Sufficiently strong encryption remains a compliance necessity for nearly all companies that store, process, or transmit credit card data and payment information. These encryption rules are established by the Payment Card Industry (PCI) Data Security Standard (DSS). The PCI DSS requires these companies to protect cardholders’ sensitive information, including by using current cryptographic algorithms and security methods.
Read on to learn more about the PCI encryption requirements necessary for demonstrating compliance.
PCI DSS Encryption (v.3.2.1)
The most current version of the PCI DSS—v3.2.1—calls out protecting cardholders’ sensitive information under Requirement 3 and encrypting data transmitted across public networks in Requirement 4.
Complying with the PCI DSS encryption requirements means using sufficiently strong cryptographic algorithms, or other methods, that render primary account numbers (PANs) unreadable. Usually this is achieved with one of the following methods:
- One-way hash functions
- Index tokens and securely stored data pads
- Strong cryptography
What Constitutes Cardholders’ Sensitive Information?
Sensitive cardholder information includes Personally Identifiable Information (PII), such as names, addresses, and credit card numbers. Broadly, cardholder data refers to “any information printed, processed, transmitted or stored in any form on a payment card.”
The magnetic stripe located on the back of payment cards contains the digital version of cardholder data, as well as additional sensitive data used to authenticate the cardholder’s identity and authorize their transactions. Authentication data verifies the cardholder’s identity and authorization data permits the transaction.
PCI DSS Requirements 3 and 4
PCI DSS Requirements 3 and 4 are specified under the goal “protect cardholder data,” and their sub-requirements determine the encryption requirements companies must comply with whenever storing, processing, or transmitting cardholder data.
PCI Requirement 3
PCI DSS Requirement 3 states companies must protect stored card data.
Note that Requirement 3 doesn’t apply to your company if you don’t store card data. Not storing cardholder data provides inherently stronger protection against malicious activity, as no PII is present to steal.
Companies that store cardholder data should only do so for necessary business purposes. Storing any sensitive data located on a card’s magnetic stripe following a transaction’s authorization is strictly prohibited by the PCI DSS.
PCI DSS Requirement 3’s sub-requirements state:
- Requirement 3.1 – Companies must keep cardholder data storage and retention time to the minimum that business, legal, and regulatory requirements demand. Unnecessary data must be purged each quarter.
- Requirement 3.2 – Storing authentication data after a transaction has been authorized is strictly forbidden, even if the data is encrypted; sensitive authentication data must be rendered unrecoverable. Storing sensitive authentication data may be permitted if the company can provide a strong business justification, but that data must then be stored securely.
- Requirement 3.3 – When a PAN is displayed to company personnel who are not authorized to see the full number, no more than the first six and last four digits may be shown. However, note that Requirement 3.4 doesn’t override more stringent requirements governing any display of cardholder data.
- Requirement 3.4 – Stored PANs must be rendered unreadable wherever they reside, including on portable digital media, on backup media, in logs, and in data received or stored over Wi-Fi.
- Requirement 3.5 – Procedures that protect the keys used to encrypt cardholder data from disclosure or misuse must be implemented and documented.
- Requirement 3.6 – Cryptographic keys used to encrypt cardholder data must be secured with documented and practiced key management processes and procedures.
- Requirement 3.7 – Consistent security policies and operational procedures must be documented, actively followed, and known by all involved parties.
PCI Requirement 4
PCI DSS Requirement 4 states that companies must encrypt all cardholder data transmissions across public networks. Encryption keeps the cardholder data protected should a cybercriminal intercept it.
PCI DSS Requirement 4’s sub-requirements state:
- Requirement 4.1 – Companies must use strong cryptography and security protocols to protect sensitive cardholder data whenever it is transmitted over public networks, including the internet, wireless technologies, cellular technologies, and satellite transmissions. Companies must also ensure that any wireless networks used either to transmit cardholder data or to connect to cardholder data environments follow industry best practices for strong encryption of both authentication and transmission.
- Requirement 4.2 – Companies may not transmit unprotected PANs via end-user messaging technologies (e.g., SMS, email, instant messaging).
- Requirement 4.3 – Companies must ensure that all security policies and operational procedures relevant to cardholder data are correctly documented, implemented, and known to all affected parties.
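As an added illustration of Requirement 4.1 (not part of the original article), the Go code below places a weak TLS configuration beside a hardened one and audits both. The TLS 1.2 floor and the ECDHE-plus-AEAD cipher-suite allow-list are this example’s own assumptions about what “strong cryptography and security protocols” mean in practice; the weak configuration is constructed for contrast.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Allow-list assumed by this example: ECDHE key exchange with an AEAD cipher.
var acceptableSuites = map[uint16]bool{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: true,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: true,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:   true,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:   true,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:  true,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:    true,
}

// WeakConfig is a constructed legacy setting: early TLS plus RSA/RC4/CBC suites.
func WeakConfig() *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS10,
		CipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA, tls.TLS_RSA_WITH_AES_128_CBC_SHA},
	}
}

// HardenedConfig sets TLS 1.2 as the floor and offers only allow-listed suites
// (Go 1.17 and later ignore the order of this list).
func HardenedConfig() *tls.Config {
	suites := make([]uint16, 0, len(acceptableSuites))
	for id := range acceptableSuites {
		suites = append(suites, id)
	}
	return &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: suites}
}

// AuditConfig returns one finding per problem; an empty result means it passed.
func AuditConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.MinVersion == 0 {
		findings = append(findings, "MinVersion unset: the floor depends on the library default")
	} else if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, fmt.Sprintf("MinVersion 0x%04x permits SSL/early TLS", cfg.MinVersion))
	}
	for _, id := range cfg.CipherSuites {
		if !acceptableSuites[id] {
			findings = append(findings, "suite not on allow-list: "+tls.CipherSuiteName(id))
		}
	}
	return findings
}
```

Run AuditConfig against a server’s actual tls.Config during a compliance review; each string it returns is a setting to fix before the endpoint carries cardholder data.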
PCI DSS Encryption Practices for Compliant Data Storage
The PCI DSS encryption requirements specify four primary methods used to secure cardholder data during storage or transmission.
One-Way Hash Functions
One-way hash functions produce only an index value that is used to locate records within the databases where the sensitive data is securely stored; a hash used this way is also known as a hashed index. The “one-way” descriptor means that the hash is computationally infeasible to invert or reverse to recover the original value.
Truncation
Truncation refers to a stored value from which some segments have been permanently removed to protect the true value. Whereas masking hides part of the cardholder data when it is displayed (while the full value remains digitally accessible to authorized personnel), truncation changes the value that is actually stored.
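As an added example (not from the original article), the Go code below applies the techniques just described to one PAN: masking for display under Requirement 3.3, truncation of the stored value, and a one-way hash. Using a keyed hash (HMAC-SHA256) instead of a bare hash and the 13-to-19-digit validity rule are this example’s own choices; the sample PAN in the tests is a constructed test number.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// validatePAN accepts 13 to 19 ASCII digits (length rule assumed for this example).
func validatePAN(pan string) error {
	if len(pan) < 13 || len(pan) > 19 || strings.Trim(pan, "0123456789") != "" {
		return errors.New("PAN must be 13 to 19 digits")
	}
	return nil
}

// MaskPAN is the Requirement 3.3 display form: first six and last four only.
// The stored value is untouched; only what is shown changes.
func MaskPAN(pan string) (string, error) {
	if err := validatePAN(pan); err != nil {
		return "", err
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:], nil
}

// TruncatePAN drops the middle digits for good; only this form is kept at rest.
func TruncatePAN(pan string) (string, error) {
	masked, err := MaskPAN(pan)
	return strings.ReplaceAll(masked, "*", ""), err
}

// HashPAN is a keyed one-way hash (HMAC-SHA256). An unkeyed hash stored beside
// a truncated copy can be enumerated, since few digits remain unknown; the key
// must be managed under the Requirement 3.5/3.6 controls and kept apart from the data.
func HashPAN(pan string, key []byte) (string, error) {
	if err := validatePAN(pan); err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(pan))
	return hex.EncodeToString(mac.Sum(nil)), nil
}
```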
Index Tokens and Stored Pads
Index tokens and stored pads combine the sensitive plaintext data with a one-time-use key to produce the stored value. The key may also be known as a “pad.”
Strong Cryptography
The PCI Security Standards Council (SSC) defines strong cryptography that meets its PCI DSS encryption requirements as “being based on industry-tested algorithms, along with key lengths that provide a minimum of 112-bits of effective key strength and proper key management practices.” Strong cryptography covers both reversible encryption and non-reversible, one-way hashing.
The SSC considers the following standards and algorithms as acceptable for meeting PCI DSS encryption requirements:
- AES (128 bit or higher)
- TDES/TDEA (i.e., the Triple Data Encryption Algorithm)
- RSA (2048 bits or higher)
- ECC (224 bits or higher)
- DSA/D-H (2048/224 bits or higher)
The PCI SSC glossary recommends visiting the National Institute of Standards and Technology (NIST) for more information on cryptographic key strengths and industry-accepted algorithms.
The Advanced Encryption Standard (AES), originally known as “Rijndael,” is a block cipher and NIST-accepted specification used to encrypt electronic data. AES was selected by the U.S. National Security Agency as providing sufficiently secure encryption for non-classified data and classified data up to the “SECRET” level. With widespread industry adoption and NIST approval, the use of AES meets PCI DSS encryption requirements.
As required in NIST’s original call for algorithms, AES is a symmetric-key block cipher that supports, at minimum, a 128-bit block size and key sizes of 128, 192, and 256 bits.
Meeting PCI DSS Encryption and Other Compliance Requirements
RSI Security helps companies spanning numerous industries demonstrate regulatory compliance, and PCI DSS is no exception. As an approved scanning vendor (ASV), we’re certified to test data security vulnerabilities and PCI Requirement compliance in companies subject to the DSS.
Here at RSI Security, we’ll provide the experience and knowledge necessary to help your company comply with PCI DSS encryption requirements. Contact us today to speak with RSI Security’s experts and ensure your cryptography algorithms meet PCI DSS specifications.