In the digital age, dangers lurk just beyond every data horizon. For credit cards, the means by which a great many people engage as consumers both online and offline, the threat of fraud is unsettling, since it can take a heavy toll on one’s way of life. In 2015 alone, global credit card and debit card fraud resulted in losses amounting to $21.84 billion, an increase from the previous year. To make matters worse, the United States sees one third of the world’s card fraud.
Aside from the precautions that consumers can take, reliable encryption is necessary for protecting credit card data. According to ANSI X9.119-1-2016 – Retail Financial Services – Requirements for Protection of Sensitive Payment Card Data – Part 1: Using Encryption Methods, “protection” refers to maintaining the secrecy of data from unauthorized disclosure. This standard defines a set of security guidelines for employing encryption methods to protect sensitive payment card data.
The sensitive payment card data elements addressed within ANSI X9.119-1-2016 include:
- Cardholder Name
- Primary Account Number
- Expiration Date
- Service Code
- Discretionary Data
- Full Track Data or Equivalent Track Data
- Manually Entered Security Validation Code (e.g. CVV2, CVC2, and CID2)
The second-to-last element listed above, “Full Track Data”, typically refers to the data stored on the magnetic stripe of a payment card. Similarly, “Equivalent Track Data” refers to the same fields stored on Integrated Circuit (IC) cards. Note, however, that sensitive payment card data can also be manually keyed into a payment system.
The ANSI X9.119-1-2016 standard looks closely at these elements and sets forth a series of stipulations on how they are to be protected. Specifically, it offers guidance for the protection of sensitive payment card data outside of an SCD (Secure Cryptographic Device, which, as defined in ANSI X9.97-1-2009 (R2017) – Financial services – Secure Cryptographic Devices (Retail) – Part 1: Concepts, Requirements and Evaluation Methods, “provides physically and logically protected cryptographic services and storage”) and prior to the point of decryption.
For each of these element-specific data protection guidelines, the standard uses the terms SHALL, SHALL NOT, and SHOULD to establish whether a given element may be stored, and how it must be protected, in a given situation; following these terms is what compliance with the standard requires.
Furthermore, ANSI X9.119-1-2016 provides guidelines on data encryption algorithms and on the prevention of dictionary attacks.
ANSI X9.119-1-2016 does not address methods of cardholder authentication, such as PIN codes, or security requirements for protecting sensitive payment card data at the point of entry, prior to its entering an SCD.
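As an added illustration (not the standard’s own method, which the page does not reproduce), the block below shows why a deterministic, unkeyed transform of a Primary Account Number invites a dictionary attack: once the issuer prefix is known and one digit is fixed by the Luhn check, a 16-digit PAN holds under 30 bits of uncertainty, and an unkeyed hash can be recomputed for every candidate. A keyed, per-record randomized construction removes both the enumeration and the equal-input-equal-output leak. The PAN and key are constructed sample values.

```python
import hashlib
import hmac
import math
import secrets

# Constructed sample values; not taken from the page or the standard.
TEST_PAN = "4111111111111111"   # widely used Luhn-valid test number, sample input only
SAMPLE_KEY = b"\x01" * 32       # placeholder key; a real key lives inside an SCD/HSM

def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def pan_entropy_bits(pan_len: int, known_prefix_len: int) -> float:
    """Bits of uncertainty left in a PAN once the issuer prefix (IIN/BIN) is known.
    The trailing check digit is fixed by Luhn, so only the remaining digits are free."""
    free_digits = pan_len - known_prefix_len - 1
    return math.log2(10 ** free_digits)

def protect_unkeyed(pan: str) -> str:
    """Deterministic, unkeyed transform (a plain hash). Anyone can recompute it for
    every candidate PAN, so the small PAN space makes it a dictionary target."""
    return hashlib.sha256(pan.encode()).hexdigest()

def protect_keyed_randomized(pan: str, key: bytes) -> bytes:
    """Keyed and randomized: a fresh 16-byte salt is mixed in and the key stays secret.
    Equal PANs no longer yield equal outputs, and no table can be built without the key."""
    salt = secrets.token_bytes(16)
    tag = hmac.new(key, salt + pan.encode(), hashlib.sha256).digest()
    return salt + tag

def keyed_matches(protected: bytes, pan: str, key: bytes) -> bool:
    """Check a candidate PAN against a stored protected value (requires the key)."""
    salt, tag = protected[:16], protected[16:]
    expected = hmac.new(key, salt + pan.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)
```

The keyed construction here is a comparison token, not reversible encryption; where the PAN must be recovered later, the same properties (secret key, fresh randomness per record) are obtained from an authenticated cipher with a random nonce.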