
Posts Tagged with "PCI"

Upcoming Webinar: Focus on FTP Server Compliance

Get Your FTP Server in Compliance

Revised - Watch the Latest Webinar Recording

With the recently added rules for the Health Insurance Portability and Accountability Act (HIPAA), which now hold trading partners and business associates accountable if they also handle patient data, it's a good time to review whether your FTP server is updated and ready to meet compliance requirements. Learn how to keep your own data and your trading partners' files protected inside your network while still allowing external access without opening inbound network ports. You can also see a demo of Linoma Software's GoAnywhere™, a managed file transfer solution that includes a secure FTP server and a reverse proxy DMZ gateway with clustering and load balancing capabilities to ensure high availability.


IBM i Encryption Made Easy with DB2 Field Procedures

Now Available On Demand

During this recorded webinar, you can learn how to make the DB2 Field Procedures feature in IBM i 7.1 work even more efficiently as part of a more comprehensive solution, one that makes it easier to implement encryption, manage keys, and generate the auditing reports that are so important for meeting compliance regulations like HIPAA and PCI DSS. You can also see a demo of Linoma's popular encryption software Crypto Complete.


All of our webinars are recorded, so if you register and are not able to attend live, you'll be able to review the webinar at a more convenient time.

We look forward to having you join us and will be happy to answer any questions you have.

Tokenization: A Powerful Weapon Against Cyber Attack

Tokenization in the data security world is the process of moving sensitive data from a company's network to a separate location or server, and replacing it on the company's own server with a unique token that references the stored value.

If hackers attempt to access sensitive information such as credit card numbers on a server, they encounter only the token, which prevents them from recovering the original data without the specific encryption key or knowledge of the tokenization system.

For example, say a merchant acquires a credit card number by swiping a customer's card with a card reader. If the merchant has implemented tokenization, the card number is immediately replaced in the merchant's database by a token while the actual card number is sent to and stored (in encrypted form) at a different location, along with the reference to the token.

Because the actual card number is never stored in the merchant's front-end system, hackers have a much more difficult time stealing it. Customers can therefore be assured that it is safe to let that merchant use their card information because the actual credit card numbers are not stored in an easily accessible location.
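The split described above, as an added example that is not Linoma's code: a minimal tokenization vault in which the merchant-side record keeps only a random token (plus the last four digits, which customer service typically needs), while the full card number is held in a separate store that only authorized principals may query. The class and function names (`TokenVault`, `MerchantRecord`, `store_card`) are hypothetical, and encryption of the vault's contents under a managed key is assumed to be provided by the vault system rather than implemented here.

```python
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Reject malformed card numbers before they reach the vault."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """Separate store mapping token -> card number.

    In a deployment this runs on its own system, and the stored values are
    encrypted with an AEAD under a managed key (assumed, not shown here).
    """
    _store: dict[str, str] = field(default_factory=dict)
    _authorized: set[str] = field(default_factory=set)

    def grant(self, principal: str) -> None:
        """Allow a principal (e.g. the charge-back service) to detokenize."""
        self._authorized.add(principal)

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # The token is random, not derived from the card number, so it
        # carries no information that could be reversed outside the vault.
        while True:
            token = "tok_" + secrets.token_hex(16)
            if token not in self._store:
                break
        self._store[token] = pan
        return token

    def detokenize(self, token: str, principal: str) -> str:
        if principal not in self._authorized:
            raise PermissionError(f"{principal} may not detokenize")
        return self._store[token]


@dataclass
class MerchantRecord:
    """What the merchant's front-end database holds: token and last four only."""
    customer: str
    token: str
    last4: str


def store_card(vault: TokenVault, customer: str, pan: str) -> MerchantRecord:
    """Swap the freshly captured card number for a token before it is stored."""
    token = vault.tokenize(pan)
    return MerchantRecord(customer=customer, token=token, last4=pan[-4:])


def merchant_db_contains_pan(records: list[MerchantRecord], pan: str) -> bool:
    """Check that the full card number never appears in merchant-side data."""
    return any(pan in (r.customer, r.token, r.last4) for r in records)


if __name__ == "__main__":
    vault = TokenVault()
    vault.grant("chargeback-service")
    # Constructed sample input: a well-known test card number, not a real account.
    rec = store_card(vault, "alice", "4111111111111111")
    print(rec)                                     # token and last four only
    print(merchant_db_contains_pan([rec], "4111111111111111"))   # False
    print(vault.detokenize(rec.token, "chargeback-service"))     # full number
```

The point a practitioner should take from this is that the merchant database is useless to an attacker on its own: the token is random, so neither the token nor the last four digits can be turned back into a card number without access to the vault and a principal it has been told to trust.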

All organizations that capture credit card data are required by the PCI DSS government regulations to secure and protect this data. Originally this presented a challenge to the payment industry, until Shift4 Corporation presented tokenization solutions at an industry Security Summit in 1995. Tokenization then became a popular way to meet the PCI DSS compliance regulations.

Check out these white papers discussing PCI DSS compliance issues and data breach threats.

Other industries are beginning to adopt tokenization to protect confidential information such as banking transactions, medical records, criminal records, vehicle driver information, loan applications, stock trading and voter registration.

Finding the most efficient way to implement tokenization is challenging, but the growing threat of cyber attack and the expense of data breach have motivated IT shops to research options in earnest.

A variety of third-party software solutions, such as Linoma Software's Crypto Complete, deliver tokenization tools as well as additional options for managing encryption keys, audit logs and message alerts; storing tokenized data; automatically assigning token identifiers; and providing a central management platform for the entire tokenization process.

When a greedy hacker expecting to score a cache of customer credit card data finds instead a series of tokens, companies win another battle in the war against cyber thieves.

Compliance and Regulations for Sensitive Data Transfers

Highly sensitive data is frequently exchanged between organizations. For instance, a business will routinely transmit financial information to its bank, including payroll direct deposits and ACH payments. These transactions most likely contain sensitive elements like bank account numbers, routing numbers, social security numbers and payment information.

Industry-specific transactions may also contain highly sensitive data. For example, in the health care business, patient records are regularly exchanged between hospitals, doctors and payment providers. In the insurance business, policy information is often transmitted between carriers. This information may contain names, addresses, birth dates, social security numbers and other private information.

Loss of sensitive data can result in great financial expense, lawsuits and public embarrassment for the affected organization. Therefore it is no surprise that industries are setting new regulations and standards to address the security of their data. For instance:

  • PCI DSS requires that credit card numbers are encrypted while "at rest" and "in motion". Failure to do so can result in severe fines and potential loss of your merchant account.
  • HIPAA requires that healthcare records are secured to protect the privacy of patients.
  • State privacy laws require that customers are notified if their personal information may have been lost or stolen. Some states will also assess large fines against organizations if this data is not protected properly.

Organizations should consider compliance requirements and regulations when looking for a Managed File Transfer solution. An effective solution should have a number of encryption methods available to protect sensitive data, including SSL, SSH, AES and Open PGP encryption. Audit trails should also be in place to track file transfer activity so you can easily determine which files are being sent, when they are sent, who the sender and receiver are, and so on. If you are looking for a comprehensive solution, be sure to check out our GoAnywhere Managed File Transfer Suite.

Related Blog: PCI DSS v2.0

PCI-DSS 2.0

According to a survey of 155 Qualified Security Assessors (QSAs) conducted by the Ponemon Institute, 60 percent of retailers lack the budgets to be fully compliant with the PCI DSS standards. As an example, the annual audit cost for a major retailer can be as high as $225,000.

According to the Ponemon Institute survey, restricting access to card data on a "need-to-know basis" (PCI DSS Requirement #7) is still the most important PCI DSS requirement, but also the most difficult to achieve.

QSAs reported that the three most common business reasons for storing cardholder data are:

  • Handling charge-backs
  • Providing customer service
  • Processing recurring subscriptions

In order to service these customers' requirements, the credit card data must still be available to the various software applications. These industry processes require merchants to implement methods of protecting cardholder data from theft.

Encryption: The Best Technology

QSAs find the most significant threats to cardholder data are in merchant networks and databases. They believe firewalls, encryption for data at rest, and encryption for data in motion are the top three most effective technologies for achieving compliance.

Sixty percent of QSAs believe encryption is the best means to protect card data end-to-end. Forty-one percent of QSAs say that controlling access to encryption keys is the most difficult management task their clients face.

Getting a Handle on PCI Issues

So what's the best way to both satisfy the requirements of PCI and still make secured data transparent to applications?

The strategy QSAs recommend is to lock down the cardholder data with technologies that:

  1. Restrict the access
  2. Encrypt the data
  3. Manage and control the encryption keys

These recommendations point to a need to make encryption and encryption-key access an integral part of the overall information system.

But too many organizations use ad hoc encryption/decryption utilities that slow processing and often leave decrypted data in the open. In addition, without an integrated encryption key management process, there is really no security at all. Unsecured encryption keys, just like data, can be lost, stolen and misused. Access to those keys should be managed as an integral part of the overall security of the operating system.

The point is that the QSAs' three recommendations go beyond the basic requirements of the PCI standard to actually secure the credit card data at the host, and to ensure that the data isn't misused while it is at rest or while it is being transferred.

Linoma Software's data encryption suite Crypto Complete successfully addresses these QSA PCI requirements by providing data encryption and key management services that can be integrated seamlessly with IBM i (iSeries) applications.

Building on PCI-DSS V2

Industry security analysts will still complain that PCI-DSS needs to be a real security standard aimed at protecting cardholder data, and that Version 2.0 doesn't provide that value. Consequently, we need to analyze what the QSAs are recommending and then build on PCI-DSS Version 2.0 to implement the best possible data security for our customers' credit card data.

Massachusetts Has Set the Bar for Securing Personal Data; Is Your Company Compliant?

Personal data privacy is one of the greatest concerns individuals have when doing business over the web and in person. It seems commonplace for a company to notify its customers that their personal and/or account information has been compromised by a hacker or a disgruntled employee (e.g. TJ Maxx, Wells Fargo, Bank of America). While you'd think businesses would do everything they can to protect their customers' personal information, they weigh the risk and likelihood of a data breach against the cost and time needed to implement such security measures. Knowing this, the payment card industry (PCI), government agencies and many states have put together lists of requirements that businesses must follow in order to do business with them or in their state. The problem is that they often don't enforce these regulations, and fines are only imposed after a data breach happens.

I just returned from Framingham, Massachusetts, where we exhibited at the Northeast User Group conference. Massachusetts has a very strict data privacy law. Not only do businesses in Massachusetts need to protect their customers' personal information, but so do businesses that hold in their databases the personally identifiable information of people from Massachusetts. One of the requirements says organizations must:

"Encrypt all transmitted records and files containing personal information that will travel across public networks."

Several of our customers mentioned that our products have helped them meet the Massachusetts data privacy requirements. They have implemented field encryption using Crypto Complete and are using our GoAnywhere Director to encrypt file transfers. They have minimized the risk of a data breach happening at their company by using both solutions. Unfortunately, I also had many other individuals stop by Linoma's booth who said their management does not want to allocate any resources (time or money) towards securing personal and confidential data. They know they should do it and are required to do so, but it's just not high on their priority list right now. I'm afraid this mindset may be more popular than we think, which is concerning.

Is the company you work for securing personal data? Is your company looking for a solution to secure data? Find out today how we can help your company avoid sending the inevitable letter telling customers that their confidential information has been breached. Not only can we help you avoid public humiliation, our products can help save you time and money by streamlining the secure data transfer process.

If you are interested in seeing how Linoma's solutions can encrypt your data at rest and when it's transferred, don't hesitate to contact us at 800-949-4696.

Brian Pick

Sales Manager