Abstract: Amid the still-growing problem of data breaches, and with the new v3 requirements of the Payment Card Industry Data Security Standard (PCI DSS) in effect, it has never been more important to protect sensitive data properly. This article examines the role of IRI FieldShield software in PCI DSS compliance and data breach mitigation through field-level application of AES-256 encryption and other protection functions.
According to an Experian industry forecast, the number of data breaches will continue to rise in 2014. The average cost to a US organization is $201 for each compromised customer record (IBM 2014 Cost of Data Breach Study). With an average of 29,000 records compromised per incident, the cost of a data breach can reach well over $5 million. In addition to the significant financial obligations which result from a security breach, there is an acute loss of trust between an organization and its customers. Fallout from the Target breach comes to mind.
It is for this reason that a comprehensive data security strategy must be in place. IRI understands this necessity and provides products that will harden an organization’s security posture. IRI FieldShield technology does this by rendering sensitive information unreadable through its strong encryption, SHA-2 cryptographic hashing, and tokenization support.
Pictured above (Figure 1) is an example of a transaction record table. It contains plain-text credit card primary account numbers (PANs). According to the PCI Security Standards Council, PANs should be rendered unreadable. FieldShield supports this goal in multiple ways, including data masking and redaction, as well as encryption.
FieldShield GUI users apply their choice of protection functions to PAN and other columns in an intuitive, efficient, and flexible manner under Eclipse. Specification of an encryption cipher with a passphrase would occur in a dialog that looks like this:
In this example, a format-preserving encryption technique is used so that no changes are required to the table or database structure (the ciphertext has the same length and character set as the original PAN), while PCI DSS compliance is still achieved. Read more about this type of encryption here. The result is a table of encrypted credit card PANs (Figure 3).
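To make the format-preserving idea concrete, here is an added example that is not FieldShield's code or its algorithm: a toy FPE over decimal strings that follows the unbalanced Feistel layout of NIST FF1 but uses HMAC-SHA256 as the round function in place of AES, so it runs on the Python standard library alone. The passphrase, salt, tweak and test PAN are constructed values.

```python
import hashlib
import hmac

# Toy format-preserving encryption (FPE) over decimal strings: unbalanced Feistel
# layout of NIST FF1 with HMAC-SHA256 as the round PRF. Illustration only.
ROUNDS = 10

def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Derive a 256-bit key from a passphrase with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

DEMO_KEY = derive_key("correct horse battery staple", b"constructed-salt")  # constructed

def _round_fn(key: bytes, tweak: bytes, i: int, part: str) -> int:
    """Feistel round PRF: HMAC over tweak || round index || the other half."""
    mac = hmac.new(key, tweak + bytes([i]) + part.encode(), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big")

def _check(digits: str) -> None:
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be a decimal string of at least 2 digits")

def fpe_encrypt(key: bytes, pan: str, tweak: bytes = b"") -> str:
    """Encrypt a digit string; output keeps its length and digit-only charset."""
    _check(pan)
    n = len(pan); u = n // 2; v = n - u
    a, b = pan[:u], pan[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v          # width of the half being replaced
        c = (int(a) + _round_fn(key, tweak, i, b)) % 10 ** m
        a, b = b, str(c).zfill(m)
    return a + b

def fpe_decrypt(key: bytes, ct: str, tweak: bytes = b"") -> str:
    """Invert fpe_encrypt by running the rounds in reverse."""
    _check(ct)
    n = len(ct); u = n // 2; v = n - u
    a, b = ct[:u], ct[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_fn(key, tweak, i, a)) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b

if __name__ == "__main__":
    pan = "4111111111111111"                  # constructed test PAN
    ct = fpe_encrypt(DEMO_KEY, pan)
    print(pan, "->", ct, "->", fpe_decrypt(DEMO_KEY, ct))
```

Because the ciphertext is the same width and uses only digits, the existing column definition holds it unchanged; the ciphertext is not guaranteed to pass a Luhn check, which is fine for stored data that is never treated as a live card number.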
This simple yet powerful process matters because it lets an organization limit the financial and operational impact of a data breach. For example, in 2011 Steam, a gaming distribution platform, suffered a data breach. As significant as the breach was, the overall impact to Steam was limited because the stored credit card data was encrypted. See this article on breach nullification for a related perspective.
FieldShield provides ease-of-use and peace of mind in securing sensitive data. It helps organizations meet the PCI DSS v3 requirements for protecting stored cardholder data while mitigating the risk of data loss.