November 2007

We are pleased to announce that the EFT/400 Encryption module is now available to all our EFT customers.

The module addresses the following PCI requirements:

Requirement 3: Protect stored cardholder data

Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimising risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full Primary Account Number (PAN) is not needed and not sending PAN in unencrypted e-mails.

Requirement 7: Restrict access to cardholder data by business need-to-know

This requirement ensures critical data can only be accessed by authorised personnel.

7.1 Limit access to computing resources and cardholder information only to those individuals whose job requires such access.

7.2 Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know and is set to “deny all” unless specifically allowed.

Features:

Credit card numbers are masked and only last 4 digits of card are generally available unless the user is authorised to see the whole number. Data is Encrypted using AES 256 bit encryption Access to full data restricted to ‘need to see’ users by security access cards Encryption key management included Full Audit trail of card data enquiries.

Quick and easy Implementation:

Software will be issued on CD with 2 security access cards despatched separately User libraries will be issued with appropriate changes A one-time routine is provided to encrypt current data and remove observable data on EFT files.

What do I need to do next? You can speak to us to find out how we can help you.