Data protection for businesses in the modern, connected world is now more important than ever. It’s not always easy to protect data and all too easy to fall into the traps set by hackers and malware authors, especially when it comes to staff, who often inadvertently click on phishing links.
For those companies that accept credit card payments from their customers, ensuring those details remain secure is even more vital. It’s not just company data that needs to be protected and a breach can be a very costly affair in terms of fines, if it’s found that the requirements for PCI DSS regulations haven’t been met.
What is PCI DSS?
It’s the abbreviated term for Payment Card Industry Data Security Standards and compliance is an ongoing process for businesses, rather than (as many assume), a year-end audit. In order to ensure that your business is allowed to continue accepting customer card payments, it’s necessary for them to comply with twelve basic rules.
These surround security and how data is stored, accessed, moved or deleted and in order to comply, you must:
- Use robust security software solutions – an antivirus software package won’t do, it has to be layered, using firewalls too (hardware and software)
- Use strong passwords and not vendor defaults on routers, hardware firewalls, webcams, video conferencing equipment and so on
- Have firm policies in place concerning who can access the data
- Protect stored data with encryption and the correct access rights
- Implement risk management procedures
- Carry out monitoring and testing in order to successfully track access to cardholder data
Employees that need to access the data as a part of their job are the only people in the organization that should be able to. Even then, they should not be able to store information on their own devices, unless it’s encrypted and you are certain that the device is secure at all times. This is difficult to police though, so it’s not advisable as it will make compliance that much more difficult.
Companies should have a firm security policy in place too, in order to ensure that employees know the risks and how to avoid them. It’s also a good idea to have a good disaster recovery plan in place so that should the worst happen, the data isn’t lost.
PCI DSS for Merchants
There are also four additional categories for merchants:
- Merchants with more than 6,000,000 transactions taking place per year or those that have had data compromised in the past, or that the credit card company has classed as level 1
- 150,000 to 6,000,000 transactions per year
- 20,000 to 150,000 transactions per year
- Less than 20,000 transactions per year
Credit card companies such as MasterCard and Visa also may require an on-site visit to validate compliance and a network scan carried out by an approved scanning vendor. Merchants are defined as any business that accepts payment cards which bear the logo of the members of PCI SSC (Payment Card Industry Security Standards Council); these are:
- American Express
- JCB
- MasterCard
- Visa
- Discover
What Happens if you Don’t Comply?
If your business fails to comply with the standards, then you could be liable of a fine of between $5,000 – $100,000 per month, as well as the cost of any forensic audit. It’s also likely that the bank will terminate any agreement you have in place, or increase transaction fees. For smaller businesses especially, this can be enough to completely kill the company off, forcing them to either rethink the business model, or go out of business entirely.
The worrying thing about this is that even though many companies are compliant in their first year, a recent Verizon study found that many fail to maintain compliance. This is not just small businesses, as the study focused on 500 large organization from various industry sectors.
The research found that just 11.1% of businesses remained compliant between each formal assessment. This is due to the fact we mentioned earlier; PCI DSS compliance is an ongoing requirement all year round and not something that needs to be addressed just before the next audit.
Industries accessed in Verizon report
–You can download a copy of the full, 56-page report here (PDF).
While PCI DSS is not a law, the consequences of a breach to any businesses can be severe, so it’s not something that should be taken lightly. In fact, any company that is complacent when it comes to sensitive customer data will probably not be in business for very long. Consumers are demanding these days, and those who have been an active internet user for a long time will know that it’s take a while for consumer confidence to become high when it comes to making payments over the net.
Recent Security Breaches
Currently, there appears to be a string of credit card data breaches affecting payment systems. One of the latest attacks took place on Sally Beauty Supply, based in Denton, Texas. The banks tracked the stolen credit cards, which appeared on sale in an underground crime store, back to the business and the company confirmed that it had identified an intrusion on its network.
It’s unfortunate that this is a common story and retailers in particular should be aware that it’s possible to hack into actual POS terminals, increasing the need for high-end protection and constant monitoring if they’re to ensure compliance and data safety.
As you can see, credit card breaches are a costly affair and when it comes to security, this is just the tip of the iceberg. Malware, phishing, mobile malware – all of these are worth big money to cybercriminals and the worst of it? It’s the criminals that are winning. With this in mind, it’s worth educating your staff on the dangers of malware in order to ensure that breaches don’t occur through an unsuspecting staff member clicking on a malware-infected link.
If you believe that your customer data may have been compromised, then check out this PDF from Visa, which gives advice on what steps to take next.
Making PCI DSS Compliance Easier
Many businesses fail audits due to not having the staff or resources to take care of monitoring all of the time. Network administrators are often very busy people whose jobs involve numerous functions.
This can be applying software patches for operating systems and a variety of software, setting up workers on the system, troubleshooting end-user issues and hardware and much more. However, monitoring software can make the job of the administrator much easier as it automates processes that would otherwise have to be carried out manually.
For example, if a file that’s important to complying with PCI DSS standards is moved, altered or deleted, the administrator will be alerted and will be able to discover exactly who on the network made the change. It also quickly flags an attempt that may be made from an outside source to access the network.
This makes it much easier to carry out compliance all year round, without the need to employ more staff. It’s a cost-effective solution for many businesses and one that’s becoming increasingly used, as more and more companies get caught out during an audit.
Tips to Help Pass an Audit
Firstly, it’s advisable to check out more than one assessor. While there is a certain standard that has to be attained, like anything else in life, not all are created equal.
Ask around, do other businesses that you deal with have any recommendations? Perhaps your monitoring software vendor will have a suggestion. Whatever the case, research each auditor in order to determine experience and capability. Ask how many audits they carry out in a year and look for those that have carried out around 20 as a good indicator of their grasp on the process.
Checklists and Pre-Audit Assessment
Before you plunge into the audit, it pays to make sure that you’re as prepared as possible. You don’t have to do this yourself, you can employ a consultant to come and help you with this and they should be able to tell you how close you are to compliance. A checklist will help to ensure that you’re prepared in terms of what kind of documentation you will need to have in hand, what logs you need to have prepared and so on.
Don’t make the mistake of waiting until the auditor arrives before collecting all of the necessary information, as this will just lengthen the process, costing you more money. The more prepared you are, the better off you will be. To make sure of this, go through the requirements with your IT team to ensure that you all understand what’s necessary.
It’s not overly difficult to comply with PCI DSS, but still many companies fail every year. For the most part, this is because once an audit has been carried out, the business sweeps it under the carpet and forgets it for another year.
It’s important to understand that it’s something that should be high on the agenda all of the time. Protecting credit card data is vital to the health of your company, so why would you risk that through sloppy practices?
Use file monitoring software and ensure your security is as tight as it can be at all times, educate staff on security policies and procedures and follow the standards for PCI DSS compliance success.