PCI Free Blog

Encryption of Stored Data and Data in Transit – A Must for Data Security

The PCI DSS requires that you, the merchant, be responsible for the protection of your customers’ personal information. Encryption is a process by which plain text information is encoded by an encryption algorithm into an unreadable format. It can only be translated back, or decrypted, into plain text by using the proper “decryption key,” known only to the merchant and their processor. Merchants and processors should be using an industry-approved and lab-certified encryption algorithm.

Encryption of sensitive authentication data is essential both for becoming PCI compliant and for maintaining PCI compliance. Encrypting all transmitted and stored data is so important that it may be the single most effective protection you have against data loss through theft. For airtight protection, any data that is stored or transmitted must be encrypted at the moment of capture. Data that should be encrypted includes (but is not limited to) the cardholder’s PAN (primary account number), a.k.a. the card number, and any other magnetic stripe data on all tracks. When data is encrypted immediately upon receipt, prior to storing or transmitting it, we call that “end-to-end encryption.” This prevents information from being stored or transmitted in plain text, where it would be vulnerable to interception by computer hackers. If encrypted information is gleaned from a transmission or stolen from a database, it is useless to the hacker.

The unfortunate reality is that, as of yet, no encryption algorithm is infallible. But when encryption is properly employed, only the most knowledgeable and experienced thieves possess the tools and know-how to circumvent the algorithm and break the encryption. Proper key management also limits how much information a thief can decrypt with any one compromised key. The PCI DSS stipulates that all encryption keys be reviewed and updated every six months at a minimum. Reviewing and updating encryption keys more frequently than that lends additional protection: since more frequent key updates shrink the set of information each key gives access to, you control how much information any single key will decrypt.
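The two practices above, encrypting the PAN at the moment of capture and rotating and retiring keys so that any one key unlocks only a bounded set of records, are illustrated by the following added example. It is not code from this blog or from any PCI product; the `Vault` type is a hypothetical in-memory key store, the PAN is a constructed test value, and AES-256-GCM from Go's standard library stands in for whatever lab-certified algorithm a merchant's processor mandates.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Vault is a hypothetical in-memory key store (index = key id, nil = retired);
// production keys belong in an HSM or KMS, but the rotation logic is the same.
type Vault struct{ keys [][]byte }
func randomBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b } // crypto/rand never fails

// Rotate mints a fresh 256-bit key; Retire destroys an old one, after which every record sealed under it is unreadable to thief and merchant alike.
func (v *Vault) Rotate()       { v.keys = append(v.keys, randomBytes(32)) }
func (v *Vault) Retire(id int) { v.keys[id] = nil }

func (v *Vault) aead(id int) (cipher.AEAD, error) {
	if id < 0 || id >= len(v.keys) || v.keys[id] == nil {
		return nil, errors.New("unknown or retired key: record unrecoverable")
	}
	block, _ := aes.NewCipher(v.keys[id]) // 32-byte key, cannot fail
	return cipher.NewGCM(block)
}

// Encrypt runs at the moment of capture and returns what is actually stored or sent: the key id and
// nonce||ciphertext||tag, with the id bound as associated data so a record cannot be relabelled later.
func (v *Vault) Encrypt(pan string) (int, []byte, error) {
	id := len(v.keys) - 1
	g, err := v.aead(id)
	if err != nil {
		return 0, nil, err
	}
	nonce := randomBytes(g.NonceSize())
	return id, g.Seal(nonce, nonce, []byte(pan), []byte(fmt.Sprint(id))), nil
}

// Decrypt fails closed for retired keys, mislabelled key ids and tampering.
func (v *Vault) Decrypt(id int, blob []byte) (string, error) {
	g, err := v.aead(id)
	if err != nil {
		return "", err
	}
	if n := g.NonceSize(); len(blob) >= n {
		pt, err := g.Open(nil, blob[:n], blob[n:], []byte(fmt.Sprint(id)))
		return string(pt), err
	}
	return "", errors.New("malformed record")
}
```

Once key 0 is retired, every record it sealed stays ciphertext forever, which is exactly the bound on exposure that rotation buys you.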

For more on this and other techniques for protecting your customers and, in doing so, yourself, go to our home page and find out how to become PCI compliant.  Following the requirements set forth in the PCI DSS and maintaining your PCI compliance is your best protection against data loss due to theft.  This site will show you how to become PCI compliant for free.

This entry was posted in PCI Compliance, PCI DSS and PA-DSS, Point-Of-Sale Equipment, Sensitive Data Storage, Wireless Technology Security.