Payment Card Industry Data Security Standard (PCI DSS) Auditing and Compliance

Any business that transmits, processes or stores cardholder data must comply with the PCI DSS. nCipher Security can help simplify the PCI DSS compliance and audit effort

Global Map

Mandate

Active now

PCI DSS Requirements

Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

nCipher can help organizations working with cardholder data comply with several aspects of PCI DSS compliance and auditing, including:

  • Protecting stored cardholder data;
  • Identifying and authenticating access to system components;
PCI DSS compliance requirements
Over 200 Tests against Six Core Principles

The PCI DSS standard (www.pcisecuritystandards.org) involves assessment against over 200 tests that fall into 12 general security areas representing six core principles. These PCI DSS tests span a wide variety of common security practices along with technologies such as encryption, key management, and other data protection techniques.

Risks Associated with PCI DSS Auditing and Compliance
  • Failure to comply with PCI DSS compliance requirements can result in fines, increased fees, or even the termination of your ability to process payment card transactions.
  • Complying with the PCI DSS cannot be considered in isolation; organizations are subject to multiple security mandates and data breach disclosure laws or regulations. On the other hand, PCI compliance projects can easily be side-tracked by broader enterprise security initiatives.
  • Guidance and recommendations linked to PCI DSS requirements include common practices that are likely to be already in place. However some aspects, specifically those associated with encryption, might be new to the organization and implementations can be disruptive, negatively impacting operational efficiency if not designed correctly.
  • Opportunities exist to reduce the scope of PCI DSS compliance obligations and therefore reduce cost and impact; however, organizations can waste time and money if they do not exercise care to ensure that new systems and processes will in fact be accepted as PCI DSS compliant.
Addressing Key Requirements of PCI DSS

Drawing on decades of experience helping banks and financial institutions comply with industry mandates, nCipher offers products and services that enable you to protect stored cardholder data, encrypt it for transfer, and restrict access on a need to know basis.

  • Protect cardholder data. nCipher works with leading mobile device payment acceptance (mPOS) solutions as well as leading payments data protection solutions to protect cardholder data and help ensure PCI DSS compliance. Merchant organizations also need to deploy network encryption and SSL/TLS encryption for protecting data in transit.
  • Implement strong access control measures. All data protection techniques go hand-in-hand with access controls. Cryptographic technologies such as PKI and digital certificates are widely used to go beyond password-grade security for authenticating users and systems. Furthermore, using nCipher HSMs to control access to data decryption keys means that data can be decrypted only a “need to know” basis.
  • Build and maintain a secure network. In addition to network level encryption, an essential component of network security is the strong authentication of network devices; digital credentials are increasingly employed at the device level to control network access and are an important security consideration for a corporate PKI.
  • Maintain a vulnerability management program. The rise of advanced persistent attacks that attempt to corrupt business applications by injecting malware has brought the use of digital signatures and code signing into focus as a way to prove the integrity and authenticity of business systems and application software.
  • Maintain an information security policy. PCI DSS places great emphasis on establishing a clear separation of duties between staff members to minimize the risk of insider attack. The use of cryptography provides a powerful mechanism to enforce this separation and for creating a trusted record of events to demonstrate compliance.

Brochure : nCipher HSM brochure

nShield HSMs provide a hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption and more. Available in three FIPS 140-2 certified form factors, nShield HSMs support a variety of deployment scenarios.

Download

Other key data protection and security regulations

GDPR

GDPR Thumbnail

Regulation

Active Now

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organisation that processes the personal data of EU citizens - regardless of where the organisation is headquartered.

Learn More

PCI DSS

GDPR Thumbnail

Mandate

Active Now

Any organisation that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Learn More
Contact a Compliance Specialist Contact Us
Read the Compliance and Regulations Solutions Handbook Read the eBook
Want to be part of our team? Explore
Get in contact with a specialist Contact Us