USING INTERSYSTEMS CACHÉ FOR SECURELY STORING CREDIT CARD DATA



Similar documents
The Relationship Between PCI, Encryption and Tokenization: What you need to know

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

Complying with PCI Data Security

AheevaCCS and the Payment Card Industry Data Security Standard

XTREMIO DATA AT REST ENCRYPTION

I n t e r S y S t e m S W h I t e P a P e r F O R H E A L T H C A R E IT E X E C U T I V E S. In accountable care

Achieving PCI Compliance with Postgres. Denish Patel Database Architect

Guide to Data Field Encryption

Introducing InterSystems DeepSee

I N T E R S Y S T E M S W H I T E P A P E R INTERSYSTEMS CACHÉ AS AN ALTERNATIVE TO IN-MEMORY DATABASES. David Kaaret InterSystems Corporation

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

SafeNet DataSecure vs. Native Oracle Encryption

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

Active AnAlytics: Driving informed Decisions leading to Better clinical AnD financial outcomes

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

Beyond PCI Checklists:

I N T E R S Y S T E M S W H I T E P A P E R ADVANCING SOA WITH AN EVENT-DRIVEN ARCHITECTURE

Reducing PCI DSS Scope with the TransArmor First Data TransArmor Solution

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

Payment Card Industry Data Security Standard

Appendix 1 Payment Card Industry Data Security Standards Program

Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance

Alliance Key Manager Solution Brief

University of Liverpool

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

PCI Data Security Standards (DSS)

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

White Paper On. PCI DSS Compliance And Voice Recording Implications

Understanding the Role of Hardware Data Encryption in EMV and P2PE from the CEO s Perspective

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Self-Encrypting Hard Disk Drives in the Data Center

paypoint implementation guide

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE

Cyber-Ark Software and the PCI Data Security Standard

BANKING SECURITY and COMPLIANCE

for BreaktHrougH HealtHcare SolutIonS

CACHÉ: FLEXIBLE, HIGH-PERFORMANCE PERSISTENCE FOR JAVA APPLICATIONS

SecureTrack. Securing Network Segments and Optimizing Permissive Rules with the Automatic Policy Generator.

Josiah Wilkinson Internal Security Assessor. Nationwide

Credit Card Security

Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review

Recurring Credit Card Billing

Accelerating PCI Compliance

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Payment Card Industry (PCI) Policy Manual. Network and Computer Services

Simplifying Payment Card Industry Compliance

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.1)

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0

PCI PA-DSS Requirements. For hardware vendors

PCI COMPLIANCE GUIDE For Merchants and Service Members

Information Technology

A8.700 TREASURY. This directive applies to all campuses of the University of Hawai i.

Achieving PCI Compliance Using F5 Products

PCI v2.0 Compliance for Wireless LAN

Healthcare Compliance Solutions

Payment Application Data Security Standard

PCI Data Security and Classification Standards Summary

Securing Data on Portable Media.

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6

Point Secure Commerce Application (SCA) 2.x PCI PA-DSS Out of Scope White Paper

Point-to-Point Encryption (P2PE)

Passing PCI Compliance How to Address the Application Security Mandates

Protecting Cardholder Data Throughout Your Enterprise While Reducing the Costs of PCI Compliance

Compliance and Security Challenges with Remote Administration

AUTOMATING AUDITS AND ENSURING CONTINUOUS COMPLIANCE WITH ALGOSEC

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

understanding SSL certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES

BMC BSM for PCI DSS Addressing PCI DSS File Integrity Monitoring SOLUTION WHITE PAPER

Vormetric and PCI Compliance in AWS A COALFIRE WHITE PAPER

A Whitepaper by Vesta Corporation. Payment Card Industry Data Security Standards (PCI DSS) and Mobile Operators: Trends and Implications

Tokenization Amplified XiIntercept. The ultimate PCI DSS cost & scope reduction mechanism

VESTA CORPORATION WHITEPAPER Payment Card Industry Data Security Standards (PCI DSS) and Mobile Operators: Trends and Implications

SQL Server Encryption Overview. September 2, 2015

Frequently Asked Questions

How To Achieve Pca Compliance With Redhat Enterprise Linux

5 TIPS TO PAY LESS FOR PCI COMPLIANCE

Meeting Technology Risk Management (TRM) Guidelines from the Monetary Authority of Singapore (MAS)

HOW INTERSYSTEMS TECHNOLOGY ENABLES BUSINESS INTELLIGENCE SOLUTIONS

A Standards-based Approach to IP Protection for HDLs

Thoughts on PCI DSS 3.0. September, 2014

The CIO s Guide to HIPAA Compliant Text Messaging

Benefits of Integrated Credit Card Processing Within Microsoft Dynamics GP. White Paper

PCI DSS Requirements - Security Controls and Processes

Credit Card Handling Security Standards

CyberSource Payment Security. with PCI DSS Tokenization Guidelines

Understanding SSL Certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

How To Reduce Pci Dss Scope

Oracle Database Security and Audit

Payment Card Industry Data Security Standard (PCI DSS)

Transcription:

USING INTERSYSTEMS CACHÉ FOR SECURELY STORING CREDIT CARD DATA Andreas Dieckow Principal Product Manager InterSystems Corporation

