The consequences of failing to meet the requirements for protecting cardholder data are significant. Not only are there fees for non-compliance with PCI (Payment Card Industry) standards, but the fallout from a data breach can also be costly, both in dollars and in tarnished reputation.
Unfortunately, achieving and maintaining PCI compliance can be a tremendous burden on merchants. So, what’s the best way to handle sensitive data? Never handle it at all.
Leverage the Expertise of a Technology Provider
In order to understand PCI regulations and develop or modify a software application to ensure compliance, you have to invest a great deal of time, money, and resources. Leveraging the skills of a company that specializes in this area is a more efficient and effective approach.
At Base, we have over a decade of experience in credit/debit card and ACH payment acceptance solutions, and we’re experts in data security. That expertise is on full display in our CypherPay™ E2EE (end-to-end encryption) solution. The framework, accessible through prebuilt SDKs (software development kits), prevents cardholder data from entering your environment by encrypting it at the point of entry and producing a unique key for each transaction. This results in significant PCI compliance scope reduction, enhanced protection of consumer data, and decreased exposure to risk for merchants.
CypherPay™: A Certified Solution
Given what’s at stake when it comes to data security and sensitive cardholder information, the last thing you want to do is trust a solution to address your PCI compliance challenges, or implement an E2EE product, simply because the company that produced it claims it’s effective. You want proof that the solution works.
That’s why we engaged Sysnet Global Solutions, a global cyber security company that provides assessment and consulting services in more than 60 countries, to put CypherPay™ to the test. The results not only reassure our existing customers that their data is well protected; they should also instill confidence in any organization considering the solution.
Merchants who implement CypherPay™ save time, effort, and money each year as it addresses the 12 requirements of the Payment Card Industry Data Security Standard (PCI-DSS):
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Protect all systems against malware and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need to know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
“Our evaluation covered many areas including validation of the encryption mechanisms from encryption endpoints to the Base CDE decryption environment, cryptographic key management principles alignment with NIST 800-57 and PCI SSC P2PE version 2.0 rev1.1, and implementation of PKI for payload encryption and decryption,” says Jeff Montgomery, SVP – Cyber Risk at Sysnet. “We also reviewed implementation of secure communication channels using TLS 1.2, conducted a forensic investigation of end point systems via FTK and Autopsy to determine the existence of any latent cardholder data or sensitive authentication data post authorization to transactions, and performed transactions for each of the envisaged payment channels, including POS, as per POI list, and e-Commerce-based transactions. CypherPay™ exceeded the required standards in all areas.”
You can learn more about Sysnet’s assessment of CypherPay™ in the whitepaper they produced detailing the findings of their extensive certification process. If you have questions about the report or our suite of payment processing solutions, we’re happy to answer them.