Our 12 Days of Tips series explores how small retailers can ACT now to repel data thieves during this prime shopping season. Awareness, Checking security controls and Testing security now will help your business lock down your systems during the holiday rush.
Merchants looking for more information on how to secure customer payment data should visit the PCI SSC merchant site.
Protecting Cardholder Data with Encryption
Encryption is one of several ways to protect cardholder data (the primary account number (PAN), cardholder name, service code and expiration date) as you enter the busy holiday shopping season.
Encryption uses a cryptographic algorithm and a secret key to turn readable (plaintext) data into ciphertext that cannot be read by anyone who does not hold the key. Stolen ciphertext looks like a jumbled, useless mess, but the protection is only as strong as the protection of the key, so the key must never be stored alongside the data it protects.
Point-to-point encryption (P2PE) is built into many payment processing solutions offered to small merchants like you. A P2PE solution encrypts card data inside the payment terminal the moment a card is read and keeps it encrypted until it reaches the solution provider's decryption environment, so the clear PAN never passes through your store's computers or network on its way to the bank. Look for a solution listed by the PCI SSC as a validated P2PE solution; that listing is what lets you rely on it to reduce your own security obligations.
Other strong ways to protect stored cardholder data include tokenization, masking, hashing, and truncation. Sensitive authentication data (the full contents of the card's magnetic stripe or chip, card verification codes and PINs) is different: it may never be stored after a transaction is authorized, even in encrypted form.
Many payment solutions automatically apply strong protection to cardholder data when it is processed in a transaction, transmitted to your merchant bank, or stored on a computer.
Here are three guidelines for using encryption or other types of data protection.
1. Limit storing cardholder data. Limit retention time of stored data to that required for business, legal, and/or regulatory purposes. Purge stored cardholder data at least quarterly.
2. Mask PAN when displayed. Consider masking (not showing) the full PAN on your point-of-sale display and printed receipt. Instead, show no more than the first six and last four digits; showing fewer digits is even better. This prevents sales clerks and other unauthorized people from stealing the full PAN. Note that some laws and/or payment brand rules may set stricter requirements for displays of cardholder data on receipts – check with your merchant bank.
3. Use encryption or other strong data protection for stored PAN. Never store cardholder data unless it's absolutely necessary for a valid business reason, and if you do need to store it, encrypt it or otherwise render it unreadable (for example by truncating it or replacing it with a token). Never store sensitive authentication data after the payment transaction has been authorized.
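As an added worked example (not code from the PCI SSC page or from any payment product), here is how guidelines 2 and 3 translate into code: masking a PAN for display so that no more than the first six and last four digits are visible, truncating it for storage so the removed digits are really gone, and deriving a keyed one-way hash that can stand in for a stored PAN as a lookup reference. The PAN values are constructed test numbers, the key is a placeholder, and the function names are assumptions of this example.

```python
"""Added example: masking, truncation and keyed hashing of a primary account
number (PAN). The sample PANs are constructed test numbers, not real cards."""
import hashlib
import hmac

MAX_FIRST = 6   # at most the first six digits may be shown or kept
MAX_LAST = 4    # at most the last four digits may be shown or kept


def pan_digits(pan: str) -> str:
    """Strip spaces and dashes and check the PAN has a plausible length (13-19 digits)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return digits


def mask_pan(pan: str, first: int = MAX_FIRST, last: int = MAX_LAST) -> str:
    """Mask a PAN for display on a POS screen or printed receipt.

    The middle digits are replaced with '*'. At most the first six and last
    four digits stay visible; callers may show fewer (first=0 shows only the
    last four, which is what most receipts need).
    """
    digits = pan_digits(pan)
    if not (0 <= first <= MAX_FIRST and 0 <= last <= MAX_LAST):
        raise ValueError("display may reveal at most the first six and last four digits")
    hidden = len(digits) - first - last
    return digits[:first] + "*" * hidden + digits[len(digits) - last:]


def truncate_pan(pan: str, keep_first: int = 0) -> str:
    """Truncate a PAN for storage: the removed digits are discarded, not hidden.

    Keeps the last four digits and, optionally, up to the first six. Nothing
    else is retained, so the stored value cannot be turned back into a PAN.
    """
    digits = pan_digits(pan)
    if not 0 <= keep_first <= MAX_FIRST:
        raise ValueError("truncation may keep at most the first six digits")
    return digits[:keep_first] + digits[-MAX_LAST:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the PAN, usable as a lookup reference.

    A plain, unkeyed hash is not enough: the space of valid PANs is small, so
    someone holding a list of hashes can hash candidate numbers until one
    matches. The secret key (assumed to come from a key-management system,
    never from the code or the same database) makes that search infeasible.
    """
    if len(key) < 32:
        raise ValueError("use a key of at least 32 bytes")
    return hmac.new(key, pan_digits(pan).encode("ascii"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    test_pan = "4111 1111 1111 1111"       # constructed test number
    print(mask_pan(test_pan))              # 411111******1111
    print(mask_pan(test_pan, first=0))     # ************1111
    print(truncate_pan(test_pan))          # 1111
    demo_key = bytes(32)                   # placeholder only; a real key is random and kept in key management
    print(pan_reference(test_pan, demo_key))
```

Masking and truncation look alike on screen but are different controls: a masked PAN is still the full PAN underneath and remains cardholder data, while a truncated value is no longer a PAN at all. The keyed hash only protects the PAN if the key is managed separately from the hashed values; none of this replaces a validated payment solution, and the person who installed your payment system should confirm which of these protections it already applies.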
For help using encryption or other types of data protection, consult the person who installed your network and payment system.
Resources that can help you:
Merchants looking for more information on payment security essentials should start here: