Encryption: What is it and How Does it Protect My Credit Card Information?
Thieves break into homes because they believe there is something of value on the other side of the locked door. Computer hackers have the same motivation. They believe there is something of value on the other side of the firewalls.
In today’s Wild West Web World, international hackers are gaining access to troves of personal information, financial data, and military secrets. It is no longer enough to secure data in transit, devise complex passwords, insulate web servers with multiple firewalls, and monitor all traffic. More must be done to prevent malicious activity from destroying your credit and credibility.
A few years ago, while I was researching what else could be done to secure our data, a well-known security expert told me that, while everything should be done to prevent the amateur data thief from easily stealing your data, preventing a determined hacker from accessing your systems was virtually impossible. During our discussion, he stated simply, “We all will get hacked at some point, but what will the criminals find once they get through all the security measures you have taken?”
The Payment Card Industry Security Standards Council (PCI SSC) requires all entities that store, process, or transmit cardholder data to use encryption tools and methods to protect that information. Encryption can be defined as the process of obscuring information to make it unreadable without special knowledge, key files, and/or passwords. It is the process of converting information or data into a code to prevent unauthorized access. Interestingly, one of the earliest documented instances of encryption appears in a Mesopotamian cuneiform tablet in which the recipe for a pottery glaze was camouflaged.
The PCI SSC recommends the following precautions for securing credit card information at rest:
- Encryption. Your data is secured at a website that uses encryption tools to encode and thus mask sensitive data stored on the server. There are many tools that can be purchased and implemented to store your data at rest.
- Storage of credit card information. The PCI SSC also requires that stored credit card numbers not be viewable in any database or file on any server used anywhere in the process, and that the CVV (the three digits on the back of the card) never be stored in any form.
- Backups and log files. In addition, companies must encrypt backups and log files where credit card information may be stored.
Effective encryption tools scramble all confidential information stored on the servers, not just credit card numbers. This means that if hackers do manage to gain access, all they find is gibberish. Proper encryption is quite expensive, but the cost of not encrypting is far greater.
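As an added example (not code from this post or from Xpress-pay), here is what those rules look like when enforced in a Go storage layer: the card number (PAN) is written only as AES-256-GCM ciphertext plus its last four digits, and any attempt to persist a CVV is refused at the boundary rather than silently dropped. The algorithm, the Vault and StoredCard names, and the assumption that the key arrives from an external key-management service are my choices; the PCI standard does not prescribe a specific cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// StoredCard is the only shape that reaches the database: the PAN as AES-256-GCM
// ciphertext plus the last four digits for display. It has no CVV field on purpose.
type StoredCard struct {
	Nonce, Ciphertext []byte
	Last4             string
}

// Vault wraps the data-encryption key; in production it comes from an HSM or KMS, never from the records' database.
type Vault struct{ aead cipher.AEAD }
func NewVault(key []byte) (*Vault, error) { // a 32-byte key selects AES-256
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Vault{aead}, err
}

// Store encrypts a PAN at rest. The cvv parameter exists only so the rule can be
// enforced at the storage boundary: a non-empty value rejects the whole write.
func (v *Vault) Store(pan, cvv string) (StoredCard, error) {
	if cvv != "" {
		return StoredCard{}, errors.New("refusing to persist CVV")
	}
	if len(pan) < 13 || len(pan) > 19 {
		return StoredCard{}, errors.New("PAN length out of range")
	}
	nonce := make([]byte, v.aead.NonceSize()) // fresh random nonce for every record
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	last4 := pan[len(pan)-4:] // bound as associated data: an edited Last4 fails Load
	ct := v.aead.Seal(nil, nonce, []byte(pan), []byte(last4))
	return StoredCard{Nonce: nonce, Ciphertext: ct, Last4: last4}, nil
}

// Load decrypts a record; it errors if nonce, ciphertext or Last4 were altered.
func (v *Vault) Load(c StoredCard) (string, error) {
	pt, err := v.aead.Open(nil, c.Nonce, c.Ciphertext, []byte(c.Last4))
	return string(pt), err
}
```

Backups and log files written from this layer inherit the same property: they can only ever contain the ciphertext and the last four digits, never the full PAN or the CVV.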
The large companies that have suffered massive data breaches in the last few years all failed to take these steps. Without encryption of data at rest, once the perimeter was penetrated, sensitive information was clearly visible. Many of those companies were sued and paid millions of dollars in compensation and damages. We trust that they have since updated their security profile.
Systems East, the owner/operator of Xpress-pay, takes data security very seriously. We are certified at the highest industry standard (PCI DSS Level One) to ensure that the information we store is as safe as technology allows.