Enabling cardholder data encryption

Create encrypted attributes to hold sensitive cardholder data.

In the next step, you must activate PCI DSS-compliant encryption of cardholder data to be stored in IBM® Safer Payments. To comply with PCI DSS requirement 3, do not process sensitive authentication data.

If you intend to store the Primary Account Number (PAN) in IBM Safer Payments, you must enable encryption for this data attribute in IBM Safer Payments as defined in PCI DSS requirement 3.5.1.

Attribute names can be chosen freely in IBM Safer Payments. However, in this documentation, the attribute for the Primary Account Number is named PAN.

  1. Log on with a user account that has at least the following privileges:
    Figure 1. Role settings required for cardholder data encryption
    The image shows the General Settings section of a user account. Name is set to PA-DSS. Comment is set to "Minimum set of privileges required to configure PA-DSS". Mandator is set to Technical Head Mandator. The following permissions are selected: Model > Decision Models > Edit, then Data caches, Inputs/outputs, Change I/O encryption, and Message mapping.
    Note: Refer to the online documentation for details about user access administration.

    For more information about logging on, see Starting the first cluster instance.

  2. Click the Model tab.
    Figure 2. Model - Technical Head Mandator
  3. Click the checkbox for the Champion entry.
  4. Click the Copy icon.
  5. Click the newly created Challenger entry.
  6. Select Data model > Inputs from the navigation menu.
    Figure 3. Own Input Attributes
  7. Click the New input icon to create a new attribute.
  8. The New Attribute form opens.
    Figure 4. New attribute form
    Note: To be PCI DSS-compliant, you must now enable encryption for the PAN attribute. For all other sections not relevant for PCI DSS, refer to the online documentation.
  9. Enter PAN in the Name field and select the checkbox in the Encrypted field. Complete the remaining fields as needed to meet your requirements.
  10. Click the Save icon to save the new attribute.
  11. You can now define other attributes that are required for your specific IBM Safer Payments application. To comply with PCI DSS, make sure that no sensitive authentication data is defined.
  12. Next, select Review overview > General from the navigation menu.
    Figure 5. Activate changed revision
  13. Click the Golive icon. The decision model is now being activated and all data that is stored in the PAN attribute is encrypted.