PAN Storage and the PCI DSS

The Tricks of Storing PAN Data

PAN is an acronym whose meaning most people don't know. It stands for Primary Account Number, and this information must be protected and safeguarded. The PCI DSS obliges you to conceal the data, so that customers' personal information is not exposed. Storing PAN increases the risk to your business; if you have no business reason to store it, don't.

If you have to store PAN data, you have to comply with PCI DSS Requirement 3.4. These are policies laid down to guide the safeguarding of both users and clients. The storage has to be done in a way that renders the card data unreadable, through one of the following methods:

  • One-way hashes based on strong cryptography
  • Truncation
  • Index tokens and pads
  • Strong cryptography with associated key-management processes and procedures

The following paragraphs illustrate examples of hashing in action.

Card-not-present transaction with card-present verification at time of pick-up: If you book a rail ticket online, you are required to produce the real card when collecting the ticket. This is used for verification, to ensure you are the person who made the booking. The kiosk attendant might ask you to insert the card. To avoid storing PAN data, the rail operator can choose to store hashed data instead of the PAN itself.

Recurring payment transactions: Another illustration is a fraud management system that stores only hash values of PAN data. By storing only hash values of PAN data within the fraud management system, you are not exposing real PAN data, even to fraud analysts.
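As an added example, not taken from the original article, the following Python shows two of the methods listed above, truncation and a one-way hash, together with the pick-up verification the rail example describes. The key and the test PAN are constructed values. A keyed hash (HMAC) is used rather than a bare digest because the space of valid PANs is small enough that unkeyed hashes give little protection.

```python
import hashlib
import hmac

# Constructed example key: in production it lives in an HSM or key-management
# system, never in the same store as the hashed values.
HMAC_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c" * 2)

# Constructed, widely used test PAN, not a real cardholder account.
TEST_PAN = "4111 1111 1111 1111"


def normalize_pan(pan: str) -> str:
    """Strip separators and enforce the 13-19 digit length a PAN can have."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits


def luhn_valid(pan: str) -> bool:
    """Luhn check digit, to reject mistyped numbers before hashing or storing."""
    total = 0
    for i, ch in enumerate(reversed(normalize_pan(pan))):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep the first six and last four digits, mask the rest."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan: str, key: bytes = HMAC_KEY) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the entire PAN.

    An unkeyed hash is weak here: the PAN space is small and structured, so
    plain digests can be reversed by enumeration. Keying the hash with a
    separately managed secret removes that shortcut."""
    return hmac.new(key, normalize_pan(pan).encode("ascii"), hashlib.sha256).hexdigest()


def pan_matches(presented_pan: str, stored_hash: str, key: bytes = HMAC_KEY) -> bool:
    """Pick-up verification: hash the card inserted at the kiosk and compare in
    constant time with the hash stored at booking; the clear PAN is never kept."""
    return hmac.compare_digest(hash_pan(presented_pan, key), stored_hash)
```

At booking time only `hash_pan(pan)` and `truncate_pan(pan)` are stored; at the kiosk `pan_matches` decides whether the presented card is the one used online.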

How storage of PAN influences the scope of compliance

The only way to save yourself from PCI DSS compliance complications is to avoid storing PAN data. Storing it requires a lot of validation to ascertain that you have really adhered to the laid-down procedures.

Aligning your business requirements with a reduced PCI Scope

Enhancing the security of stored PAN data is a sophisticated endeavor. However, if your business has a true need to store it, it is worth getting right.

PCI Compliance

Merchants and Providers PCI Compliance

There has been tremendous growth in the number of organizations that accept credit cards in their operations. As technology changes rapidly, payment methods are also evolving. The desire to increase sales, and hence revenue, has attracted many businesses to embrace the era of cashless payments. Although the convenience of credit cards is far greater than that of cash transactions, the risks have increased as well. Cases of fraud involving credit cards and other modes of online payment have hit the media headlines, signaling the seriousness of the matter.

Merchants have no clear understanding of their role in preventing the risks associated with payments. They know they are sellers but have little know-how of their role in the payment process. This lack of awareness further exposes them to the repercussions that come with fraudsters. They should understand their responsibilities well, to abate such cases.

Do You Classify Yourself as a Merchant?

The PCI Security Standards Council (SSC) has set out a definition of a merchant, to remove the confusion that might keep the respective parties from understanding their roles. A merchant is defined as an entity that accepts transactions using cards bearing the logo of any PCI SSC member. Some of those members are American Express, Discover, JCB, MasterCard and Visa. More information concerning the members can be found at: www.pcisecuritystandards.org

Merchants should, therefore, adhere to the standards set out by the council. One of the major issues every trader must be aware of is their service providers. Additionally, the parties involved in service delivery should understand their roles, to avoid breaching the stipulated policies.

Are you a provider of services?

PCI service providers are companies and individuals entrusted with the processing, storage, or transmission of customers' card data. Most of them are not aware of this function, which places them at higher risk of litigation for neglecting the security of their clients. This information can be found at www.pcisecuritystandards.org. Examples of service providers are hosting, billing, account management and back-office services, among others. Many of these providers are not aware that they are service providers.

The Scope of Responsibilities for Being Both a Merchant and a Service Provider

Is it possible to be both a provider and a merchant? The question is answered by the PCI Security Standards Council's definition. The council highlights that a merchant can accept cards for payment of goods and services and also act as a service provider by transmitting card data. The definition is backed up by information from the following site: www.pcisecuritystandards.org

Building Trust with Customers as a Service Provider

Providing services to clients requires a clear demonstration of quality service, through adherence to the PCI standards. This not only helps the image of the business but also protects the owner from court-imposed fines. It all begins with validating PCI service provider compliance.

  1. Choose to complete a PCI Level 1 assessment, which is carried out alongside a Qualified Security Assessor (QSA). It is meant to ensure that providers protect customers' data and mitigate cases of leakage.
  2. If one is not able to complete a Level 1 assessment but qualifies for Level 2, he or she can perform a self-assessment, which requires completing the service provider SAQ.
  3. Work with merchants and assist them in meeting PCI compliance requirements. The council has provided a document that can be used as a reference to cross-check the responsibilities of every party.
  4. Ensure that you appear in the Visa Global Registry of Service Providers. This is where merchants browse to check the authenticity of providers.

Compliance with PCI is a move to legitimize your business and improve how the outside world perceives it. Every organization should understand its role and strive to uphold the laid-down policies.