PCI DSS Compliance


Payment Card Security Challenges


Every Experian industry forecast in the last five years has predicted that the number of data breaches will continue to rise. Ponemon Institute studies of data breaches reveal that the average cost to a US organization exceeds $200 for each compromised customer record.

With an average of 29,000 records compromised per incident, the cost of a data breach in the US can reach well over $5 million. In 2023 alone, the global average was $4.45M per breach, according to the same Ponemon study that IBM commissions annually.

In addition to the significant financial harm that results from a data breach, there is an acute loss of trust between an organization and its customers. Both the breach and the fallout are usually well publicized and long remembered.

And although the most expensive data breaches are in the healthcare sector, protecting payment card information is still a major issue because credit card numbers and account holder PII are routinely subject to hacks, theft, fraud and other misuse.

According to this SecurityMetrics analysis of Payment Card Industry (PCI) data breaches, even though the 12 documented PCI Data Security Standard (DSS) 2.0 requirements were largely in place, breaches continued, with 50% attributed to external and 33% to internal sources. The trend is worsening as the definitions in the 3.x and 4.x versions of the standard widen to include more forms of PII.

PCI DSS Compliance Solutions


To help mitigate or even nullify the effects of data breaches, and help BFSI companies and other organizations managing credit card data comply with PCI DSS requirements, the data discovery and masking functions in IRI Data Protector Suite products -- or the IRI Voracity platform -- find and protect primary account number (PAN), and other credit card number values (plus other data at risk) in multiple data sources.

These IRI data masking tools support PCI DSS rules for data-centric security through credit card data encryption, SHA-2 cryptographic hashing, and/or tokenization functions.

In structured data sources such as relational database columns and flat-file fields, for example, IRI FieldShield users apply their choice of data classification, search methods, and data-centric security functions to PANs and other sensitive data in an intuitive, efficient, and flexible manner under Eclipse. Specifying an encryption cipher with a pass-phrase, for instance, takes a single dialog:

IRI Workbench - FieldShield User Interface

Here, format-preserving encryption is used for PCI DSS compliance, and to ensure that no changes are required to the table or database structure. Keeping the original look and feel of the values can also sometimes deceive hackers into thinking they have actual PANs.

Sample Transaction Record Table (PCI Compliant)

These easy yet powerful static data masking functions can also help you limit the financial and operational impact of a data breach. For example, Steam, a gaming distribution platform, suffered a data breach. As significant as the breach was, the overall impact to Steam was limited because the credit card values were encrypted.

FieldShield and the other IRI data masking tools (DarkShield for multiple forms of semi- and unstructured data, and CellShield for Excel spreadsheets) -- which share data classification, scanning, and data masking rules -- provide simplicity, affordability, and peace-of-mind by finding and securing credit card data and other PII at rest.

These proven data masking tools help organizations like this one meet PCI DSS requirements for protecting stored cardholder data, while mitigating the risk of data loss and providing safe, intelligent test data targets. In other words, data masking solutions for PANs have become recognized payment card security best practices.

IRI DarkShield-redacted Credit Card image

It is also possible to encrypt/decrypt or redact PANs or PII in a dynamic data masking context, through an application that queries a database, for example. You can learn more about PCI DSS solutions in these top data masking tools through a live demo or free trial.

Frequently Asked Questions (FAQs)

1. What is PCI DSS and why is it important?
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements for organizations that handle credit card information. It helps ensure that payment data like PANs (Primary Account Numbers) and other sensitive cardholder details are securely stored and processed to prevent breaches and fraud.
2. How does data masking help with PCI DSS compliance?
Data masking protects stored credit card information by making it unreadable to unauthorized users. Techniques like format-preserving encryption, tokenization, and hashing can reduce the impact of data breaches and support PCI DSS controls around protecting cardholder data at rest.
3. What types of data are covered under PCI DSS?
PCI DSS applies to cardholder data, including PAN, cardholder name, expiration date, and security code. Any system or file that stores or processes this information must comply with the standard.
4. How can IRI FieldShield help secure credit card data?
IRI FieldShield allows users to classify and locate PANs in structured sources like databases and flat files, then apply encryption, hashing, or tokenization. It supports format-preserving encryption to retain original data length and structure, simplifying compliance and avoiding schema changes.
5. What encryption standards are supported for PCI DSS in IRI tools?
IRI supports strong encryption methods such as AES, FIPS-compliant ciphers, and format-preserving encryption. These techniques align with PCI DSS encryption requirements and allow data masking while maintaining usability.
6. How does tokenization differ from encryption in PCI DSS?
Tokenization replaces sensitive data with a unique, non-sensitive token that has no mathematical relationship to the original value. Encryption, by contrast, uses a reversible cryptographic process. Both methods are acceptable under PCI DSS, and IRI tools offer both options.
7. Can masked or encrypted data still be used in applications?
Yes. When using format-preserving encryption or tokenization, the data structure remains the same, allowing applications and databases to function without modification. This ensures security without disrupting operations.
8. How do IRI tools support dynamic data masking for PCI data?
While IRI primarily offers static data masking solutions, some users integrate IRI tools with applications to dynamically mask or unmask PANs during runtime based on user roles. This allows fine-grained access control in environments that support it.
9. What are the benefits of using format-preserving encryption for card data?
Format-preserving encryption lets you encrypt cardholder data without changing the original format or length. This avoids schema changes in databases and keeps masked values compatible with downstream systems or applications.
10. Can IRI tools secure PANs in unstructured data?
Yes. IRI DarkShield can find and protect credit card numbers in documents like PDFs, Word files, emails, images, and other semi- or unstructured formats. This is useful for organizations managing PII outside of traditional databases.
11. How can IRI tools help limit the damage from a data breach?
If encrypted or masked PANs are stolen, they are unreadable without decryption keys, making them useless to attackers. This containment approach helped platforms like Steam avoid major fallout after a breach because card data had already been encrypted.
12. What are some real-world examples of PCI-related breaches?
Many retailers, banks, and gaming platforms have experienced payment card breaches. In cases where cardholder data was encrypted, the impact was significantly reduced—reinforcing the need for compliant masking and encryption.
13. How do IRI’s PCI DSS solutions differ from other tools?
IRI tools combine data discovery, classification, and masking in a single interface with affordable licensing. They support structured and unstructured data formats, offer multiple protection methods, and operate securely within your infrastructure—without uploading data to the cloud.
14. Can IRI tools help generate test data for PCI DSS environments?
Yes. IRI solutions can create masked or synthetic data that preserves referential integrity. This allows developers and QA teams to test systems using safe data that complies with PCI DSS, without exposing real cardholder information.
15. What’s the easiest way to get started with IRI’s PCI DSS masking tools?
You can explore a free trial or request a live demo to see how FieldShield, DarkShield, and CellShield protect cardholder data in your environment. IRI also offers implementation support through trained partners and solution engineers.
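As an added illustration (not code from the original page or from IRI), the following Python sketch contrasts the protection methods the FAQ describes on a constructed test PAN: a vault token that keeps the PAN's length, first six and last four digits and a valid Luhn check digit, so a 16-character numeric column needs no schema change, beside a keyed SHA-2 hash. The `TokenVault` class, the HMAC key and the sample PAN are assumptions for the demo.

```python
import hashlib
import hmac
import secrets


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a digit string that does not yet carry one."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # digits nearest the check digit are doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True when the string is 13-19 digits whose last digit is a valid Luhn check."""
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_check_digit(pan[:-1]) == pan[-1]


class TokenVault:
    """Constructed in-memory vault for the demo. Tokens are random, so they have no
    mathematical relationship to the PAN and can only be reversed via this mapping."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:  # same PAN always yields the same token
            return self._pan_to_token[pan]
        bin6, last4 = pan[:6], pan[-4:]
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 10))
            token = bin6 + middle + last4
            # keep only tokens that still look like a PAN and do not collide
            if luhn_valid(token) and token != pan and token not in self._token_to_pan:
                self._pan_to_token[pan] = token
                self._token_to_pan[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 of a PAN. The key matters: the PAN space behind a known BIN is small
    enough that an unkeyed SHA-2 digest can be brute-forced back to the PAN."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
```

A real vault and the HMAC key must live in a segregated, access-controlled system; the token table itself is what brings the lookup service into PCI DSS scope.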