Network Encryption from CipherOptics
VISA Payment Card Industry (PCI) Compliance

The new Payment Card Industry (PCI) Data Security Standard outlines best practices for credit card data that is stored, processed, or transmitted. All major credit card issuers, including Visa, MasterCard, American Express, Diners Club, and Discover, jointly developed PCI. (It consolidates and supersedes the requirements of the previously developed Visa Cardholder Information Security Program (CISP) and the MasterCard Site Data Protection (SDP) program.) Most merchants are required to comply with this standard.

How does CipherOptics help?
CipherOptics CipherEngine enables Secure Information Sharing, which assures the confidentiality, authenticity, and integrity of data in motion on any network. Our approach to protecting both your network and your data is to deny access to everyone and permit by exception. With that as our driving force, our solutions provide you with both encryption and authentication of all your critical information.

Using powerful 256-bit AES encryption that is approved by the NSA for "sensitive" information, our security solutions authenticate networks and packets and protect data. Using the robust secure hash algorithm (SHA-1), the security gateways verify the integrity of the data, rejecting any packets that have been manipulated or altered. Secure hash can also be used to thwart unauthorized intrusion at the network level. CipherEngine's deterministic firewall feature can reject any packets that lack the proper encryption-based authentication of a trusted endpoint. This effectively turns the local network dark to all unauthenticated traffic from the outside network.

CipherOptics can also help satisfy compliance requirement 3, "protect stored data." CipherEngine protects all data on your network and authenticates anyone accessing your network, including protection of cardholder data in storage, by thwarting intrusion at the network level rather than at the storage level. Its deterministic firewall feature can reject any packets that lack proper encryption-based authentication. This effectively turns the storage network dark to all unauthenticated traffic from the network.

Network-wide data protection is an important part of best practices, both for keeping customer cardholder data confidential and for complying with the PCI Data Security Standard. CipherEngine is a reliable and proven method of meeting the PCI requirements for data confidentiality, integrity, and authentication.

What does CipherOptics do?
CipherOptics is the leader in network-wide encryption. Offering an innovative policy and key management solution, coupled with high-speed, low-latency encryption technology, CipherOptics helps its customers mitigate the risk of data leakage, loss, and theft over any network.

Who is affected by PCI?
All merchants, banks, and service providers that store, process, or transmit cardholder data must comply with the PCI Data Security Standard. This includes virtually every retail concern from the "mom and pop" retail storefront to the giant mega retailers like WalMart. Compliance validation is required for all Visa Merchant Levels 1, 2, and 3 (those processing over 20,000 credit card transactions annually) and may be required for smaller Level 4 merchants.

What are the requirements of PCI?
There are 12 key requirements (listed under 6 categories) that retailers must implement to be compliant:
Build and Maintain a Secure Network:
    1. Install and maintain a firewall configuration
    2. Do not use vendor-supplied defaults
Protect Cardholder Data:
    3. Protect stored data
    4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program:
    5. Use and regularly update anti-virus software
    6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures:
    7. Restrict access to data on a need-to-know basis
    8. Assign a unique ID to each person with access to the computer system
    9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks:
    10. Track and monitor access to network resources and cardholder data
    11. Test security systems and processes on a regular basis
Maintain an Information Security Policy:
    12. Maintain a policy that addresses information security

These security requirements apply to all "system components," defined as any network component, server, or application included in, or connected to, the cardholder data environment. Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances.

What are the penalties for PCI non-compliance?
Merchants that fail to comply with the PCI Data Security Standard face fines of up to $500,000 and loss of the ability to accept credit cards.

In August 2006, only 22% of the major retailers (approximately 290 in the United States) were PCI compliant. An even smaller percentage of mid-size and smaller retailers is compliant.

How do companies comply with PCI?
Encryption is a vital part of PCI compliance. Compliance requirement 4 is to "encrypt transmission of cardholder data and sensitive information across public networks." Companies should think of "public networks" as including shared, leased networks. Although service providers often refer to them as "private line" services, they are not secure. Shared, leased line services separate the data of many customers using the network, but they do not provide data security. Companies must encrypt cardholder data before sending it over third-party networks.

Given the challenges of securing wireless communication, which often involves decryption at the access point, Visa tells merchants to "consider deploying it only for non-sensitive data transmission, or waiting for more secure technology." Compliance with PCI requires end-to-end encryption of wireless transmission of cardholder data and sensitive information.

Companies must protect stored data at rest, and PCI compliance also requires that stored cardholder data be encrypted when it is sent over network links to back-up storage. Whether it's for continuous data replication or electronic archival, data must be secured when it travels to offsite locations.

Helpful Resources
PCI Security Audit Procedures