Enabling cardholder data encryption

Create encrypted attributes to hold sensitive cardholder data.

In the next step, you must activate PA-DSS compliant encryption of cardholder data to be stored in IBM® Safer Payments. To comply with PA-DSS requirement 1, do not process sensitive authentication data.

If you intend to store the Primary Account Number (PAN) in IBM Safer Payments, you must enable encryption for this data attribute in IBM Safer Payments as defined in PA-DSS requirement 2.3.

Attribute names can be chosen freely in IBM Safer Payments. However, in this documentation, the attribute for the Primary Account Number is named PAN.

  1. Log on with a user account that has at least the following privileges:
    Figure 1. Role settings required for cardholder data encryption
    Note: Refer to the online documentation for details about user access administration.

    For more information about logging on, see Starting the first cluster instance.

  2. Click the Model tab.
    Figure 2. Model - Technical Head Mandator
  3. Click the checkbox for the Champion entry.
  4. Click the Copy icon.
  5. Click the newly created Challenger entry.
  6. Select Data model > Inputs from the navigation menu.
    Figure 3. Own Input Attributes
  7. Click the New input icon to create a new attribute.
  8. The New Attribute form opens.
    Figure 4. New attribute form
    Note: To be PA-DSS-compliant, you must now enable encryption for the PAN attribute. For all other sections not relevant for PA-DSS, refer to the online documentation.
  9. Enter PAN in the Name field and select the checkbox in the Encrypted field. Complete the remaining fields as needed to meet your requirements.
  10. Click the Save icon to save the new attribute.
  11. You can now define other attributes that are required for your specific IBM Safer Payments application. To comply with PA-DSS, make sure that no sensitive authentication data is defined.
  12. Next, select Review overview > General from the navigation menu.
    Figure 5. Activate changed revision
  13. Click the Golive icon. The decision model is now being activated and all data that is stored in the PAN attribute is encrypted.