November 2007

BUSINESS INSIGHT: HOLIDAY SHOPPING

The Greatest Gift of All: Protecting Cardholder Data Everywhere It Goes

By Gargi Mitra,
Product Marketing, McAfee Inc.

Promotions, discounts, free shipping, and festive catalogs are great for business and enticing to holiday shoppers. But one of the best gifts retailers can give customers is the assurance that their debit and credit card information is protected when they get online to purchase the perfect cashmere scarf for Aunt Helen or the snazzy monogrammed golf bag for Uncle Joe.

Passing the Payment Card Industry Data Security Standard (PCI DSS) compliance audit is the first step merchants can take toward ensuring the safe handling of sensitive card and payment information during the holiday season. But you shouldn’t be lulled into complacency if you simply pass the audit; being compliant doesn’t mean that infractions can’t and won’t occur. If anything, you want to strive not just to meet but to exceed PCI requirements.

There are three PCI requirement categories that deserve extra attention at this busy time of year—protecting stored data, protecting data in transit, and developing secure systems and applications.

PCI Category 3: Protect stored cardholder data
This category is under the highest level of scrutiny because it focuses on the core of the concern—safeguarding cardholder data. The whole point of this requirement is to minimize the need for storage of cardholder data and, if necessary, enforce encryption to prevent theft or misuse.

In the flow of a credit card transaction, there are a variety of ways that cardholder data is held in storage: on the magnetic stripe on the actual credit card, on point-of-sale (POS) systems, at payment gateways, and in cardholder databases. The diagram below shows the complex ecosystem of different storage platforms.

The Requirement
Render the primary account number (PAN), at a minimum, unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks) by using any of the following approaches:

  • Strong one-way hash functions (hashed indexes)
  • Truncation
  • Index tokens and pads (pads must be securely stored)
  • Strong cryptography with associated key management processes and procedures
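As an added illustration (not part of the original article, and not McAfee's code), the Python below applies two of the listed approaches, truncation and a keyed one-way hash, to a constructed test PAN, and uses a Luhn check to scrub PANs out of a constructed log line, since the requirement explicitly covers logs. The hash key and the sample values are assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample PAN: a standard test number that passes the Luhn check, not a real account.
SAMPLE_PAN = "4111111111111111"

# Hypothetical key. Under requirement 3 it would come from a key-management process;
# a plain unkeyed hash of a PAN is weak because only ~10^9 middle digits are unknown once
# the first six and last four are known, so a keyed hash (HMAC) is used here instead.
HASH_KEY = b"constructed-demo-key-rotate-me"

# Any run of 13 to 19 digits is a PAN candidate; the Luhn check filters out order numbers etc.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell a PAN apart from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first six and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str) -> str:
    """Keyed one-way hash (HMAC-SHA256) usable as a lookup index without storing the PAN."""
    return hmac.new(HASH_KEY, pan.encode(), hashlib.sha256).hexdigest()


def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid 13-19 digit run in a log line with its truncated form."""
    return PAN_RE.sub(
        lambda m: truncate_pan(m.group()) if luhn_valid(m.group()) else m.group(), line
    )


# Constructed log line: the order number is 13 digits but fails Luhn, so it is left alone.
SAMPLE_LOG = "2007-11-20 12:01:03 POS-07 auth ok card=4111111111111111 order=1234567890123"
```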

McAfee Solutions
The biggest challenge with most encryption technologies is the complexity of setup and ongoing maintenance. McAfee has several solutions available that will help you get beyond that. The McAfee E-Business Server product line is a “set-it-and-forget-it” solution that provides multi-platform support, third-party integration APIs, and stability. One of our large banking customers, for example, can support more than 200 business partners with encrypted data storage and exchange, all using this single solution.

And with the recent acquisition of SafeBoot, we have further bolstered our capabilities with scalable, enterprise-class data security solutions that have strong access control and powerful encryption to prevent unauthorized access to or use of PCs, laptops, and tablet PCs, as well as data on hard disk storage devices.

As for preventing infractions, McAfee recommends a layered approach to security that goes far beyond the minimum PCI requirements. Asset discovery and risk assessment is a key component of determining where PCI data is stored on the network. McAfee Foundstone Enterprise provides a PCI template that can look for PAN data and provide a risk report that highlights these systems. Encryption efforts can then be targeted on the systems identified by Foundstone. To enforce encryption, E-Business Server leverages the widely used OpenPGP standard for storage encryption, and, of course, SafeBoot technology can be added to the mix.

PCI Category 4: Encrypt transmission of cardholder data across open, public networks
Transactions involving PCI data almost always involve data transmission among systems owned and operated by different business entities. Cardholder data can move from numerous types of systems—from POS terminals to application servers to user desktops. The following diagram highlights how cardholder data is transmitted and the various points at which it needs to be protected or encrypted.

The Requirement

  • Use strong cryptography and security protocols, such as secure sockets layer (SSL) / transport layer security (TLS) and Internet protocol security (IPSec), to safeguard sensitive cardholder data during transmission over open, public networks.
  • For wireless networks transmitting cardholder data, encrypt the transmissions by using Wi-Fi protected access (WPA or WPA2) technology, IPSec VPN, or SSL/TLS. Never rely exclusively on wired equivalent privacy (WEP) to protect the confidentiality of, and access to, a wireless LAN.
  • Never send unencrypted PANs by email.

McAfee Solutions
For high-risk users (e.g., cashiers who process transactions on POS terminals or customer service representatives who access customer data from desktops or laptops), the McAfee E-Business Server client component meets the requirement of encrypting data during transmission. If users forget to encrypt sensitive data before transmitting it, the McAfee Data Loss Prevention Host solution can assess the PAN data and enforce encryption by either blocking the transmission or routing it to a third-party encryption server.

For more detailed information about the systems that are transmitting sensitive data, you can leverage the centralized management console, McAfee ePolicy Orchestrator®. It keeps a database of system security details, which are critical for presenting a thorough compliance report at audit time.

PCI Category 6: Develop and maintain secure systems and applications
All systems in the path of cardholder data need to be assessed regularly for their patch status, so that updates can be applied. But sometimes a retailer may deliberately allow unpatched point-of-sale systems to be operational during the holiday season from November through January, which is when the majority of all annual sales take place.

The Requirement

  • Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release.
  • Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update standards to address new vulnerability issues.

McAfee Solutions
Both McAfee Foundstone Enterprise and McAfee Policy Auditor assess patches: the former at a network level and the latter at a system level. Once vulnerabilities and patch status are determined, McAfee Remediation Manager can be leveraged to apply patches to managed systems, including Windows, Linux, Solaris, and other UNIX platforms.

Foundstone and Policy Auditor solutions would still find the vulnerable POS systems, but since retailers cannot risk POS system downtime, they would not want to remediate these systems, potentially for several months. That’s where McAfee IntruShield® IPS comes in. By monitoring and preventing malicious intrusions at the network level—from the gateway to the core—retailers can operate securely during peak holiday traffic and continue to honor the spirit of PCI DSS, which is to protect cardholder data.

Conclusion
While passing a PCI audit is vitally important to all online merchants, it’s equally important to make sure that cardholder data is secure regardless of whether it’s at rest or traveling through the various steps of a typical transaction—especially during the highly profitable holiday shopping frenzy. Online retail sales in the United States this holiday season are expected to reach $33 billion, and you certainly don’t want to miss out on a piece of the action because of a data breach or PCI infraction.

The best thing you can do for your business and your customers this year is make sure their credit and debit card information is fully protected. And the best way to accomplish that is not only to meet PCI requirements, but also to prevent possible infractions and follow data protection best practices that are sustainable and robust.
