Verizon recently published its 2015 PCI Compliance Report, which got me thinking about the state of PCI compliance and whether we have made any progress on the security front. While the report found an 80 percent increase in the number of companies validated as compliant with the Payment Card Industry Data Security Standard (PCI DSS), four out of five companies still fail to maintain compliance between assessments, so progress is slow. Add to that the EMV chip-card liability shift planned for October, which moves liability for counterfeit-card fraud onto whichever party, merchant or issuer, has not adopted chip technology, and achieving and keeping PCI compliance becomes even more critical.
With cyber attacks becoming more advanced, the PCI DSS has had to adapt to address new threats. But PCI compliance is something any organization can achieve. Here are some practical steps that improve the security of customers' payment card data.
PCI 3.0: Get to Know the Latest Requirements
PCI DSS 3.0 became mandatory at the start of this year (version 2.0 was retired at the end of 2014) and aims to drive organizations not only to consider security measures when handling payment card data, but also to build security practices into their daily operations, what the standard itself calls "business as usual". A nice side effect of the PCI requirements is that they double as an excellent checklist for protecting cardholder data. Version 3.0 also puts more weight on education and awareness in response to the evolving threat landscape, especially around passwords, which remain a weak point for many organizations.
Version 3.0 also adds guidance on implementing a strong vendor risk management framework and on outsourcing PCI DSS responsibilities: service providers must now acknowledge in writing which requirements they are responsible for on behalf of their customers. Lastly, version 3.0 requires penetration testing to follow an industry-accepted methodology (Requirement 11.3 cites NIST SP 800-115 as an example), to cover the whole perimeter of the cardholder data environment and its critical systems at both the network and application layers, and to verify that any network segmentation actually isolates the cardholder data environment. A one-off scan no longer qualifies.
Implement a Risk-Based Approach to Security
More than previous versions of the PCI DSS, 3.0 emphasizes risk-based security. Companies must assess their current controls and vulnerabilities to identify and prioritize the associated risks: an annual (and change-triggered) risk assessment, plus a risk ranking of every newly discovered vulnerability so that the ones exposing cardholder data are fixed first.
Security teams usually have limited resources, which makes it hard to identify and remediate security threats in a timely and cost-effective manner. A risk-based approach does not remove those constraints, but it lets a team spend them where they matter: vulnerabilities are ranked and remediated in order of the risk they pose to cardholder data rather than in the order they happen to be found.
Protect Stored Card Data
If you don't store cardholder data, compliance with this requirement (Requirement 3) is largely automatic. If your organization does store it, keep it to a minimum and render the primary account number (PAN) unreadable anywhere it is stored: by truncation, by tokenization, by a one-way hash of the full PAN, or by strong encryption with proper key management. When encrypting data at rest, use validated algorithms and strong keys, and keep the decryption keys tightly controlled and stored separately from the data they protect. And never store sensitive authentication data after authorization, even encrypted: full track data, card verification codes (CVV2, CVC2, CID) and PIN blocks must be gone once the transaction is authorized.
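To make the requirement concrete, here is an added example (mine, not code from the original post, from Verizon or from the PCI SSC) of the storage forms Requirement 3.4 accepts for a PAN, together with a demonstration of the standard's own warning that a truncated PAN kept beside an unkeyed hash of the same PAN lets the full number be recovered: with the first six and last four digits visible, a 16-digit PAN has six unknown digits, the Luhn check fixes one of them, and the remaining 10^5 candidates are hashed in well under a second. The card numbers are the standard Visa test number, the HMAC key is generated on the fly, and the `SAD_FIELDS` list and record layout in `find_sad` are assumptions for illustration.

```python
# Added example, not code from the original post: storage forms for a PAN that satisfy
# PCI DSS Requirement 3.4 ("render PAN unreadable anywhere it is stored"), and a
# demonstration of the standard's warning that a truncated PAN stored beside an unkeyed
# hash of the same PAN lets the full number be recovered. The card number used is an
# industry test number, not a real card.
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


def _dbl(d: int) -> int:
    """Luhn doubling step: double the digit and subtract 9 if the result exceeds 9."""
    return d * 2 - 9 if d * 2 > 9 else d * 2


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):  # i == 0 is the check digit, never doubled
        total += _dbl(int(ch)) if i % 2 == 1 else int(ch)
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form permitted by Requirement 3.3: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form for Requirement 3.4 when only a last-four reference is needed."""
    return pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the full PAN. Unlike bare SHA-256 it cannot be
    brute-forced without the key, which then has to be protected and rotated under
    Requirements 3.5 and 3.6 like any other cryptographic key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def unkeyed_pan_hash(pan: str) -> str:
    """The anti-pattern: plain SHA-256 of the PAN with no secret. Defined only to attack it."""
    return hashlib.sha256(pan.encode()).hexdigest()


_DBL_INV = {_dbl(d): d for d in range(10)}  # doubling permutes 0..9, so it is invertible


def complete_luhn(digits: List[int], idx: int) -> int:
    """Return the digit for position idx that makes the whole number Luhn-valid."""
    digits[idx] = 0
    total = sum(_dbl(d) if i % 2 == 1 else d for i, d in enumerate(reversed(digits)))
    need = (-total) % 10
    doubled = (len(digits) - 1 - idx) % 2 == 1
    return _DBL_INV[need] if doubled else need


def recover_pan(masked: str, sha256_hex: str) -> Optional[str]:
    """Recover a PAN from its masked form plus an unkeyed SHA-256 of the full PAN.

    For a 16-digit PAN the mask leaves six digits unknown and the Luhn check determines
    one of them, so 10**5 candidates cover the entire space."""
    first6, last4 = masked[:6], masked[-4:]
    unknown = len(masked) - 10
    last_idx = 6 + unknown - 1  # position of the digit solved for with complete_luhn
    for k in range(10 ** (unknown - 1)):
        mid = f"{k:0{unknown - 1}d}"
        digits = [int(c) for c in first6 + mid + "0" + last4]
        digits[last_idx] = complete_luhn(digits, last_idx)
        candidate = "".join(map(str, digits))
        if hashlib.sha256(candidate.encode()).hexdigest() == sha256_hex:
            return candidate
    return None


# Field names assumed for illustration; real schemas vary.
SAD_FIELDS = ("cvv", "cvv2", "cvc", "cvc2", "cid", "cav2", "track1", "track2", "pin", "pin_block")


def find_sad(record: Dict[str, str]) -> List[str]:
    """Names of fields holding sensitive authentication data, which Requirement 3.2
    forbids storing after authorization even in encrypted form."""
    return [k for k in record if k.lower().replace("-", "_") in SAD_FIELDS]


if __name__ == "__main__":
    test_pan = "4111111111111111"  # standard Visa test number
    key = secrets.token_bytes(32)  # constructed key; in production it lives in an HSM or KMS
    print("masked:   ", mask_pan(test_pan))
    print("truncated:", truncate_pan(test_pan))
    print("token:    ", pan_token(test_pan, key))
    print("recovered from mask + unkeyed hash:",
          recover_pan(mask_pan(test_pan), unkeyed_pan_hash(test_pan)))
    print("SAD fields in record:", find_sad({"pan": test_pan, "exp": "12/17", "CVV": "123"}))
```

The practical reading: store either the token or the truncation, not both alongside an unkeyed hash, and treat the HMAC key (or the encryption key) as the thing that actually needs protecting.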
Oftentimes, organizations forget that cardholder data may also be sitting in data warehouses, application servers, debug logs, backup systems, desktops or other systems outside the intended payment flow, so it is important to continuously analyze your business's card-processing applications and the systems around them to find out exactly where cardholder data resides at all times.
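As an added example of what such a discovery pass looks like (mine, not code from the original post), here is a minimal PAN scanner run over a constructed log excerpt. The regular expression picks out anything shaped like a card number, and the Luhn check drops the order numbers and timestamps that would otherwise flood the report; findings are reported masked so the report does not itself become a new store of cleartext PANs. The log lines are constructed and the card numbers in them are industry test numbers; in practice you would run the same functions over file contents, database exports and backup archives.

```python
# Added example, not code from the original post: a minimal cardholder-data discovery pass
# over text, of the kind used to find PANs that have drifted into logs, backups, exports or
# spreadsheets. The sample is constructed; its card numbers are industry test numbers.
import re
from typing import Iterator, List, Tuple

# 13 to 19 digits, optionally separated by single spaces or hyphens, not part of a longer digit run
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: an order id that merely looks like a PAN, a PAN leaked by a debug
# statement, a hyphen-separated PAN in a refund record, and a properly tokenized line.
SAMPLE_LOG = """\
2015-03-02T14:30:11 order=1234567890123456 cust=jdoe amount=19.99 status=captured
2015-03-02T14:30:12 DEBUG auth request pan=4111 1111 1111 1111 exp=12/17
2015-03-02T14:31:02 refund ref=5555-5555-5555-4444 phone=+1 415 555 0100
2015-03-02T14:31:40 token=tok_8f3a9c2e1b7d last4=4444
"""


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):  # i == 0 is the check digit, never doubled
        d = int(ch)
        total += (d * 2 - 9 if d * 2 > 9 else d * 2) if i % 2 == 1 else d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits, the most Requirement 3.3 allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def candidates(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line number, digit string) for every run of digits shaped like a PAN."""
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(line):
            yield lineno, re.sub(r"[ -]", "", m.group())


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for candidates that pass the Luhn check.

    The Luhn filter is what separates order numbers and timestamps from card numbers;
    masking keeps the discovery report from becoming another place PANs are stored."""
    return [(lineno, mask_pan(d)) for lineno, d in candidates(text) if luhn_valid(d)]


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: {masked}")
```

On the sample, three digit runs look like card numbers but only the two on lines 2 and 3 survive the Luhn check; the debug line is exactly the kind of unintended store that a scan of "only the payment database" would miss.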
Regularly Test Security Systems and Processes
PCI compliance should not be seen as a point-in-time assessment to achieve annual certification. Rather, it should be managed on a continuous basis and embedded into a company’s day-to-day business operations. An annual certification doesn’t guarantee that you’ll be in technical compliance weeks or months after certification. New vulnerabilities appear daily due to flaws in software, faulty configuration of security tools and applications and even human error. As such, you must continuously assess, remediate and report your organization’s compliance with PCI requirements.
Maintain a Vigilant Policy Compliance Program
Internal and external auditors require evidence of how organizations are meeting the requirements of multiple regulatory mandates, industry standards and compliance frameworks. Maintaining a vigilant policy compliance program using automated management processes enables companies to reduce risk and continuously provide proof of compliance. Additionally, a policy compliance program helps identify and assess key security settings in your systems, which indirectly helps improve PCI compliance.
The requirements of PCI DSS are clear, but they take work to accomplish across an organization. The above is a sampling of best practices; it is also worth looking for a solution that gives your business an easy, cost-effective and highly automated way to achieve and sustain compliance with PCI DSS. Keeping up to date with the requirements will benefit your business in the long term.
In today's digital landscape it is much easier for criminals to reach sensitive payment card data, which gives them not only direct access to a consumer's available funds but also the raw material for identity theft. By taking a risk-based, automated approach, organizations can achieve PCI compliance quickly and cost-efficiently, and, more importantly, keep it.