How Hitachi Solutions Ecommerce Ensures Payment Card Data Security
In an increasingly volatile online security landscape, it has become important that merchants ensure maximum security of cardholder data if they intend to expand their online businesses. Theft and misuse of cardholder data can have serious ramifications on the entire payment card ecosystem as customers begin to lose trust not only in individual merchants, but the online transaction system as a whole. Even as merchants and businesses lose credibility, data misuse can lead to serious financial liabilities for both the merchants and customers as well. With ecommerce businesses mushrooming rapidly, this is not a situation merchants or customers wish for.
The Payment Card Industry (PCI) Council therefore provides elaborate guidelines for merchants to secure their payment card applications. The PCI PA-DSS recently released its v3.2 guidelines that further improve upon their already stabilized security requirements, and attempt to make security an everyday priority. Broadly speaking, PCI guidelines lay out how cardholder data should be stored, used and displayed in a merchant’s payment application; authentication methods that should be used when accessing such data; secure coding practices; and data encryption. With each new version, the PCI Council attempts to strengthen these guidelines to help merchants stay abreast of technological advancements and ahead of data thieves.
At Hitachi Solutions Ecommerce, we consider cardholder data security our ethical responsibility, and the PCI guidelines an opportunity to build an even more robust payment application. As such, we follow secure coding practices, assess our application security regularly, and ensure that our security controls applied during PCI assessment do not fall out of compliance in between assessments.
Some important ways in which Hitachi Solutions Ecommerce complies with PCI PA-DSS security requirements:
- All passwords in the database are encrypted using application level AES 256 bit encryption format.
- All operational access passwords are encrypted using AES 256 bit encryption with SHA3 as algorithm for hashing passwords.
- All card data is secured during transmission via AES 256 bit TLS encryption on IIS web site.
- All pages that transmit sensitive data such as customer login details, credit card information, or sales order information, etc. are always transmitted over HTTPS protocol.
- Payment transaction logs are maintained as per guidelines, and these logs are stripped of any card data or security credentials before storage.
- Data encryption keys are generated based on a complex passphrase. Split knowledge and dual control of these encryption keys is achieved by mandating two key custodians who generate and schedule the data re-encryption process on a regular basis.
- Multi-factor authentication is used when providing access to card data and other payment application systems. (According to PCI guidelines multi-factor authentication requires authentication using two or more of the methods – something you know, such as a password or passphrase; something you have, such as a token or smart card; or something you are, such as a biometric.)
- Password policies as per PCI guidelines are defaulted (though configurable) and communicated with merchants.
- Only three Hitachi Solutions Ecommerce features store credit card data. This data is stored in encrypted format, accessible only to authorized persons using multi-factor authentication, and is duly deleted upon completion of business requirement.
Credit card number is displayed only partially
Credit card number is stored in encrypted format
- PCI impact is factored into every code developed, and secure coding methods and testing processes are followed.
- Merchants using Hitachi Solutions Ecommerce are informed and trained about PCI requirements on an ongoing basis.
Hitachi Solutions Ecommerce is currently certified for PA-DSS v2.0 and assessment for validation for v3.2 is underway.