How to protect a credit card database

Richard Hollis
Hollis says deleting data is the best protection

Databases with credit card information are one of the most sensitive risk points of modern business. If cyber crooks can lift the data and steal from the customers it can wreak havoc with a company's reputation and possibly land it in the courts, but according to Richard Hollis too many are not doing enough to protect credit card details.

The CEO of The Risk Factory, a consultancy for information management services, describes the danger of database theft as "the biggest threat you can transmit on the web", and says that black market prices for the data show it is growing.

"The going price 10 years ago for name, address, card number and expiration date was about £10 per record - so 10,000 would bring £100,000 - but now it's down to 50 pence and that's just supply and demand," he says.

PCI standards

The Payment Card Industry Standards Council provides a framework of controls for protecting the data - 288 of them, extending into areas such as configuring firewalls, how to use antivirus software and security policies. While Level One merchants - those that handle more than one million transactions per year - need third-party verification to show they comply, others can carry out a self-assessment that is signed off by a director.

But Hollis says it can be expensive to comply with the standards, even for a small company; one that uses a web-facing architecture to process payments can easily pay in excess of £10,000. It can also be very time consuming, and if any of the process is outsourced the standards should be enforced at all stages.

He believes that full compliance is very rare, but sees the solution in simplifying the approach to managing credit card data, and advocates a five-step approach that he claims can save money while reducing the risk.

"Number one is discover and document," he says. "You have to conduct an inventory of your card data. You can't shrink what you haven't measured.

"Draw a network diagram depicting your card data like a heat map, writing down all your devices to show where the data resides. For example, the data is on this server, that laptop, that desktop, etc.

"The next step is destroy and descope. If you don't need it get rid of it, whether it's hard or soft copy.

"Take your time and use your map. For example, if you have card data in Outlook because it's been sent to you by email, the web server is 'in scope' and all the 288 controls apply to it. So you have to ask 'Why do we need it on Outlook, why is it on memory cards?' and then delete, delete, delete.

"Also, any third parties connected to your system are in scope. If you are connected and they don't need access to card data, take them out of scope.

"Third is outsource and oversight. If you can outsource that website and make it their responsibility you transfer the risk. You make sure you've got a contract that makes clear who is responsible.

"For instance, when somebody wants to buy your product, I can give them a payment gateway and they can go to a payment processor. You just contract for PCI compliance with the payment processor.

"Then if you can't do that, separate and segment. The 288 controls only apply to the architecture that facilitates the processing, storage and transmission of that data. Separate any device that is not involved in this, so it will move out of scope and you can save money."

Tokenisation

Hollis describes the final step as "tokenisation", taking the credit card numbers out of the process as much as possible. A web server can send credit card data to a token server, which disguises the credit card number and pushes a token, a different 16 digits, through the rest of the system for authentication.
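The following Python script is an added illustration, not code from the article or from The Risk Factory. It covers two of the steps above: step one (find and map where card numbers live, using the Luhn check to tell real card numbers from other long digit runs, then record them masked as an inventory) and the final step (a toy token server that swaps each card number for a random 16-digit token so the rest of the system never sees the number). The regular expression, the in-memory vault, the `checkout` flow and the sample locations are all assumptions or constructed data; a real token server would encrypt the stored numbers and sit in its own PCI-scoped network segment.

```python
import re
import secrets

# 13 to 19 digits, optionally separated by single spaces or dashes, not part
# of a longer digit run. Assumption: this is enough for a first inventory.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the card numbers (digits only) found in text; Luhn filters out ticket ids and phone numbers."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the first six and last four digits, as an inventory should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inventory(locations: dict[str, str]) -> dict[str, list[str]]:
    """Step one: map each location (mailbox, laptop file, server log) to the masked card numbers it holds."""
    result = {}
    for location, text in locations.items():
        hits = find_pans(text)
        if hits:                # only locations that actually hold card data go on the heat map
            result[location] = [mask(p) for p in hits]
    return result


class TokenVault:
    """Toy token server: swaps a card number for a random 16-digit token and keeps the mapping in memory."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        # The same card always gets the same token, so repeat customers can be
        # matched downstream without anyone there seeing the card number.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in range(16))
            # A token that fails Luhn can never be mistaken for (or scanned as) a real card number.
            if not luhn_ok(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault and the payment processor behind it ever run this."""
        return self._token_to_pan[token]


def checkout(vault: TokenVault, form: dict[str, str]) -> dict[str, str]:
    """Web server side of the final step: the card number stops here, the rest of the system gets the token."""
    pan = re.sub(r"[ -]", "", form["card_number"])
    token = vault.tokenize(pan)
    downstream = {k: v for k, v in form.items() if k != "card_number"}
    downstream["card_token"] = token
    downstream["card_masked"] = mask(pan)
    return downstream


# Constructed sample locations; the card numbers are standard test values, not real cards.
SAMPLE_LOCATIONS = {
    "mailbox/sales/inbox.txt": "Customer paid with card 4111 1111 1111 1111 exp 12/27.",
    "laptop/orders.csv": "order-77,5500-0000-0000-0004,GBP 42.00",
    "server/tickets.log": "ticket 1234567890123456 phone 07700 900123",
}

if __name__ == "__main__":
    print(inventory(SAMPLE_LOCATIONS))
    vault = TokenVault()
    print(checkout(vault, {"card_number": "4111 1111 1111 1111", "amount": "42.00"}))
```

Running the script prints the heat map (only the mailbox and the laptop hold card data; the ticket id and phone number are ignored) and then a checkout record that carries a token and a masked number but no card number. Because tokens are generated to fail the Luhn check, re-running `inventory` over the downstream records finds nothing, which is the point of the final step.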