USING INTERSYSTEMS CACHÉ FOR SECURELY STORING CREDIT CARD DATA Introduction In today s world, an ever-increasing number of purchases and payments are being made by credit card. Although merchants and service providers who accept credit cards have an obligation to protect customers sensitive information, the software solutions they use may not support best practices for securing credit card information. To help combat this issue, a security standard for credit card information has been developed and is being widely adopted. The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of guidelines for securely handling credit card information. Among its provisions are recommendations for storing customer information in a database. This paper will outline how software vendors can take advantage of the InterSystems Caché database now and in the future to comply with data storage guidelines within the PCI DSS. Use cases for securing credit card information The best way to ensure the security of information within a database is not to persist (store) it at all. But obviously, enterprises that deal with credit card data must save some information, such as the cardholders names, Personal Account Numbers (PANs), expiration dates, and service codes. The PCI DSS recommends only persisting the minimum necessary amount of cardholder data. When cardholder data must be stored, the PCI DSS requires that (at a minimum) PANs be rendered unreadable in the database and in all journal logs. Exactly how PANs are secured may differ according to the use case. In general, use cases fall into one of two categories: when a credit card is being used purely for veri ication, and when it is being used to pay for goods or services. Using a credit card for veri ication When an application is designed to accept a credit card as a form of identi ication (for example, when someone uses their card to retrieve a record of their airline reservation) it is not necessary for a useable clear-text PAN to be stored at all. According to the PCI DSS, either hashing or truncation may be used to store a version of the PAN that is suf icient for veri ication purposes. Hashing Information is transformed according to a complex algorithm and only the transformed, or hashed, version is stored. The hashing algorithm only works one way it is impossible to uniquely determine the original information from the hashed version. For veri ication purposes, a hashed version of the PAN provided by the cardholder can be compared to the stored hash value. 1

Only a portion of the information is stored. For veri ication purposes, the PAN provided by the cardholder is truncated in the same way and compared to the stored value. In general, truncation provides weaker security than hashing. Using a credit card for payments Applications that accept credit card payments must have access to a usable PAN in order to process a transaction. According to the PCI DSS, there are three acceptable ways of handling PAN information. The PAN is not persisted (stored on disk) at all This scenario might occur, for instance, when someone makes a credit card purchase from an online vendor and checks out as a guest. The card holder must provide the complete PAN each time they make a purchase. The application will use the PAN in memory, but not persist it. (The PCI DSS includes guidelines for securing PANs and other sensitive information in transit, but that is beyond the scope of this paper.) Only a portion of the PAN is stored. The cardholder must provide the missing information that will allow the application to reassemble the PAN in memory. A useable PAN exists only in memory, not on disk. Encryption The PAN is transformed into cipher-text or clear-text according to a complex algorithm, using an encryption key, but only cipher-text is stored. Unlike hashing, encryption allows for two-way transformation. Using the encryption key, the application can decipher the PAN and use it (in memory) to process a credit card transaction. The PCI DSS calls for using strong encryption and re-encrypting information periodically. Also, encryption keys must not be stored in, or tied to, user accounts. How Caché currently enables secure data storage Caché offers a strong, consistent, and high-performance security structure for applications, and is certi ied by Common Criteria. Here is how the current release (Caché 2010) enables applications to securely store data such as PANs: Hashing Caché provides built-in access to several Secure Hash Algorithms (e.g. SHA-1) to hash data. Fully supported, and implemented as part of the application running inside Caché. Database encryption Caché implements the Advanced Encryption Standard (AES) algorithm. 2

With database encryption, the entire database is encrypted using one encryption key. Access to the key is managed by the system, so a user account (i.e., a process) does not hold the database encryption key. All information, including indexes, stored in an encrypted database is protected. Data element encryption Caché allows for individual pieces of information to be encrypted by offering developers access to the encryption suite. Data element encryption is often preferred to store sensitive information, like PANs, because it allows (with the correct provisioning) the re-encryption of data elements, without interruptions to database access. Auditing Caché comes with a robust and tamper-resistant auditing system, which audits all changes to the security model. Application developers can use the same audit database by incorporating calls to the audit system in the application code. Enhancements to the Caché Security Model Because the PCI DSS is widely used, Caché includes several changes speci ically designed to make it easier to build applications that comply with the standard. These enhancements, available in Caché 2011, are mainly concerned with the key management used by data element encryption. Managed keys With this enhancement, the encryption key material used for data element encryption is securely held by the system, by storing it in the same protected memory location as the database encryption key. Applications will refer to individual encryption keys using a unique KeyID, therefore eliminating direct access to the key material itself. To make things easier for developers, when this new method of data element encryption is used, the KeyID is embedded in the resulting cipher-text. This enables the decryption process to automatically identify the key that was used to encrypt the data. The new managed key system supports several such keys in addition to the database encryption key. This will make it easy for application developers to satisfy re-encryption requirements in real time and with virtually no impact to the performance of the deployed application. Conclusion The PCI DSS is being adopted by merchants and service providers around the world who need to securely handle credit card information. Application providers need to make sure their solutions are compliant with this standard. InterSystems Caché gives developers the ability to build applications that comply with the PCI DSS. Enhancements included in Caché 2011 will make that task even easier. 3

InterSystems Corporation World Headquarters One Memorial Drive Cambridge, MA 02142-1356 Tel: +1.617.621.0600 Fax: +1.617.494.1631 InterSystems.com InterSystems Ensemble and InterSystems Caché are registered trademarks of InterSystems Corporation. InterSystems DeepSee and InterSystems HealthShare are trademarks of InterSystems Corporation. Other product names are trademarks of their respective vendors. Copyright 2011 InterSystems Corporation. All rights reserved. 2-11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information