides access control and audit functions for monitoring users who work with encrypted columns. These features help you comply with Requirements 8 and 10.
[1] 2012 DTTL Global Financial Services Industry Security Study