PCI and Exception-Based Reporting
While all retailers are now familiar with the Payment Card Industry (PCI) Data
Security Standard (DSS), some are still working out how best to protect
cardholder data within their exception-based reporting (EBR) application.
Ultimately, the answer on how this data will be protected may depend on
company-wide decisions or chosen protection methods. However, how your company
chooses to protect the data may affect your ability to also effectively utilize
reporting to detect exceptions.
The most common methods of cardholder data protection currently in use are:
Masking, Encrypting, and Hashing. Each of these techniques has its benefits and
limitations as they relate to their ability to provide adequate reporting within
an EBR application.
Masking
Masking is the method most consumers are familiar with since many retailers,
restaurants, etc., began "masking" credit card numbers on receipts, even before
PCI-DSS was a requirement. Masking involves "hiding" certain digits within the
credit/debit card number. Businesses that mask credit/debit card numbers can
show at most the first 6 digits and the last 4 digits of the number, with all
digits in between "masked" (usually shown as "X" on a receipt).
While this method is the easiest to implement, and can provide valuable
information for the merchant, it has also been found to be the least "safe"
method for protecting cardholder data. Since most credit/debit card numbers
used in the United States consist of 14-16 digits, a hacker need only identify
the 4-6 hidden digits in order to obtain a complete, valid credit/debit card
number. Research suggests this can be accomplished in a matter of a few hours.
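The following Python helper is an added example (not code from the original article or any particular EBR product) that applies the first-six/last-four display rule described above and quantifies its weakness: for a 14-16 digit card number only 4-6 digits are ever concealed, and two different cards that share a prefix and suffix mask to the same string, which is exactly why masked data is a poor key for exception reporting. The accepted length range of 13-19 digits, the function names and the sample card numbers are assumptions for illustration; the 4111 1111 1111 1111 value is a widely published test number.

```python
import re

# PCI DSS permits at most the first six and last four digits of a PAN to be
# displayed; everything in between must be masked.
KEEP_FIRST = 6
KEEP_LAST = 4

# Assumed acceptable PAN length range for this example (13-19 digits).
MIN_PAN_LEN = 13
MAX_PAN_LEN = 19


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes and reject anything that is not a plausible PAN."""
    digits = re.sub(r"[\s-]", "", pan)
    if not digits.isdigit() or not MIN_PAN_LEN <= len(digits) <= MAX_PAN_LEN:
        raise ValueError("PAN must be %d-%d digits" % (MIN_PAN_LEN, MAX_PAN_LEN))
    return digits


def mask_pan(pan: str, keep_first: int = KEEP_FIRST,
             keep_last: int = KEEP_LAST, fill: str = "X") -> str:
    """Return the PAN with its middle digits replaced by `fill`.

    keep_first and keep_last are capped at the first-six/last-four limit so a
    caller cannot accidentally reveal more than the standard allows.
    """
    digits = normalize_pan(pan)
    keep_first = max(0, min(keep_first, KEEP_FIRST))
    keep_last = max(0, min(keep_last, KEEP_LAST))
    hidden = len(digits) - keep_first - keep_last
    if hidden <= 0:
        raise ValueError("no digits left to mask")
    return digits[:keep_first] + fill * hidden + digits[len(digits) - keep_last:]


def hidden_digit_count(pan: str) -> int:
    """Number of digits a full first-six/last-four mask actually conceals.

    For the 14-16 digit PANs common in the US this is only 4-6 digits, which is
    the weakness the article describes.
    """
    return len(normalize_pan(pan)) - KEEP_FIRST - KEEP_LAST


def try_mask(pan: str) -> "str | None":
    """Mask a PAN, returning None instead of raising for malformed input."""
    try:
        return mask_pan(pan)
    except ValueError:
        return None


def mask_collides(pan_a: str, pan_b: str) -> bool:
    """True when two distinct PANs produce the same masked value.

    Such collisions mean a masked PAN cannot reliably link transactions to one
    card in an EBR report.
    """
    return normalize_pan(pan_a) != normalize_pan(pan_b) and \
        mask_pan(pan_a) == mask_pan(pan_b)


if __name__ == "__main__":
    # Constructed sample values: a published test number and a variant that
    # differs only in the masked middle digits.
    sample = "4111 1111 1111 1111"
    variant = "4111 1122 2222 1111"
    print(mask_pan(sample))                 # 411111XXXXXX1111
    print(hidden_digit_count(sample))       # 6
    print(mask_collides(sample, variant))   # True
```

Because `mask_pan` caps the visible digits, a report template that asks for `keep_first=8` still gets the first-six/last-four form; an EBR application that needs to group transactions by card should therefore key on a separate tokenized or hashed value rather than on the masked string.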