When visiting retailers, thieves and hackers are shopping for one thing – credit and debit card data they can resell on the black market. While the Payment Card Industry Data Security Standard (PCI DSS) outlines baseline protections, hackers continue to create and exploit vulnerabilities in point-of-sale (POS) and e-commerce payment processing systems. Despite the industry’s best efforts, high-profile breaches continue to occur.
So how do retailers protect their customers, reputations and profits? More importantly, how do they stay in compliance as PCI regulations tighten in response to new hacking techniques? When designing client solutions, we recommend following these four essential best practices to chart a simplified path to PCI compliance:
1. Flexible Encryption for POS Transactions
Even if payment card information isn’t stored locally on POS systems during processing, it is still sent out over the network for validation. Hackers routinely find ways to intercept it, which is why PCI regulations stipulate that data must be encrypted during transmission.
Because traditional methods modify data during the encryption process, companies must continuously adjust storage structures in order to accommodate the data’s new format. When PCI regulations change, retailers must modify infrastructure as well as their encryption keys. With an end-to-end encryption solution such as that offered by HPE SecureData, the access policy stays with the data as it travels. As a result, data formats, certificates and keys remain the same even when encryption is updated.
2. Site-wide Encryption for Ecommerce
As customers shop online, their data travels through a number of infrastructure elements – load balancers, web servers and more. Therefore, it’s important to ensure that it stays encrypted as it travels. HPE SecureData comes with Page Integrated Encryption (PIE) so retailers can embed site-wide encryption with a single API call.
3. Tokenization for Risk Reduction
By replacing payment data with identification symbols (tokens), another layer of security is added to the process. Whereas encryption masks the original data and then “unmasks” it at the decryption point, tokenization removes the data from the network altogether and in essence replaces it with a placeholder that is meaningless to a hacker. Better yet, tokenization minimizes the cost, management requirements and risks associated with PCI compliance. By reducing the amount of cardholder information stored from the start, companies can limit their exposure during a Qualified Security Assessor (QSA) audit. With HPE SecureData, retailers can enable encryption and tokenization from a single platform to simplify and speed administrative tasks.
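To make the tokenization idea concrete, and to show the format-preservation point from section 1 (the placeholder keeps the length and last four digits of the card number, so existing storage columns and receipt layouts do not change), here is a small token vault written as an added example. It is not HPE SecureData code or any vendor's API; the in-memory dictionaries, the HMAC index key, the `settlement` role policy and the sample card number are all constructed for illustration.

```python
import hashlib
import hmac
import re
import secrets

# Constructed in-memory stand-in for the token vault. In production the vault
# is a separate, access-controlled service inside the cardholder data
# environment; every system that stores only tokens drops out of that scope.
_VAULT = {}        # token -> PAN (the only place the real PAN lives)
_INDEX = {}        # HMAC(PAN) -> token, so the same card always gets the same token
_INDEX_KEY = secrets.token_bytes(32)   # assumed to live in an HSM/KMS in practice

_DETOKENIZE_ROLES = {"settlement"}     # assumed policy: only settlement may reverse a token


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def tokenize(pan: str) -> str:
    """Replace a PAN with a same-length, last-four-preserving placeholder."""
    if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
        raise ValueError("input is not a plausible card number")
    key = hmac.new(_INDEX_KEY, pan.encode(), hashlib.sha256).hexdigest()
    if key in _INDEX:                    # repeat customer: reuse the existing token
        return _INDEX[key]
    while True:
        # Random leading digits plus the real last four; the token has no
        # mathematical relationship to the PAN, so a stolen token reveals nothing.
        body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
        token = body + pan[-4:]
        # Reject candidates that happen to pass Luhn so a token can never be
        # mistaken for a real card number, and reject collisions with existing tokens.
        if not luhn_valid(token) and token not in _VAULT:
            break
    _VAULT[token] = pan
    _INDEX[key] = token
    return token


def detokenize(token: str, caller_role: str) -> str:
    """Return the PAN for a token, only for roles the policy allows."""
    if caller_role not in _DETOKENIZE_ROLES:
        raise PermissionError(f"role {caller_role!r} may not detokenize")
    return _VAULT[token]   # KeyError if the token is unknown


if __name__ == "__main__":
    sample_pan = "4111111111111111"   # constructed test number, not a real card
    t = tokenize(sample_pan)
    print("stored in order database:", t)
    print("sent to processor at settlement:", detokenize(t, "settlement"))
```

The order database, analytics jobs and customer-service screens only ever see the token; the one code path that needs the real number (settlement) has to call the vault with an authorized role, which is also the single place to log and audit. Because the token deliberately fails the Luhn check, a data-discovery scan during a QSA audit can tell tokens apart from real card numbers.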
4. Mitigation for Application Protection
Application weaknesses are one of the fastest, most effective paths hackers use to gain access to the data they covet. Patching and keeping applications updated is a start, but companies must also actively test applications for vulnerabilities, especially those developed in-house. Using tools such as HPE Fortify, retailers can continuously scan applications for new weaknesses identified by PCI.
While outdated security solutions provide a certain amount of protection in the near-term, they often create more complexity over the long run. As a Hewlett Packard Platinum Partner, we leverage state-of-the-art security solutions to create a more strategic, holistic program – one that both protects against a greater set of threats and easily adjusts when regulations change.
Need a more streamlined solution for managing PCI compliance? Contact us for a security assessment today.