Encryption: What is it and How Does it Protect My Credit Card Information?
Thieves break into homes because they believe there is something of value on the other side of the locked door. Computer hackers have the same motivation. They believe there is something of value on the other side of the firewalls.
In today’s Wild West Web World, international hackers are gaining access to troves of personal information, financial data, and military secrets. It is no longer enough to secure data in transit, devise complex passwords, insulate web servers with multiple firewalls, and monitor all traffic. More must be done to prevent malicious activity from destroying your credit and credibility.
A few years ago, while I was researching what else could be done to secure our data, a well-known security expert told me that, while all should be done to prevent the amateur data thief from easily stealing your data, preventing a determined hacker from accessing your system requires extreme measures. During our discussion, he reiterated that hacking attempts are commonplace, but in the unlikely event that they are successful, “what will the criminals find once they get through?”
The Payment Card Industry Security Standards Council (PCI SSC) requires all entities that store, process, or transmit cardholder data to use encryption tools and methods to protect that information. Encryption can be defined as the process of obscuring information to make it unreadable without special knowledge, key files, and/or passwords. It is the process of converting information or data into a code to prevent unauthorized access. Interestingly, one of the earliest documented instances of encryption appears in a Mesopotamian cuneiform tablet in which the recipe for a pottery glaze was camouflaged.
The PCI SSC recommends the following precautions for securing credit card information at rest:
- Encryption of stored data. Your data should be held only on a website that uses encryption tools to encode, and thus mask, sensitive data stored on the server. There are many tools that can be purchased and implemented to protect your data at rest.
- Storage of credit card information. The PCI SSC also requires that stored credit card numbers not be viewable in any database or files on the servers used anywhere in the process, and that the CVV (the three digits on the back of the card) never be stored in any form.
- Backups and log files. In addition, companies must encrypt backups and log files where credit card information may be stored.
Effective encryption tools scramble all confidential information stored on the servers, not just credit card numbers. This means that even if a hacker did manage to gain access, all they would find is gibberish. Proper multi-level encryption is very expensive, but the cost of not encrypting can be far greater.
The large companies that have suffered massive data breaches in the last few years all failed to take these steps. Absent encryption of data at rest, once penetrated, sensitive information was clearly visible. Many of those companies were successfully sued, resulting in millions of dollars paid as compensation and punitive damages. We trust that they have since updated their security profile.
Systems East, the owner/operator of Xpress-pay, takes data security very seriously. We are certified at the highest industry standard (PCI DSS Level One) to ensure that the information we store is as safe as technology allows. We also mandate ongoing staff education and enforce policies, email and other security measures that help protect our processing environment. We embrace our fiduciary responsibility and will continue to adhere to all standards necessary to protect information that has been entrusted to us.