January 28, 2022

Payment Card Security Is Key During the Holiday Shopping Season

The holiday season is officially here, and for many that means more spending, whether it’s on gifts, food or special events. This increased volume of transactions also makes it the peak time of year for credit card fraud, according to FICO’s VP of fraud and financial crimes. To combat this, payment processors need to take even greater care during the holidays to guard their business and protect their customers’ personal information.

This means understanding and complying with PCI-DSS (Payment Card Industry Data Security Standard) to avoid costly breaches and violations. These security standards for electronic payment processing apply to all entities that store, process or transmit cardholder data. PCI-DSS requires a range of specific technical security standards over all systems involved in data storage and transmission. At Rocket, we want to help businesses head into the holiday season with the reassurance that their payment processing is secure and compliant, so they have one less thing on their busy plates. The Rocket® MultiValue® Application Platform (Rocket MV), which includes Rocket® UniData® and Rocket UniVerse, enables robust technical security controls to help businesses implement many PCI-DSS requirements in their database environments.

Protect Data at Rest and in Transit

PCI-DSS specifies several requirements for how businesses must protect data both in transit (when multiple systems or users need to communicate) and at rest (when data is being stored). Doing both helps ensure that unauthorized users can’t find weaknesses in payment processing procedures. If a business focuses solely on protecting the transfer of data but neglects to protect the past customer information it has stored, it could be vulnerable to breaches.

Businesses must ensure Primary Account Numbers (PAN) are unreadable anywhere they are stored (including on portable digital media, backup media and in logs) by using strong cryptography, truncation or index tokens and pads. Rocket MV’s OpenSSL-based Automatic Data Encryption protects data at rest with encryption keys that make database files unintelligible to unauthorized parties. Key management policies can be defined and enforced for individual encryption keys so that only the appropriate users are granted access.
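The truncation option matters most in places like logs, where a PAN can land by accident. The following is an added example, not Rocket MV code or anything from the original article: a log scrubber that truncates Luhn-valid card numbers. The function names, the first-six/last-four format and the sample log lines are assumptions; confirm the permitted truncation format against the PCI-DSS version and card brand in scope.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out order ids and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(digits: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Assumed format: keep the first six and last four digits, mask the rest."""
    masked = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * masked + digits[-keep_last:]

def scrub_line(line: str) -> tuple[str, int]:
    """Return the line with Luhn-valid PANs truncated, plus the number of hits."""
    hits = 0

    def repl(match: re.Match) -> str:
        nonlocal hits
        digits = re.sub(r"[ -]", "", match.group())
        if not luhn_valid(digits):
            return match.group()  # not a card number, leave untouched
        hits += 1
        return truncate_pan(digits)

    return PAN_CANDIDATE.sub(repl, line), hits

# Constructed sample log lines using publicly documented test card numbers.
SAMPLE_LOG = [
    "2021-12-09 13:39:02 AUTH ok card=4111111111111111 amt=42.00",
    "2021-12-09 13:40:17 REFUND card=5555 5555 5555 4444 ref=1234567890123456",
    "2021-12-09 13:41:55 AUTH ok card=3782-822463-10005 amt=10.00",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        cleaned, found = scrub_line(entry)
        print(found, cleaned)
```

A nonzero hit count is itself worth alerting on, since it means some component is writing full PANs to a log. A PAN run together with other digit groups is not detected, so treat the scrubber as a safety net behind not logging the PAN at all.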

During transmission over networks, PCI-DSS requires cardholder data (CHD) to be safeguarded with cryptography and security protocols, including accepting only trusted keys and certificates, using protocols that support only secure versions or configurations, and using encryption strength appropriate for the encryption methodology in use. These requirements are also met with Rocket MV’s OpenSSL-based secure data-in-transit solutions, which include secure BASIC CallHTTP and sockets as well as secure client-server and web connections, and which ensure parties are talking to their intended recipients without data being accessed during transmission. Rocket MV supports the Transport Layer Security (TLS) encryption protocol for data transfers so that any data intercepted in transit will be unintelligible to unauthorized parties.

Automatically Maintain Secure Audit Trails

Robust, secure audit trails are crucial to complying with PCI-DSS and keeping customers’ payment information safe. If a breach were to occur, audit trails allow businesses to understand the depth and breadth of what was accessed, and trace how the event occurred. Audit trails must be automated to ensure no information is overlooked or incorrectly documented. The following events all need to be documented:

  • Every individual access to cardholder data
  • All actions taken by any individual with root or administrative privileges
  • Access to all audit trails
  • Use of identification and authentication mechanisms — including creation of new accounts and elevation of privileges — and all changes, additions or deletions to accounts with root or administrative privileges
  • Initialization, termination or pausing of the audit logs
  • Creation and deletion of system-level objects

If MV Audit Logging is installed and set up, audit logs provide a secure record of any access to cardholder data, whether authorized or unauthorized, as well as relevant details for each of the types of events listed here. MV also stores audit logs securely so they can’t be altered to mask fraudulent activity. Audit logging configuration is stored in an encrypted file that can be password-protected and is only modifiable by authorized users. For added protection, the log files can be placed on a different machine than the one on which the Rocket MV server is running.

Don’t Let the Holidays Get Hacked

Regardless of how your business interacts with payment information, the holidays likely bring an increase in transactions and in turn, greater opportunities for data breaches and attempts at fraud from bad actors. The PCI Security Standards Council has implemented these regulations to protect businesses and their customers from the disruptions that can occur from having your information inappropriately accessed. PCI-DSS compliance can be accomplished through a combination of technical and procedural controls over your entire CHD environment. With Rocket’s MV solutions, and our expert team as a trusted partner, businesses can effectively implement security procedures from encryption methods to access rights management to vulnerability testing.


Kathy Larson

Hi, I'm the Product Marketing Manager for Rocket MultiValue. I returned to MultiValue in 2014. You see, I started my career right out of grad school with Unidata in downtown Denver. Back then I worked with our hardware partners including DEC, Data General, Sequent, HP and many others! Later I moved to MarComm and Product Marketing. I love being back in MV and in my free time enjoy spending time with my family skiing, hiking and enjoying Colorado.

1 Comment

  • Sergey

    December 9, 2021 at 1:39 pm

    Basically, it is now very easy to create an SSL certificate for any website. It may be a phishing website. So now, if a website has SSL encoding, there is no warranty for safely purchasing!
