Overview
The Payment Card Industry Data Security Standard (PCI DSS) was developed by the major credit card providers in North America, including Visa, MasterCard, American Express and Discover, to enhance payment account data security, and has been enforced since June 30th, 2005. The standard consists of 12 requirements and is enforced by the card brands and by the acquiring banks that provide credit card services to businesses of all sizes. Compliance with PCI DSS is required for every link in the credit card chain (merchant, processor, acquirer) and for the service providers that serve these businesses, such as software developers, third-party network managers and hosting companies. Besides PCI compliance, many retailers and e-commerce providers are also subject to other industry regulations, in particular national and local privacy laws.
Do you:
- Have an encryption process in place that addresses each of the 20 subsections of PCI DSS?
- Need a separate device to off-load intense cryptographic processing from busy servers?
- Have a key management and rotation system?
- Need a solution built for your business, large or small?
PCI DSS is a stringent data security standard, and its requirements for protecting stored and transmitted cardholder data are a good starting point for any organization that stores sensitive data, such as employee and client records. Talk to the experts at Dark Matter Labs about your specific encryption needs.
Cost of Non-Compliance
The major card associations are serious about enforcing PCI standards, and the penalties can be severe. Businesses that fail to comply with the requirements, fail to report a compromise, or fail to rectify identified security issues face the following consequences:
- Possible fines up to $500,000 per incident;
- Possible operating restrictions placed on merchants, including loss of merchant privileges;
- Penalties resulting from violations of other federal or state laws, including privacy legislation;
- Loss of consumer confidence due to negative media fallout.
How Dark Matter Labs can Assist with Compliance
The JANA line of encryption devices was developed by Dark Matter Labs to exceed the demanding standards of PCI, performing several times faster than existing encryption devices while integrating with all database types and having a smaller physical and eco-footprint. Smart. Fast. Efficient.
We work closely with businesses and organizations, their Chief Security Officers, and security professionals to implement business-wide encryption solutions that identify and encrypt all data required by law and other business needs. Regardless of your data-encryption needs and business architecture, we can help; and we'd enjoy hearing from you.
We can help in the following ways:
- Identification of vulnerable data and correlation with PCI requirements;
- Assessment of existing network infrastructure and ideal implementation of encryption solutions;
- Installation of enterprise-wide encryption solutions;
- Training on installed solutions; and
- Comprehensive, on-going customer support.
PCI Requirements to Look for in an Encryption Solution
The following table lists the requirements of Requirement 3 (Protect stored cardholder data) of the PCI Standard, the subsection, and how Dark Matter Labs' products meet or exceed them.
| PCI Requirement | Subsection | Dark Matter Labs' Solution |
|---|---|---|
| Render credit card numbers unreadable in all stored locations | 3.4 | Our appliances provide strong column-level or file-level encryption of stored credit card information |
| Generation of strong keys | 3.6.1 | Our easy-to-use key management interface ensures this requirement is met with minimal effort |
| Secure cryptographic key distribution & storage | 3.6.2 & 3.6.3 | The Jana appliances securely control, store and distribute ALL cryptographic keys, removing the need for administrators to distribute keys across multiple systems by hand |
| Periodic cryptographic key rotation, annually at minimum | 3.6.4 | Our industry-unique non-invasive key rotation function allows businesses to rotate all of their cryptographic keys in minutes without ever having to interact with any stored data. Rotation that never touches stored data means the key-encrypting key is rotated and the data-encrypting keys are re-wrapped under it; a data-encrypting key that is known or suspected to be compromised still has to be retired by re-encrypting the data it protects (see 3.6.5) |
| Retirement of old or compromised keys | 3.6.5 | Our easy-to-use key management interface ensures this requirement is met with minimal effort |
| Split knowledge & dual control of cryptographic keys | 3.6.6 | The Jana key management interface allows any number of key custodians to share control over crypto keys |
| Prevention of unauthorized substitution of keys | 3.6.7 | The Jana key management interface alerts key custodians to all modifications of crypto keys and supports logging to centralized servers for monitoring |
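As an added illustration of how the 3.4, 3.6.4, 3.6.5 and 3.6.6 items above fit together (this is example code written for this page, not JANA or Dark Matter Labs code), the following Python shows a key-wrapping hierarchy: PANs are encrypted under data-encrypting keys (DEKs), the DEKs are stored only wrapped under a key-encrypting key (KEK), the KEK is assembled from per-custodian components, rotating the KEK re-wraps the DEKs without touching a single stored ciphertext, and retiring a compromised DEK must re-encrypt every row it protected. The cipher is a stand-in built from HMAC-SHA256 in counter mode with an HMAC tag so that it runs on the standard library alone (a real deployment would use AES-GCM or an HSM); the `KeyStore` class, the key IDs, the row layout and the sample PANs are assumptions of the example.

```python
"""Key-wrapping hierarchy for stored PANs (PCI DSS 3.4, 3.6.4, 3.6.5, 3.6.6).
Added illustration, not JANA/Dark Matter Labs code. The cipher is an HMAC-SHA256
counter-mode PRF with an HMAC tag, a stdlib stand-in for AES-GCM or an HSM."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with PRF(key, nonce || counter) blocks; never reuse a (key, nonce) pair."""
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += _prf(key, nonce + counter.to_bytes(8, "big"))
    return _xor(data, stream)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or tampered ciphertext raises ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if len(blob) < NONCE_LEN + TAG_LEN or not hmac.compare_digest(_prf(_prf(key, b"mac"), nonce + ct), tag):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return _keystream_xor(_prf(key, b"enc"), nonce, ct)


def split_kek(kek: bytes, custodians: int) -> list:
    """Split knowledge (3.6.6): XOR components; any subset short of all of them reveals nothing."""
    parts = [os.urandom(len(kek)) for _ in range(custodians - 1)]
    last = kek
    for p in parts:
        last = _xor(last, p)
    return parts + [last]


def combine_kek(parts: list) -> bytes:
    """Dual control: the KEK exists only after every custodian has entered a component."""
    kek = bytes(len(parts[0]))
    for p in parts:
        kek = _xor(kek, p)
    return kek


class KeyStore:
    """Holds data-encrypting keys (DEKs) only in wrapped form under one KEK (assumed layout)."""

    def __init__(self, kek: bytes):
        self._kek = kek
        self.wrapped = {}  # key_id -> DEK encrypted under the KEK

    def create_dek(self, key_id: str) -> None:
        self.wrapped[key_id] = encrypt(self._kek, os.urandom(32))

    def dek(self, key_id: str) -> bytes:
        return decrypt(self._kek, self.wrapped[key_id])

    def rotate_kek(self, new_kek: bytes) -> int:
        """3.6.4 rotation: re-wrap every DEK; stored PAN ciphertext is never touched."""
        self.wrapped = {kid: encrypt(new_kek, decrypt(self._kek, w)) for kid, w in self.wrapped.items()}
        self._kek = new_kek
        return len(self.wrapped)

    def retire_dek(self, old_id: str, new_id: str, rows: list) -> int:
        """3.6.5 retirement of a compromised DEK: every row under it must be re-encrypted."""
        self.create_dek(new_id)
        moved = 0
        for row in rows:
            if row["key_id"] == old_id:
                row["pan_ct"] = encrypt(self.dek(new_id), decrypt(self.dek(old_id), row["pan_ct"]))
                row["key_id"] = new_id
                moved += 1
        del self.wrapped[old_id]
        return moved


def encrypt_pan(store: KeyStore, key_id: str, pan: str) -> dict:
    """Column-level encryption (3.4): each row records which DEK protects it."""
    return {"key_id": key_id, "pan_ct": encrypt(store.dek(key_id), pan.encode())}


def decrypt_pan(store: KeyStore, row: dict) -> str:
    return decrypt(store.dek(row["key_id"]), row["pan_ct"]).decode()


if __name__ == "__main__":
    # Constructed sample data: industry test PANs, not real card numbers.
    store = KeyStore(combine_kek(split_kek(os.urandom(32), custodians=3)))
    store.create_dek("dek-01")
    rows = [encrypt_pan(store, "dek-01", p) for p in ("4111111111111111", "5555555555554444")]
    before = [r["pan_ct"] for r in rows]
    store.rotate_kek(os.urandom(32))
    print("KEK rotated, ciphertext unchanged:", before == [r["pan_ct"] for r in rows])
    print("rows re-encrypted on DEK retirement:", store.retire_dek("dek-01", "dek-02", rows))
    print("rows still decrypt:", [decrypt_pan(store, r) for r in rows])
```

The two rotation paths are deliberately different functions: `rotate_kek` is the cheap, "non-invasive" annual rotation, while `retire_dek` is the expensive path that a compromised key forces, and an audit of 3.6.5 should ask which of the two a vendor's rotation feature actually performs.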
Other core requirements of PCI which we have built into all of our encryption solutions include:
| PCI Requirement | Subsection | Dark Matter Labs' Solution |
|---|---|---|
| Maintain a firewall to protect cardholder data | 1 | Jana's built-in firewall provides excellent configurability over access controls & logging |
| Enforce strong password usage policies | 2.1 | Our encryption suite requires strong passwords for system access and during all phases of the key management life-cycle |
| Develop configuration standards for all system components | 2.2 & 6 | Our technologies adhere closely to the development guidelines maintained by SANS, NIST, CIS, OWASP, and others |
| Implement only ONE primary function per server | 2.2.1 | While there are MANY good operational reasons to use a separate appliance-based encryption solution, PCI also strongly favors the segmentation of encryption (as a primary function) from other servers (such as web, app, or db). This indicates an appliance-based solution may be preferable to software-based encryption |
| Disable all unnecessary protocols and services | 2.2.2 | The JANA operating system and application ship with unnecessary protocols and services (such as FTP) disabled |
| Encrypt all non-console administrative access & transmission of cardholder data across open, public networks | 2.3 & 4.1 | All communications with the Jana appliances are encrypted via SSL/TLS. Note that PCI DSS no longer accepts SSL or early TLS as strong cryptography, so deployments should be configured for TLS 1.2 or later |
| Restrict access to cardholder data by business need-to-know | 7 | Our sophisticated key management interface provides comprehensive & flexible access controls & access logging |
| Assign a unique ID to all users with system access | 8 | The Jana appliances combine a compliant ID/password authentication mechanism with comprehensive access logging |
| Restrict physical access to cardholder data | 9 | The Jana appliances are designed to work within an organization's physical security program. They are also physically locked down to prevent physical console access and include tamper-evident mechanisms |
| Track & monitor all access to cardholder data | 10 | As mentioned, the Jana appliances incorporate sophisticated logging features and remote logging |
| Regularly test security systems | 11 | At Dark Matter Labs we regularly and intensely test our encryption technologies, and all of our appliances include algorithm self-test capabilities. This complements, but does not replace, the quarterly vulnerability scans and annual penetration tests that Requirement 11 requires of the merchant's own environment |
Please review this recently commissioned, independent PCI Whitepaper for more information
Key Regulations & Legislation
For more details concerning PCI standards and timelines, try the following sites:
- PCI Security Standards Council - The five-member council (Visa, MasterCard, Discover, American Express, JCB) formed by the card brands that created the PCI DSS, and which now maintains it
Related Industries
- Privacy - Privacy laws are ubiquitous and affect business everywhere.
