Let's look at the second of 14 requirements listed in version 3.1 of the Payment Card Industry's Payment Application Data Security Standard. This point necessitates multiple steps for safeguarding information once it's inside a user system, and involves the use of encryption keys as well as key storage and security. The several subpoints listed from the source pertain to obsolete keys as well, which need to be taken out of commission for total security.
Of high concern is the Primary Account Number, which needs to be "rendered unreadable" wherever it's stored to reduce the chance that it will be obtained and misused. Simply hashing and truncating these numbers may not be enough, the requirements state, since attackers could potentially use them to recreate the desired data.
The encryption algorithms used have to be up to industry standards, and keys can disseminated using dual control, which passes responsibility among at least two people to limit the hazards of entrusting important information to one person.
"The payment application should define methods for users of the application to ensure only authorized key substitutions can be made," the guidance document states. "The application configuration should include not allowing for or accepting substitution of keys coming from unauthorized sources or unexpected processes."
It's important to understand the role that the PADSS plays as companies develop secure payment applications. In a 2013 piece for Security Intelligence, Diana Kelley of IBM Security says that these standards can help companies evaluate apps if they use it as a guide. She also notes that vendors have to comply with this set of standards to be valid.
For more on PADSS audits and related payment processor best practices, be sure to visit this blog. You can also read our previous post on the first requirement, about retaining data, here.