nuBridges
PCI DSS COMPLIANCE

Comply with Encryption, Key Management and Logging Requirements of the PCI DSS (Payment Card Industry Data Security Standard)

nuBridges offers software solutions to bring you into compliance with the encryption, encryption key management and logging provisions of the Payment Card Industry Data Security Standard. Join the many prominent brands that trust nuBridges Protect software to encrypt billions of credit card transactions, centrally manage the associated encryption keys throughout their lifecycle and pass audits.

While PCI DSS compliance covers a broad set of requirements to ensure that merchants meet minimum levels of security, encryption is one of the most powerful elements of the standard. Why?

If credit card information is encrypted at rest and in motion, and the keys are adequately protected, even if a breach occurs, it’s a non-event (and doesn’t need to be reported!) – the thieves have taken gibberish.

Whether you’re in the retail, insurance, banking, brokerage, education, hospitality, entertainment, healthcare or transportation business, nuBridges can make it easier to comply with PCI DSS – and protect your brand using best practices for securing data at rest and in transit.


“nuBridges has proved to be more than just a software company. They have been a valuable partner in developing a secure eBusiness strategy for our company.”

“Their knowledge of PCI compliance combined with the company’s technical solutions has allowed us to quickly establish a framework that will protect our customers and meet our compliance objectives.”

Bernie Rominski, IT Security Officer, Regis Corporation


nuBridges is also an ideal choice for software application vendors who are getting pressure from their customers to demonstrate compliance with the Payment Application Security Mandates that kicked in in 2008.

Designed to Minimize IT Disruption

nuBridges Protect is designed to make it easier for IT to make your operations PCI DSS compliant. Here are just a few examples:

  • No database or file layout changes required — encrypt a 16-digit credit card number without changing your pre-defined file layout, your application screens or your reports
  • No database downtime during encryption: encryption processes run in the background, allowing high-availability systems to remain active
  • Supports two data protection methods: 1) distributed encryption with centralized key management that does not require a persistent connection between the hub and the spokes – the optimum in performance and availability; or 2) format-preserving tokenization with a central data vault

Tokenization Option Reduces PCI DSS Audit Scope

One of the data protection methods offered by nuBridges Protect is tokenization. This method reduces the number of places where encrypted data is stored within an enterprise, eliminating points of risk and reducing audit scope.

When you undergo a PCI DSS audit, all of the systems, applications and processes that have access to credit card information (unencrypted or encrypted) are considered "in scope." However, if you substitute tokens for the credit card information, and the systems, applications and processes never require access to the token's underlying value, then they are out of scope and do not need to meet PCI DSS compliance requirements.

Because you can format tokens in any manner you wish, you can, for example, render a customer service application and all of its processes "out of scope." A typical customer service function answers billing questions and requires access to only the last four digits of a credit card number. If you format the token to preserve those four digits, and do not give the customer service applications or people any access to the token server, then the entire function is "out of scope." This offers significant financial and practical benefits to many organizations.
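As an added illustration of the scope-reduction argument above (example code written for this page, not nuBridges Protect's own implementation): a minimal token vault that issues format-preserving tokens keeping the last four digits, rejects candidate tokens that would pass the Luhn check so a token can never be mistaken for a real card number, and keeps the only token-to-PAN mapping inside the vault. The class and function names and the in-memory store are assumptions.

```python
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check used by real card numbers; tokens are chosen to fail it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the only mapping between tokens and PANs (in scope for PCI DSS)."""

    def __init__(self):
        # Constructed in-memory store; a real vault is encrypted and access-controlled.
        self._token_to_pan = {}
        self._pan_to_token = {}   # same PAN always yields the same token

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Leading digits are random (not derived from the PAN); the last
            # four are preserved so a billing screen can show "ending in 1234".
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callers inside the scoped environment may reach this."""
        return self._token_to_pan[token]


def customer_service_view(token: str) -> str:
    """What the out-of-scope application sees: never the PAN, only the token's tail."""
    return "card ending in " + token[-4:]
```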

Designed to Pass PCI DSS Compliance Audits

At nuBridges we take responsibility for monitoring the PCI DSS standard and building ongoing compliance into our products. As a participating organization on the PCI Data Security Council, we take an active role in reviewing and recommending changes to the PCI DSS. This involvement enables us to help our customers pass their annual security audits and maintain PCI compliance year after year.

Auditors perform a gap analysis across your information supply chain to identify where credit card data resides throughout the process and assess if it is protected in compliance with the PCI DSS.

Simply encrypting data is not enough to pass PCI DSS audits. The mandates require that keys are rotated (at least) annually, and specify how keys need to be handled (unsafe keys equal unsafe data). Most home-grown or simple encryption solutions don’t support compliant encryption key lifecycle management. nuBridges has it all covered.

Another reason organizations fail audits is because they do not have a DMZ buffer zone between computers that contain credit card numbers and external systems that exchange information with those computers for any reason. Under PCI DSS, it is not acceptable to transmit information to business partners from an internal computer that contains credit card data. This is meant to protect that credit card data from theft.

While it is standard practice for encryption solutions to protect data at rest, only nuBridges also protects data in motion—data that is being transmitted between, for example, a point-of-sale system to the store network server and back to corporate headquarters.

nuBridges solutions integrate with numerous point of sale, loss prevention & fraud detection, enterprise logging, merchandizing, customer relationship management and loyalty information systems to protect data at rest and in motion.

Background

If you process, store or transmit credit card numbers, you must comply with the requirements of the PCI DSS or risk fines and revocation of your ability to process credit card payments.

The PCI DSS was developed by a coalition of credit card companies that founded the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa. Its goal is to help organizations proactively protect customer credit card data using measures that are consistent on a global basis. Larger merchants and payment card service providers must validate their compliance with the PCI DSS periodically via Qualified Security Assessors (PCI Security Council-approved auditors). Smaller merchants are allowed to perform a self-assessment questionnaire describing the protections they have in place.

Today, nuBridges is an active member of the PCI Security Standards Council so that we have early visibility into changes in the PCI DSS requirements, and proactively enhance our products to keep our customers compliant.

The PCI DSS comprises 12 mandates clustered into 6 subject areas. The checkmarks indicate areas where nuBridges can help:

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

nuBridges also offers complementary solutions for managed file transfer to protect all your sensitive data in motion – because all industries are getting better at protecting data at rest, thieves are targeting data in transit. nuBridges can provide end-to-end protection for your data at rest and in transit. More specifically, nuBridges Exchange helps you meet the PCI DSS requirement to protect credit card data in transit by creating a DMZ buffer zone between the Internet and your internal systems.


nuBridges is a proud member of the PCI Standards Council

Next Steps
Resource Center
Affiliations

 

nuBridges is a proud member of the PCI Standards Council
Sharing Data.  With Confidence. © 2010 nuBridges, Inc.     Blog   RSS Feeds   Privacy Policy  Site Map  Contact Us