As small and medium businesses begin to re-open following the pandemic, it’s important to do so securely in order to protect customers’ payment card data. Too often, data breaches happen as a result of vulnerabilities that are entirely preventable. The PCI Security Standards Council (PCI SSC) has developed a set of payment protection resources for small businesses. In this 8-part back-to-basics series, we highlight payment security basics for protecting against payment data theft. Today’s blog focuses on using encryption to make payment data unreadable.
The best way to keep payment data safe is to make it useless even if it’s stolen and to remove it altogether when it’s not needed. Encryption is one way to protect payment card data by making it useless if stolen by criminals. Encryption applies a cryptographic algorithm and a secret key to turn readable plaintext into ciphertext that cannot be read by anyone who does not hold the key. It makes stolen data look like a jumbled, useless mess.
PCI P2PE solutions guarantee the strongest encryption protections for your business. Ask your vendor whether your payment terminal encryption is done via a Point-to-Point Encryption solution and is on the PCI SSC’s List of PCI P2PE Validated Solutions.
Here are three guidelines for using encryption or other types of data protection:
- Limit storing cardholder data: Limit retention time of stored data to that required for business, legal, and/or regulatory purposes. Purge stored cardholder data at least quarterly.
- Mask PAN when displayed: Consider masking (not showing) the full PAN on your point-of-sale display and printed receipt. Instead, show no more than the first six and last four digits; showing fewer digits is even better. This prevents sales clerks and other unauthorized people from stealing the full PAN. Note that some laws and/or payment brand rules may set stricter requirements for displays of cardholder data on receipts – check with your merchant bank.
- Use encryption or other strong data protection for stored PAN: Never store cardholder data unless it’s absolutely necessary for a valid business reason, and if you do need to store it, make sure you encrypt it or otherwise protect it. Never store sensitive authentication data after authorization of the payment transaction.
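The masking guideline above (show no more than the first six and last four digits, fewer if possible) is easy to get wrong when receipt templates or logs are built from raw input. The following is an added example, not code from PCI SSC, showing a masking routine that refuses to expose more than the permitted digits, plus a check for receipt or log text that still contains a full PAN. The sample card number is a constructed, well-known test value.

```python
import re

# Upper bound from the guideline above: at most the first six and last four
# digits of the PAN may appear on a point-of-sale display or printed receipt.
MAX_LEADING = 6
MAX_TRAILING = 4

# Runs of 13-19 digits, optionally separated by spaces or dashes, have the
# shape of a full PAN; shorter runs such as "411111" or "1111" do not.
_PAN_SHAPE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def mask_pan(pan: str, leading: int = MAX_LEADING, trailing: int = MAX_TRAILING,
             mask_char: str = "*") -> str:
    """Return the display/receipt form of a PAN with only permitted digits visible.

    Spaces and dashes from keyed or swiped input are stripped first so that
    formatting cannot leak extra digits. Asking for more than the
    first-six/last-four limit is rejected rather than silently honoured.
    """
    if not (0 <= leading <= MAX_LEADING and 0 <= trailing <= MAX_TRAILING):
        raise ValueError("requested visibility exceeds the first-six/last-four limit")
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("expected a PAN of 13-19 digits")
    hidden = len(digits) - leading - trailing
    if hidden <= 0:  # cannot happen within the limits above; kept as a guard
        raise ValueError("masking would expose the full PAN")
    # Slice by explicit index so trailing=0 yields no visible suffix.
    return digits[:leading] + mask_char * hidden + digits[len(digits) - trailing:]


def contains_unmasked_pan(text: str) -> bool:
    """True if a receipt line, log line or screen capture still holds a full PAN.

    Conservative by design: any 13-19 digit run is flagged, which suits a
    pre-deployment check of receipt templates and POS log output.
    """
    return _PAN_SHAPE.search(text) is not None


if __name__ == "__main__":
    sample = "4111 1111 1111 1111"  # constructed test number, not a real card
    print(mask_pan(sample))                                   # 411111******1111
    print(mask_pan(sample, leading=0))                        # ************1111
    print(contains_unmasked_pan(f"VISA {sample}"))            # True
    print(contains_unmasked_pan(f"VISA {mask_pan(sample)}"))  # False
```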
For help using encryption, or other types of data protection, consult the person who installed your network and payment system.
Read this resource for more information on PCI P2PE Solutions: Point-to-Point Encryption (P2PE) Solutions for Merchants.
For more guidance on payment security best practices, read the PCI SSC Guide to Safe Payments.