Understanding the Card Data Environment
One of the biggest changes in version 4.0 is that it acknowledges protection methods outside of routers and firewalls. The CDE was once a straightforward physical database where customer information was stored. Transparent data encryption (TDE) was commonly used to protect data written to disk or in transit. This is an important update, as the CDE is now virtual and exists anywhere a credit card is being used — from a consumer making an online purchase to a point-of-sale exchange. PCI DSS defines the CDE in the following ways:
A merchant can offload as much responsibility as possible by outsourcing all access to the card data to third-party providers, but the last item of the CDE definition means that the merchant environment is still in scope: the merchant must attest that it has no access to the data and that the third-party providers are PCI compliant. This makes sense, as the merchant will suffer the consequences of customer and government angst in the case of a breach, regardless of whether the merchant was directly at fault.
Now, let’s move on to specific scenarios to protect data under PCI DSS 4.0.
In a typical card transaction, processed sensitive account data is generally in the clear only for a few seconds, but the prevalence of illegal point-of-sale card readers has made it easy for criminals to steal that information. Additionally, some merchants — often e-commerce sites — would store customer information in memory and delete it in batches daily, leaving swaths of data in the clear for extended periods. This practice is prohibited by PCI DSS.
Satisfying PCI DSS: Merchants must encrypt data immediately while waiting for payment. Depending on the situation, data can be encrypted in a number of ways. First, secure sockets layer/transport layer security (SSL/TLS) protocols create secure communication between the point of sale and the processor/payment gateway. Point-to-point encryption (P2PE) and end-to-end encryption (E2EE) are slightly different methods that encrypt data throughout the payment process, starting at the point-of-sale terminal. Finally, tokenization, which replaces real data values with tokens, is used when data must be stored and used for future transactions.
Encryption’s effectiveness as a best-in-class protection method comes from the keys. Data can’t be accessed without the keys, but for many years organizations didn’t own them. It doesn’t do any good to encrypt your data if the keys are easy to access. Under PCI DSS 4.0, organizations will be non-compliant if the keys are outside their control.
Satisfying PCI DSS: In recent years, we’ve seen more cloud providers offer bring your own key (BYOK) technology to users, giving them complete control over encryption keys. With BYOK, there is a two-tier method in which the organization owns a customer-managed key (CMK) that never leaves the organization’s own system. The CMK is used to encrypt the data encryption key (DEK), which is in turn used to encrypt the data. The encrypted DEKs are stored in a database of the user’s choosing. And should the company decide to end its relationship with the cloud service provider, the keys are destroyed and the encrypted data becomes unrecoverable.
Pre-production environments, also called “lower environments,” refer to any test, development, or DevOps environment where the production environment may be simulated. Traditionally, vast amounts of unprotected data were copied and shared with many people working in pre-production environments — which, under the new PCI DSS mandate, is a compliance issue.
Satisfying PCI DSS: Traditional encryption is an option, but format-preserving encryption (FPE) is preferred since the data type and length are preserved, so test code and schemas that expect a PAN-shaped value keep working. The duplicated data is simply double-encrypted, but the keys for both layers of encryption remain within the card data environment, ensuring that the original data is never available in the pre-production environment.
Protecting credit card data is undoubtedly a challenge as compliance regulations become more stringent. However, PCI DSS has given organizations a lengthy on-ramp to implement best-in-class protection methods to keep customer information safe and avoid non-compliance. The time to start working toward this new reality is now.
— Billy VanCannon, Director of Product Management, Baffle