PCI Data Protection  

White Papers for Federal Financial Institutions Examination Council (FFIEC)


Tizor

With the severity of recent data breaches, anxiety in the security and compliance community has reached a new high. Questions are being asked about what it means to be PCI compliant, particularly in the context of protecting data from breaches. This white paper describes two PCI requirements for cardholder data protection: data auditing and data encryption. As mandated by PCI 10, data auditing should provide detailed monitoring of all access to cardholder data as well as alerting on potential data theft. As mandated by PCI 3, data encryption should be used to render cardholder data unreadable to anyone who is not authorized.
While these two capabilities are distinct, they can be synergistic. In fact, since encryption is not easy to implement, the PCI standard recommends using data auditing as a lightweight substitute for encryption. Alternatively, if encryption already exists, data auditing can continually audit and help ensure the effectiveness of data encryption. This white paper describes these recommendations in more detail in order to help PCI practitioners make appropriate choices. The ultimate goal of a PCI data protection implementation is to ensure PCI compliance as well as to enable a robust set of protection techniques that can safeguard against data breaches.

Copyright © 2007-2008 ComplianceHome.com. A SUPREMUS GROUP venture. All rights reserved.