The Payment Card Industry (PCI)
Data Security Standard (DSS) provides
specifications for data security and facilitates
the broad adoption of consistent data security
measures globally. For the data entry industry,
this means encrypted fields. Unibase by DMAC,
Release 8.5, now in beta testing, meets these
standards for encrypted fields in the data entry
environment.
The Payment Card Industry (PCI)
Data Security Standard was released in October,
2008. DMAC and one of its major and valued clients
immediately set to work on what this means for the
data entry industry.
Let Us Look at the PAN as an
Example
For example, item 3.3 on page 22 of the
October, 2008 standard requires that the
Primary Account Number (PAN) be masked when it is
displayed. The standard allows at most the first
six and last four digits to be displayed. This
particular requirement does
not apply to employees and other parties with a
legitimate business need to see the full
PAN.
Inside the data entry, verify,
update, correct, and resume modes of Unibase the
PAN is displayed in full just like a regular field
is displayed in Unibase. The data entry people
using these modes have a legitimate business need
to see the full PAN. On the disk and in the examine
mode the field data appears
encrypted.
In Unibase by DMAC, Release 8.5,
any field can be set as an encrypted field with the
Encrypt checkbox. To output the field from the
Unibase environment in a field edit, file edit, or
output program, an output mask (either PR or PI) can
be used. (The output mask is just like the
truncate spaces output mask, TS.)
An encrypted field has a minimum
length of 12 characters and a maximum length of 99
characters. The field length of an encrypted field
is two characters longer than the data
to be keyed. This is for the RSA
encryption process, which is set to 128-bit
encryption. Unibase by DMAC, Release 8.5, allows for
a general field encryption algorithm so DMAC
clients can use it for other data to be encrypted --
not just the PAN.
PR stands for PAN Redacted.
Redacted is a fancy word meaning
obfuscated. The PAN mask ratio of the first
three eighths and final one quarter applies
to the encrypted output mask PR and is adjusted for
the length of the Unibase field. The PI output mask
only outputs the last one quarter
unencrypted. Every other character of the field is
output from the Unibase environment as an asterisk (*) in the
beta version.
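
The PR and PI ratios described above, as an added Python sketch that is not Unibase code: for a 16-character value, three eighths and one quarter work out to exactly the first six and last four of item 3.3. Rounding fractions down, applying the ratios to the length of the value, and the `pci_cap` clamp to six and four are assumptions of this sketch, and the sample values are constructed.

```python
from fractions import Fraction

# Ratios stated in the article for the PR and PI output masks.
LEAD_RATIO = Fraction(3, 8)   # PR: leading share left readable
TAIL_RATIO = Fraction(1, 4)   # PR and PI: trailing share left readable
# PCI DSS item 3.3 display ceiling quoted in the article.
PCI_MAX_LEAD, PCI_MAX_TAIL = 6, 4
MASK_CHAR = "*"


def visible_counts(length, mask, pci_cap=True):
    """Return (lead, tail): how many characters stay readable.

    Assumptions of this sketch: fractions round down, and pci_cap
    clamps the counts to the first-six/last-four ceiling.
    """
    if mask not in ("PR", "PI"):
        raise ValueError("mask must be 'PR' or 'PI'")
    lead = int(length * LEAD_RATIO) if mask == "PR" else 0
    tail = int(length * TAIL_RATIO)
    if pci_cap:
        lead, tail = min(lead, PCI_MAX_LEAD), min(tail, PCI_MAX_TAIL)
    return lead, tail


def apply_mask(value, mask, pci_cap=True):
    """Mask an already decrypted field value for output."""
    lead, tail = visible_counts(len(value), mask, pci_cap)
    hidden = len(value) - lead - tail
    # Slice from an explicit index so tail == 0 yields an empty suffix.
    return value[:lead] + MASK_CHAR * hidden + value[len(value) - tail:]


if __name__ == "__main__":
    # Constructed sample values, not real account numbers.
    for sample in ("4111111111111111", "1234567890123456789", "0123456789"):
        print(sample, apply_mask(sample, "PR"), apply_mask(sample, "PI"))
    # Without the clamp, a 19-character value would show 7 leading
    # characters, one more than item 3.3 allows for a displayed PAN.
    print(visible_counts(19, "PR", pci_cap=False))
```
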
The PAN Unredacted (PU) output mask is
used to output the entire decrypted field. If this
were not available, there would be no way to
transfer the data entry data to other environments.
But the Unibase by DMAC client will have to ensure
that this transfer process meets all PCI
requirements.
Render PAN Unreadable Anywhere It
Is Stored
On page 23 of the October, 2008
standard, item 3.4 states: Render PAN, at minimum,
unreadable anywhere it is stored (including on
portable digital media, backup media, in logs) by
using any of the following
approaches:
- One-way hashes based on strong
cryptography.
- Truncation.
- Index tokens and pads (pads must be
securely stored).
- Strong cryptography with associated
key-management processes and
procedures.
Unibase uses strong cryptography
with associated key-management processes and
procedures. When field data is stored from computer
RAM, it is encrypted. A user may
seed an RSA encryption environment where the seed
can be changed by client, batch, or whenever the
DMAC client wishes in a "when start" portion of the
field, file, or output edit.
The seed is a string of up to 256
characters provided by the DMAC client. There
is also a default seed. The DMAC client can provide
additional key management processes and procedures
as the client wishes. DMAC changed its
open text file verb to allow access anywhere on a
network so that DMAC's clients could store these
seeds on secure servers. See the article elsewhere in this
newsletter.
With the addition of encrypted
fields to Unibase by DMAC, Release 8.5, DMAC's
clients can meet the security challenges of the
future.