For organizations that handle payment card data, adhering to the Payment Card Industry Data Security Standard (PCI DSS) is essential to reduce the risk of credit card fraud and data breaches. PCI DSS v3.2 sets stringent guidelines for protecting stored cardholder data and ensuring that only authorized personnel can access it. Nexsan’s Assureon provides an ideal solution, offering robust encryption, secure data retention policies, and protection against unauthorized access and deletion, helping businesses stay compliant with PCI DSS.
What is PCI DSS v3.2?
PCI DSS v3.2 is a globally recognized set of security standards designed to protect cardholder data. It applies to any company that stores, processes, or transmits credit card information. Note that v3.2 and its successor v3.2.1 have since been retired in favour of PCI DSS v4.0; the storage controls discussed below (rendering stored PAN unreadable, limiting retention, restricting access, and logging access) carry over to v4.0 largely unchanged, but an organization being assessed today should map them to the current requirement numbers. The key components of PCI DSS include:
- Protecting stored cardholder data
- Encrypting data transmission over public networks
- Implementing strong access control measures
- Regularly monitoring and testing networks
For storage administrators and IT architects, ensuring compliance with PCI DSS v3.2 can be challenging. The solution must be able to store data securely, manage encryption keys, and enforce consistent data retention policies. This is where Assureon steps in as a secure and efficient storage solution. You can learn more about Nexsan’s approach to secure data storage.
How Assureon Supports PCI DSS v3.2 Compliance
1. Encryption of Stored Cardholder Data
PCI DSS v3.2 Requirement 3.4 requires that the primary account number (PAN) be rendered unreadable anywhere it is stored, and Requirement 4.1 requires strong cryptography whenever cardholder data crosses open, public networks. Assureon addresses the first of these by encrypting every stored file with AES-256. Each file has its own AES-256 key, so the compromise of one key exposes only that one file rather than the whole archive.
The per-file keys are themselves encrypted (wrapped) with RSA-2048, so a plaintext data key is never stored next to the data it protects. This layered (envelope) model supports Requirement 3.4, but it does not by itself satisfy the rest of Requirement 3: key-management controls (Requirements 3.5 and 3.6, covering restricted access to the RSA private key, key custodians, and key rotation) remain the organization's responsibility, and sensitive authentication data (full track data, CVV2, PIN blocks) must not be stored after authorization at all, even encrypted (Requirement 3.2). You can find more details on how Assureon’s encryption capabilities work on their product page.
2. Automated Data Retention and Deletion Policies
PCI DSS v3.2 Requirement 3.1 requires organizations to keep cardholder data only as long as there is a business, legal, or regulatory need, and to have a process for identifying and securely deleting data that exceeds its retention period. Assureon allows businesses to set automated retention policies so that data is kept only for the defined period. Once the retention period expires, Assureon deletes the data and destroys the associated per-file encryption keys (crypto-shredding), which leaves any remaining ciphertext unrecoverable. This only holds if no other copy of the key material survives, so backups and replicas of the key store need to be covered by the same destruction process.
Additionally, Assureon provides administrators with the ability to securely delete data on demand, which is needed to remove unnecessary cardholder data promptly, for example after a scoping review finds PAN stored where it is not required. Because these retention and deletion policies run automatically, they reduce the manual effort of the quarterly clean-up process that Requirement 3.1 expects.
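The per-file key, RSA-wrapped key, and key-destruction-on-expiry scheme described in sections 1 and 2 above, written out as an added example. This is illustrative code, not Assureon's implementation or Nexsan's API: the StoredFile record, the choice of AES-256-GCM as the file cipher, and RSA-OAEP with SHA-256 as the key-wrapping mode are assumptions made here so the scheme can be run end to end with the Go standard library. The sample record is constructed; 4111111111111111 is a standard test PAN, not a real card.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// ErrShredded is returned when a file's wrapped key has been destroyed.
var ErrShredded = errors.New("file key destroyed: ciphertext is unrecoverable")

// StoredFile is a hypothetical on-disk record for one archived object,
// illustrating the scheme the page describes (not Assureon's format).
type StoredFile struct {
	Ciphertext []byte // AES-256-GCM output with the 12-byte nonce prepended
	WrappedKey []byte // per-file AES key under RSA-2048 OAEP; nil once shredded
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt generates a fresh 256-bit key for this one file, seals the plaintext
// with AES-256-GCM, and wraps the key under the archive's RSA public key.
// Only the wrapped key is persisted; the raw key is zeroed before returning.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*StoredFile, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	defer zero(fileKey)
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, so one blob holds all of it.
	ct := gcm.Seal(nonce, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &StoredFile{Ciphertext: ct, WrappedKey: wrapped}, nil
}

// Decrypt unwraps the per-file key with the RSA private key and opens the
// ciphertext. It fails closed once the key has been shredded.
func Decrypt(priv *rsa.PrivateKey, f *StoredFile) ([]byte, error) {
	if f.WrappedKey == nil {
		return nil, ErrShredded
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, f.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	defer zero(fileKey)
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(f.Ciphertext) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, f.Ciphertext[:ns], f.Ciphertext[ns:], nil)
}

// Shred is the crypto-shredding step run when a retention period expires:
// overwriting and dropping the wrapped key is what makes the data unrecoverable,
// even if the ciphertext itself lingers on disk or in backups.
func (f *StoredFile) Shred() {
	zero(f.WrappedKey)
	f.WrappedKey = nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	record := []byte("pan=4111111111111111;exp=12/29") // constructed sample, test PAN
	f, err := Encrypt(&priv.PublicKey, record)
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(priv, f)
	fmt.Printf("before shred: %q err=%v\n", pt, err)
	f.Shred()
	pt, err = Decrypt(priv, f)
	fmt.Printf("after shred:  %q err=%v\n", pt, err)
}
```

The point to take from running it is that Shred never touches the ciphertext: deletion is achieved by destroying a 256-byte wrapped key, which is why copies of the key store (and the RSA private key that unwraps it) are the assets the retention and key-management controls must actually cover.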
3. Role-Based Access and Audit Trails
PCI DSS Requirement 7 restricts access to cardholder data to those with a business need to know, and Requirement 8 requires that each user be individually identified and authenticated. Assureon supports role-based access control (RBAC) by integrating with Active Directory or custom credential systems, so only authorized, individually identified users can read the encrypted data. The organization still owns the access policy itself: roles must be defined so that storage or backup administrators do not inherit read access to cardholder data they have no need to see.
Moreover, Assureon generates detailed audit logs for every file access or modification. These logs record who accessed specific data, what changes were made, and when the actions occurred, which is what Requirement 10 asks for when it calls for tracking all access to cardholder data. Requirement 10 also expects the logs to be protected from tampering and retained for at least one year, with the most recent three months immediately available for analysis, so Assureon's logs should be forwarded to the organization's central log management system rather than left only on the appliance. You can explore more about how Assureon supports audit and compliance.
4. Secure Data Transmission
PCI DSS Requirement 4.1 mandates strong cryptography for cardholder data transmitted over open, public networks, and v3.2 (Appendix A2) set 30 June 2018 as the date after which SSL and early TLS could no longer be relied on as a security control. Assureon uses TLS 1.2 for communication between clients and servers, which meets that floor. In deployment, confirm that the Assureon endpoints reject TLS 1.0 and 1.1 and weak cipher suites, and that clients validate the server certificate, since a downgrade or an unverified certificate would undo the protection the protocol version provides.
5. Protection Against Unauthorized Deletion
Assureon’s policy engine ensures that no data can be deleted or altered until the retention period has been satisfied. Even system administrators are unable to delete or alter data before the retention policy allows it, ensuring that cardholder data is preserved securely until it is no longer needed.
For added security, Assureon allows administrators to review files flagged for deletion before final approval. This helps organizations maintain control over their data while meeting PCI DSS requirements.
Benefits of Using Assureon for PCI DSS Compliance
- Encryption at Rest: Protects stored cardholder data with per-file AES-256 keys wrapped under RSA-2048.
- Automated Retention and Deletion: Ensures compliance with PCI DSS’s data retention policies.
- Comprehensive Audit Trails: Provides visibility into who accessed cardholder data and when.
- Secure Data Transmission: Uses TLS 1.2 to protect cardholder data during transmission.
- Strict Access Control: Enforces role-based access to limit who can view or modify data.
Conclusion
For organizations handling payment card data, compliance with PCI DSS v3.2 is essential. Nexsan’s Assureon supports several of the standard's storage-related requirements by providing encryption at rest, enforced retention and secure deletion, TLS-protected transfer, role-based access, and detailed audit logs. PCI DSS compliance is assessed across the whole cardholder data environment, so integrating Assureon into your storage infrastructure covers the stored-data controls; network segmentation, key management, vulnerability management, and the remaining requirements still have to be met by the surrounding environment and documented for the assessor.
For more details about how Assureon can support your PCI DSS compliance efforts, visit the Assureon product page.