Data Security
At premiercallcentre.co.uk, the UK's leader in Call Centres, we can help you with Data Security; we cover all aspects of the Data Security industry to help your company succeed. Our office is centralised in the UK and acts as an advisor to companies, supporting and advising on any Data Security solution.
Data security is the means of ensuring that data is kept safe from corruption and that access to it is suitably controlled. Data security therefore helps to ensure privacy and to protect personal data.
Disk Encryption
Disk encryption refers to encryption technology that encrypts data on a hard disk drive. Disk encryption typically takes the form of either software or hardware. Disk encryption is often referred to as on-the-fly encryption ("OTFE") or transparent encryption.
Hardware-based Mechanisms for Protecting Data
Software-based security solutions encrypt the data to prevent it from being stolen. However, a malicious program or a hacker may corrupt the data in order to make it unrecoverable or unusable. Similarly, encrypted operating systems can be corrupted by a malicious program or a hacker, making the system unusable. Hardware-based security solutions can prevent read and write access to data and hence offer very strong protection against tampering and unauthorized access.
Hardware-based or hardware-assisted computer security offers an alternative to software-only computer security. Security tokens such as those using PKCS#11 may be more secure because physical access is required in order to compromise them. Access is enabled only when the token is connected and the correct PIN is entered. However, dongles can be used by anyone who gains physical access to them. Newer hardware-based security technologies solve this problem, offering foolproof security for data.
How hardware-based security works: A hardware device allows a user to log in, log out and set different privilege levels by performing manual actions. The device uses biometric technology to prevent malicious users from logging in, logging out, or changing privilege levels. The current state of the device's user is read by controllers in peripheral devices such as hard disks. Illegal access by a malicious user or a malicious program is interrupted by the hard disk and DVD controllers based on the user's current state, making illegal access to data impossible. Hardware-based access control is more secure than the protection provided by operating systems, as operating systems are vulnerable to malicious attacks by viruses and hackers, and the data on hard disks can be corrupted once malicious access is obtained. With hardware-based protection, software cannot manipulate the user privilege levels; it is impossible for a hacker or a malicious program to gain access to data protected by hardware or to perform unauthorized privileged operations. The hardware protects the operating system image and file system privileges from being tampered with. Therefore, a completely secure system can be created by combining hardware-based security with secure system administration policies.
Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or pass cardholder information from any card branded with the logo of one of the card brands.
The standard is maintained by the Payment Card Industry Security Standards Council, which maintains both the PCI DSS and a number of other standards, such as the Payment Card Industry PIN Entry Device security requirements (PCI PED) and the Payment Application Data Security Standard (PA-DSS).
Validation of compliance can be performed either internally or externally, depending on the volume of card transactions the organization is handling, but regardless of the size of the organization, compliance must be assessed annually. Organizations handling large volumes of transactions must have their compliance assessed by an independent assessor known as a Qualified Security Assessor (QSA), while companies handling smaller volumes have the option of self-certification via a Self-Assessment Questionnaire (SAQ). In some regions these SAQs still require signoff by a QSA for submission.
Enforcement of compliance is done by the bodies holding relationships with the in-scope organizations. Thus, for organizations processing Visa or MasterCard transactions, compliance is enforced by the organization's acquirer, while organizations handling American Express transactions will deal directly with American Express for the purposes of compliance. In the case of third party suppliers such as hosting companies who have business relationships with in-scope organizations, enforcement of compliance falls to the in-scope company, as neither the acquirers nor the card brands will have appropriate contractual relationships in place to mandate compliance. Non-compliant companies who maintain a relationship with one or more of the card brands either directly or through an acquirer risk losing their ability to process credit card payments and being audited and/or fined.
Controversies and criticisms
It is suggested by some IT security professionals that the PCI DSS does little more than provide a minimal baseline for security.
Others believe that PCI DSS is a step toward making all businesses pay more attention to IT security, even if minimum standards are not enough to completely eradicate security problems.
Companies have had security breaches while being registered as PCI DSS compliant. In 2008 one of the largest payment service providers, Heartland Payment Processing Systems, suffered a data breach which some have estimated as exceeding one hundred million card numbers. Other notable cases include the Hannaford Brothers and the Okemo Mountain Resort, each of which was PCI compliant. It has been noted that this may be an indication of the limits of a snapshot certification: the evaluation cannot ensure that the target company will maintain the good practices seen in an audit. This explanation does not, however, seem to explain the compromise of merchants such as Hannaford Bros Co, which received its PCI DSS compliance certification one day after it had been made aware of a two-month-long compromise of its internal systems.
The definition of "compliant" has also been open to interpretation, especially regarding how temporary such a declaration might be. Declaring a company compliant appears to have some temporal persistence, yet the PCI Standards Council General Manager Bob Russo indicates that liabilities could change depending on the state of a given organization at the point in time when an actual breach occurs.
As in other industries, a secure state could be more costly to some organizations than accepting and managing the risk of confidentiality breaches. However, many studies have shown that this cost is justifiable.
Other PCI standards
The PCI Security Standards also include:
- PIN Entry Device (PED) Security Requirements
PCI PED applies to manufacturers who specify and implement device characteristics and management for personal identification number (PIN) entry terminals used for payment card financial transactions. Merchants should use only PIN entry devices that are tested and approved by the PCI SSC. Authorized devices are listed in the List of PCI Approved PIN Entry Devices.
- Payment Application Data Security Standard (PA-DSS)
The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement, when these applications are sold, distributed or licensed to third parties. Most card brands encourage merchants and third-party agents to use payment applications that are validated independently by a PA-QSA company and accepted for listing by the PCI SSC.
PA-DSS
The Payment Application Data Security Standard (PA-DSS), formerly referred to as the Payment Application Best Practices (PABP), is the global security standard created by the Payment Card Industry Security Standards Council (PCI SSC). PA-DSS was implemented in an effort to provide the definitive data standard for software vendors that develop payment applications. The standard aims to prevent payment applications developed for third parties from storing prohibited data, including magnetic stripe, CVV2 or PIN data. In the process, the standard also requires that software vendors develop payment applications that are compliant with the Payment Card Industry Data Security Standard (PCI DSS).
The future of PA-DSS
The future of these standards is somewhat vague, with Congressional attention giving rise to the possibility of governmental intervention. Regardless, meeting the standards can prove expensive and time consuming for software vendors, with the current expense of PA-DSS certification outpacing other methods of compliance. Given the cost of compliance and certification, existing or as yet undetermined alternatives could emerge in the PCI standards compliance market.
Visit premiercallcentre.co.uk and get a free quote for data security and start making smarter business decisions today.
Are you looking for an 'Award Winning' Call Centre?
Premier Call Centre can take your calls efficiently and professionally, helping your business or organisation run as smoothly and cost-effectively as possible. Call us today on 0871 875 7000 for a FREE no-obligation quote.
UK Contact Centre
Our service standards are second to none, and we can also save you significant time as well as money. It can work out far cheaper to employ our Call Centre to support your calls than to employ your own team of staff. Call Premiercallcentre.co.uk today!