Retail PCI Compliance Software Solution: Frequently Asked Questions About PCI CISP Regulatory Compliance Red Iron
Regulatory Compliance

Will 2Encrypt provide total PCI compliance?

No. 2Encrypt software covers all PCI sections dealing with the protection of cardholder data and the use of key management. It does not address the parts of the PCI Data Security Standard that deal with procedural and policy approaches to security, nor does it cover the software security areas of card number masking and logging. We recommend a security audit to identify procedural and other points of exposure. Get an overview of the PCI Compliance Data Security Standards.

Does 2Encrypt help with the masking requirements of PCI?

PCI requirement 2.1 specifies that account numbers must be masked when displayed. Common examples in retail include display of the information on a screen or when printed on a receipt. Masking sensitive data is the responsibility of the underlying POS application.

That said, 2Encrypt will handle the encryption requirements of the PCI specification. It can be effective, for example, in the case of log files. If card numbers are written to log files, those log files can be targeted for encryption, eliminating the need to mask the card information in them. That means the only true masking requirement not covered by 2Encrypt would be for printed and displayed card information, which is handled by the targeted applications.
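As an added illustration of the masking that the answer above leaves to the POS application, the following Python example (not 2Encrypt or Red Iron code) masks a primary account number for on-screen display and for receipts, and scrubs card numbers out of a log line before it is written. It assumes a first-six/last-four display policy and a last-four receipt policy (both assumptions about the application's configuration, not taken from this page), and uses a Luhn check as a heuristic so that other long numeric fields in a log line are left alone. The sample log line is constructed for the example.

```python
import re

# Assumed display policy: keep the first six and last four digits visible,
# replace everything in between with MASK_CHAR.  Receipts keep only the
# last four.  Both values are assumptions for this example.
KEEP_LEADING = 6
KEEP_TRAILING = 4
MASK_CHAR = "*"

# A run of 13 to 19 digits, optionally separated by spaces or hyphens,
# not adjacent to other digits.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log line: one card number, one order number that is not
# Luhn-valid and must be left untouched.
SAMPLE_LOG_LINE = (
    "2024-01-01 12:00:00 auth ok pan=4111 1111 1111 1111 "
    "order=123456789012345 amount=12.50"
)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; used only to reduce false positives when scrubbing text."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_leading: int = KEEP_LEADING,
             keep_trailing: int = KEEP_TRAILING) -> str:
    """Return a display-safe form of the PAN.

    Non-digit separators are stripped first, so '4111 1111 ...' and
    '4111-1111-...' mask identically.  Refuses inputs that are not a
    plausible PAN length or whose policy would reveal the whole number.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    if keep_leading + keep_trailing >= len(digits):
        raise ValueError("mask policy would reveal the whole PAN")
    hidden = len(digits) - keep_leading - keep_trailing
    return digits[:keep_leading] + MASK_CHAR * hidden + digits[-keep_trailing:]


def receipt_mask(pan: str) -> str:
    """Receipt form: only the last four digits remain visible."""
    return mask_pan(pan, keep_leading=0, keep_trailing=4)


def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid, PAN-shaped digit run in a log line with its
    masked display form; other numeric fields are returned unchanged."""
    def _replace(match: "re.Match") -> str:
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        if not luhn_valid(digits):
            return raw                 # looks like a PAN but fails Luhn: keep
        return mask_pan(digits)
    return _PAN_RE.sub(_replace, line)


if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))
    print(receipt_mask("4111111111111111"))
    print(scrub_log_line(SAMPLE_LOG_LINE))
```

Scrubbing at the point of logging is complementary to encrypting the log file afterwards: the masked line is safe wherever the log is copied or viewed, while encryption protects the file at rest.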

Does 2Encrypt help with PCI password requirements?

No. The 2Encrypt application handles the encryption requirements of the PCI specification.

Can I be PCI compliant if I only store data unencrypted for a short time?

No, there is no period of time that it is acceptable to store data unencrypted.

Can I send data to my corporate office unencrypted?

If you are using a private network (frame relay, VPN tunnel or direct dial), then the data may be sent unencrypted. You need to ensure that the data is not staged (stored) for this transmission in an unencrypted form, but the actual transmission can be done in clear text if the network itself is secure.

Can 2Encrypt also help me with Sarbanes-Oxley (SOX) compliance?

With 2Encrypt, sensitive data is encrypted anywhere it is stored. This assures company directors that the data used to derive the company's financial details has not been modified by any manual processes. The files and database objects cannot be manually edited by anyone in the company.

Can 2Encrypt also help me with government regulations on privacy?

Yes. There is nothing special about cardholder data in 2Encrypt. 2Encrypt will encrypt and decrypt whatever resources have been targeted. So if you want to encrypt customer data, simply add the resources that house the customer data to the 2Encrypt configuration.

Does Red Iron provide security audits?

No. We believe security auditors should be concerned only with identifying risk exposure and providing reliable verification that each of those exposures has been dealt with effectively. It is our opinion, then, that auditors should be neutral and not associated with a particular product or service. Click here for links to independent security audit providers.

Next Steps

PCI Compliance Case Study

White Paper: Becoming PCI Compliant

Request a Contact about PCI Compliance

CISP News and Updates