| PCI Requirement |
Detail |
Voltage Solutions |
| Requirement 3 |
Protect Stored Data |
|
3.3 |
Mask account numbers when displayed (the first six and last four digits are the maximum number of digits to be displayed).
Note that this does not apply to those employees and other parties with a specific need to see full credit card numbers.
|
With the Voltage Data Protection System, information can be easily masked through encryption to all except those who have a specific need to know credit card numbers. Voltage Security's unique ability to provide on-demand encryption to groups delivers the most efficient means of controlling access to sensitive information in storage, transit and access. |
3.4 |
Render sensitive cardholder data unreadable anywhere it is stored (including data on portable media, backup media, in logs and data received from or stored by wireless networks) by using any of the following approaches:
>> One-way hashes (hashed indexes), such as SHA-1
>> Truncation
>> Index tokens and PADs, with the PADs being securely stored
>> Strong cryptography, such as Triple-DES 128-bit or AES 256-bit with associated key management processes and procedures.
The MINIMUM account information that needs to be rendered unreadable is the payment card account number.
|
The Voltage Data Protection System includes multiple cryptography options, including Triple-DES, AES, IBE, Format-Preserving Encryption, and SHA, backed by robust, yet easy to administer key management. |
| 3.5 |
Protect encryption keys against both disclosure and misuse. |
Voltage Security protects encryption keys through encrypted transit and storage, as well as the ability to institute a "no storage" policy for private keys, as they can easily and securely be re-generated based on a need to use.
With Voltage Key Management, access to keys can be restricted to a single custodian. Unlike other key management structures where multiple custodians are required for manual key generation and extensive management of certificate revocation lists, the Voltage System uses existing authentication mechanisms and performs on-demand key generation. The result is completely automated, auditable and policy-based key management. |
| 3.5.1 |
Restrict access to keys to the fewest number of custodians necessary. |
| 3.5.2 |
Store keys securely in the fewest possible locations and forms. |
Voltage Key Management enables a "stateless" policy for keys. Keys are automatically generated instead of being maintained on the centralized server. In addition, keys can also be cached locally based on policy. |
| 3.6 |
Fully document and implement all key management processes and procedures, including: |
| 3.6.1 |
Generation of strong keys |
Voltage Key Generation techniques are fully documented and tested.
Voltage distributes keys over secure sockets layer (SSL) only after a user or application has authenticated using the corporate defined process for strong authentication. |
| 3.6.2 |
Secure key distribution |
| 3.6.3 |
Secure key storage |
Voltage does not store private keys on the central key server. Private keys can be cached and encrypted locally, or re-generated during each use, leveraging existing strong authentication methods.
Voltage key management provides automatic key changes without the overhead of certificate revocation lists (CRLs). This automation delivers the lowest management and user overhead of any key management system. |
| 3.6.4 |
Periodic key changes |
| 3.6.5 |
Destruction of old keys |
The Voltage Key Management Server enables centralized destruction of old keys. |
| 3.6.6 |
Split knowledge and dual control of keys(so that it requires two or three people, each knowing only their part of the key to reconstruct the key) |
The Voltage Key Management Server delivers the ability to split control over root key operations. |
| 3.6.7 |
Prevention of unauthorized substitution of keys |
Every action in the Voltage system, including key substitution, is automatically logged to provide separation of duties. |
| 3.6.8 |
Replacement of known or suspected compromised keys |
Replacement of compromised keys can easily be performed on demand, without the difficulty of CRLs. |
| 3.6.9 |
Revocation of old or invalid keys (mainly for RSA keys) |
Voltage solutions do not require key revocation as keys are automatically regenerated (e.g. weekly) based on the organizational policy. |
