
HPE NonStop customers run some of the largest and most challenging IT environments in the world. For those processing sizeable volumes of cardholder data, there is an extra burden: compliance with PCI DSS 4.0. With the deadline for the latest version of the card data security standard (including its future-dated requirements) having passed at the end of March 2025, the race is now on to ensure all in-scope systems meet its main requirements. For most organizations, that starts with protecting the data itself.
The “what” and “why” of PCI DSS
PCI DSS is fundamentally an effort by the payment card industry (PCI) to enforce best practice cybersecurity processes on any organization that stores, processes, or transmits cardholder data (CHD) and/or sensitive authentication data (SAD), or that could impact the security of the cardholder data environment (CDE). In practice, this means it covers a large number of merchants, processors, acquirers, issuers, and other providers.
In their efforts to keep pace with technology innovation across the PCI threat landscape, the creators of the standard have introduced scores of new requirements in PCI DSS 4.0. Among other things, these demand stronger data protection, but they also allow greater flexibility in how organizations comply, thanks to the new Customized Approach, which lets an organization meet a requirement's stated objective with controls of its own design rather than the prescribed ones.
Such efforts are sorely needed. The US financial services sector suffered more data breaches than any other sector in Q1 2025, according to data from the Identity Theft Resource Center (ITRC).
What’s in scope for NonStop customers?
The PCI Security Standards Council, which maintains the standard, is clear about how it views compliance: it should be a continuous process of improvement, rather than a “one-and-done” tick-box exercise. In this way, organizations can avoid the vicious cycle of compliance lapses, short-term remediation prior to assessment, then more lapses post-assessment. Security, in short, must be built into the culture and fabric of the enterprise, as a responsibility of all employees, rather than viewed as an afterthought that is solely the remit of IT.
What does this mean in practice for NonStop customers? As our handy comforte ebook reveals, all but one of the main 12 requirements of PCI DSS 4.0 are relevant. However, several are linked to enterprise environments likely to be outside of the control of the NonStop group. The ones most relevant to NonStop managers are:
Requirement 2: Apply secure configurations to all system components.
Requirement 3: Protect stored account data.
Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks.
Requirement 6: Develop and maintain secure systems and software.
Requirement 7: Restrict access to system components and cardholder data by business need to know.
Requirement 8: Identify users and authenticate access to system components.
Requirement 10: Log and monitor all access to system components and cardholder data.
Requirement 11: Regularly test security systems and networks.
We’d suggest that customers speak to their PCI DSS assessor (QSA) to prioritize next steps. But a good rule of thumb, in descending order of importance, is to:
- Obtain a list of all files containing primary account number (PAN) data
- Encrypt network traffic
- Follow secure coding practices
- Manage access control and auditing
- Encrypt backup tapes
- Encrypt data in databases
Starting with data protection
As a data protection specialist and HPE partner, comforte can help NonStop customers with many of these efforts. Our SecureDPS offering is particularly important here, offering a streamlined way to automatically discover and classify sensitive data, wherever it resides across the enterprise, and then apply format-preserving tokenization in line with PCI DSS 4.0 requirements.
Crucially, it:
- Allows for strong protection of ENSCRIBE data with no application code changes required
- Leaves data length and format unchanged, so a tokenized PAN can be stored in the same fixed-width ENSCRIBE record and field as the original PAN
- Intercepts the file calls the application makes (open, read, write, and so on) and tokenizes and detokenizes on the fly, so that the PAN is rendered unreadable wherever it is stored, as PCI DSS requirement 3.4 demanded (requirement 3.5.1 in the PCI DSS 4.0 numbering)
- Can help reduce the cost and scope of compliance
- Enables protected data to continue being used for business purposes, such as analytics
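The two properties above that matter most to a NonStop file layout are that a token occupies exactly the bytes the PAN did and that it can be reversed only through the tokenization service. The following Python example is added here to illustrate both, together with the first rule-of-thumb step (finding which records actually hold PANs). It is not comforte's SecureDPS code, and it makes assumptions of its own: PAN discovery is a 13-19 digit regex filtered by a Luhn check; the tokenizer is a simple in-memory vault that keeps the first six and last four digits and replaces the middle with random digits; the sample records are constructed, using well-known test card numbers rather than real account data.

```python
import re
import secrets

# Constructed, fixed-width sample records of the kind an ENSCRIBE file might hold.
# The 16-digit values are published test card numbers (Luhn-valid) and one
# order number that happens to be 16 digits but fails the Luhn check.
SAMPLE_RECORDS = [
    "CUST0001|4111111111111111|ALICE   ",
    "CUST0002|1234567890123456|BOB     ",   # order number, not a PAN
    "CUST0003|5555555555554444|CAROL   ",
]

# Candidate PAN: a run of 13-19 digits not adjacent to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check used to separate PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Discovery step: every Luhn-valid candidate in a record."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text)
            if luhn_valid(m.group(0))]


class Vault:
    """Toy vault-based, format-preserving tokenizer (assumption: first 6 and
    last 4 digits retained, middle digits replaced with random digits)."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a PAN")
        if pan in self._pan_to_token:       # same PAN always maps to same token
            return self._pan_to_token[pan]
        head, tail, middle_len = pan[:6], pan[-4:], len(pan) - 10
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(middle_len))
            token = head + middle + tail
            # Never hand back the PAN itself, and never reuse a token.
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back to its PAN."""
        return self._token_to_pan[token]


def protect_record(vault: Vault, record: str) -> str:
    """Replace each PAN in a record with its token; the record length is unchanged,
    so it fits the original fixed-width file layout."""
    return PAN_CANDIDATE.sub(
        lambda m: vault.tokenize(m.group(0)) if luhn_valid(m.group(0)) else m.group(0),
        record,
    )


if __name__ == "__main__":
    vault = Vault()
    for rec in SAMPLE_RECORDS:
        print(find_pans(rec), "->", protect_record(vault, rec))
```

Because the token has the same length and character class as the PAN, an application reading the protected record sees a well-formed field and needs no schema or code change; only code that must see the real PAN goes through `detokenize`, which is where access control and audit logging (requirements 7, 8 and 10) belong.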
To find out more about PCI DSS 4.0 compliance, and how comforte can help, please read our e-book: The Successful Way to Achieve PCI DSS Compliance – Update for PCI DSS 4.0.