Protect Cardholder Data

The following are recommendations and information for the Protect Cardholder Data requirements.

Requirement 3: Protect stored cardholder data

Recommendations and Information for Requirements 3.1 and 3.2

  • iWay Service Manager (iSM) is a transactional system and does not retain or store any data unless it is configured to do so for backup, load-balancing, or application purposes. Data is kept only in memory for the duration of the transaction. If users choose to persist data as part of the application logic, they are advised to use the available security features, such as the encryption, signing, and encoding functions, to protect it.
  • The authentication token is discarded once it has been consumed by the user authentication/authorization routine. The system automatically renders the token unusable, and it is not accessible to other processes.
  • Users are advised to integrate with external authentication and authorization systems such as AD/LDAP, where applicable, and thereby inherit the protection those systems provide for sensitive security data.

Recommendations and Information for Requirement 3.4

  • Application developers are advised to use the provided data masking and encryption services to protect sensitive data before storing it in any repository or persistent store. The application is responsible for securing data before it is materialized.

Recommendations and Information for Requirements 3.5.3 and 3.5.4

  • For external communication over HTTP-based protocols, such as HTTP and AS2, the user is advised to use HSM-enabled facilities to provide an additional level of secure access.
  • Any security-related files carrying sensitive key material, such as keystores, truststores, certstores, revocation lists, and others, should be kept in a secure location with access granted only to approved personnel.
  • The application developer is advised to review and use the encryption facilities provided by the product to encrypt any sensitive data while it is in transit between systems for further processing, load-balancing, or other purposes.

Recommendations and Information for Requirement 3.6

  • iWay applications do not store any cryptographic key information. They access cryptographic material, as determined by the application's design and implementation, only when needed and configured to do so.
  • The system administrator is advised to keep the fewest possible copies of security keys, passphrases, and other relevant security information. The application should access this information from a centralized location, which simplifies maintenance and key replacement or expiration when applicable.

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Recommendations and Information for Requirement 4

  • Any distribution of content over public networks should use secure protocols, such as SFTP, HTTPS, AS2, and other relevant protocols, depending on the requirement.
  • iWay applications developed for data distribution over public networks should use the encryption functions available to the application to secure the data.
  • iWay applications developed for data distribution through email or other end-user messaging technologies should apply data protection strategies based on company policies. iWay provides an array of encryption and other security functions for data protection, as described in this manual.