Payment Card Industry
Data Security Standard (PCI DSS)
Auditing and Compliance

Thales eSecurity can help simplify PCI DSS compliance efforts by protecting any business that transmits, processes and stores cardholder data

Global Map

Mandate

Active now

PCI DSS Requirements

Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Thales eSecurity can help organizations working with cardholder data comply with several Aspects of PCI DSS compliance and auditing, including:

  • Protect cardholder data at rest
  • Encrypt cardholder data in motion
  • Restrict access to cardholder data
  • Identify and authenticate access to systems storing cardholder data
  • Track and monitor all access to cardholder data
PCI DSS compliance requirements

Download our PCI Compliance & Data Protection for Dummies book.

Check out our Top 10 keys to PCI DSS success.

Check out our Top 10 actions to avoid common PCI DSS pitfalls.

Over 200 Tests against Six Core Principles

The PCI DSS standard (www.pcisecuritystandards.org) involves assessment against over 200 tests that fall into 12 general security areas representing six core principles. These PCI DSS tests span a wide variety of common security practices along with technologies such as encryption, key management, and other data protection techniques.

Risks Associated with PCI DSS Auditing and Compliance
  • Failure to comply with PCI DSS compliance requirements can result in fines, increased fees, or even the termination of your ability to process payment card transactions.
  • Complying with the PCI DSS cannot be considered in isolation; organizations are subject to multiple security mandates and data breach disclosure laws or regulations. On the other hand, PCI compliance projects can easily be side-tracked by broader enterprise security initiatives.
  • Guidance and recommendations linked to PCI DSS requirements include common practices that are likely to be already in place. However some aspects, specifically those associated with encryption, might be new to the organization and implementations can be disruptive, negatively impacting operational efficiency if not designed correctly.
  • It is all too easy to end up with a fragmented approach to security based on multiple proprietary vendor solutions and inadequate technologies that are expensive and complex to operate.
  • Opportunities exist to reduce the scope of PCI DSS compliance obligations and therefore reduce cost and impact; however, organizations can waste time and money if they do not exercise care to ensure that new systems and processes will in fact be accepted as PCI DSS compliant.
An Integrated Compliance Solution

Drawing on decades of experience helping banks and financial institutions comply with industry mandates, Thales eSecurity offers integrated products and services that enable you to protect stored cardholder data, encrypt it for transfer, and restrict access on a need to know basis. In addition, Thales works closely with partners to offer comprehensive solutions that can reduce the scope of your PCI DSS compliance burden.

Addressing the Core Principles of PCI DSS

Thales eSecurity offers comprehensive PCI DSS compliance software solutions that help organizations address the six core principles of PCI DSS:

  • Protect cardholder data at rest: Thales Vormetric Data Security Manager and Luna Hardware Security Module(HSM) enables organizations to centrally manage encryption keys and deliver a variety of encryption, tokenization and data masking solutions to protect cardholder data in files, folders, applications and databases in both traditional and cloud or virtualized environments.
  • Encrypt cardholder data in motion: Thales High Speed Encryptors (HSE) encrypt all data that traverses across open networks between point of sale devices and systems that process cardholder data.
  • Develop and maintain secure system and applications: Thales Luna HSMs enable organizations to securely store signing material in a trusted hardware device, thus ensuring the authenticity and integrity of any application code files
  • Implement strong access control measures: Thales products can be setup for unique, multifactor administrative access to systems that store cardholder data. In addition, SafeNet Trusted Access enables you to centrally manage unique user identities, risk-based authentication policies, and add/revoke access to systems in your Cardholder Data Environment (CDE).
  • Track and monitor all access to cardholder data: All products in the Thales data protection portfolio produce audit records that log any encryption key lifecycle operations (creation/deletion/rotation/revocation) and other administrative functions that can be used to reconstruct events.

eBooks : PCI Compliance & Data Protection for Dummies

If your business relies on card payments and faces the challenge of maintaining ongoing compliance with PCI DSS, this book is for you. It explains the requirements for protecting account data, controlling access to the data and the associated monitoring and logging activities that you need to adopt. Ultimately the book acts as a valuable and practical reference guide that you can come back to time and again to assist with your ongoing compliance and help you avoid the common pitfalls that can lead to serious data breaches or failed audits.

Download

Research and Whitepapers : Vormetric Data Security: Complying with PCI DSS 3.0 Encryption Rules

This white paper outlines how to use Vormetric Transparent Encryption to meet PCI DSS 3.0 Requirements with Data-at-Rest Encryption, Access Control and Data Access Audit Logs in traditional server, virtual, cloud and big data environments....

Download

Research and Whitepapers : Fortrex: Evaluation of the Vormetric Token Server

Fortrex Qualified Security Assessor (QSA) evaluated the Vormetric Token Server, and determined when properly implemented and configured within a secured cardholder environment, it can reduce the scope of the systems included in the scope of a PCI DSS assessment. They also qualified that the solution can be leveraged to tokenize other sensitive data within a corporate environment. Fortrex detailed their evaluation process in their white paper, Evaluation of the Vormetric Token Server.

Download

Other key data protection and security regulations

GDPR

GDPR Thumbnail

Regulation

Active Now

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organisation that processes the personal data of EU citizens - regardless of where the organisation is headquartered.

Learn More

PCI DSS

GDPR Thumbnail

Mandate

Active Now

Any organisation that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Learn More

Data Breach Notification Laws

eIDAS

Regulation

Active now

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbour” clause.

Learn More
Contact a Compliance Specialist Contact Us
Are you fit for GDPR Take our readiness assessment now
Read the Compliance and Regulations Solutions Handbook Read the eBook
Visionner notre démo interactive Explorer
Programmer une démo en direct Programmer
Entrer en contact avec un spécialiste Nous contacter