Over the past several months, a barrage of news stories and opinion pieces has sent a worrisome message: The payment security war is being lost because PCI standards are failing us.
This defeatist belief that the hackers have won and any business can be breached—or already has been—can paralyze small and large businesses alike. The truth is, well-known breach studies have shown that the vast majority of attacks would have failed had the most basic defenses been put in place.
These defenses can be scaled to both the size and budget of the organization, leaving no logical reason to avoid taking action steps to combat the threats. If you’re looking at PCI compliance with shoulders shrugged and head shaking, not knowing where to start, here are 3 ways you can avoid falling into the paralysis of doing nothing at all:
This is a no-cost solution that is also critical to the business’s security well-being. Larger companies and non-profit organizations like hospitals and colleges should consider investing in social engineering projects that locate gaps in employees’ security awareness.
Many experts predict that social engineering attacks will only increase in the future. It’s crucial that each employee understands the role they play in the business’s data chain. Each person who interacts with sensitive data or the systems that handle it must be educated on the common tactics hackers use to steal information. Check out ControlScan’s webinar replay on social engineering, “Social Engineering: Hacking into the Human Mind.”
Even if your business doesn’t have a dedicated IT group, it will benefit from someone being formally assigned the role of understanding and monitoring basic security functions. This assignment carries with it the responsibility to keep business systems current with the latest patches and updates, as well as to consider the security impacts of website and physical POS changes.
Whether accepting customer payments over the phone, by fax, in person or online, it is always a best practice to immediately process that information and purge any remnants such as paper copies. Businesses that store payment information, either in hardcopy or electronic form, are putting themselves at a much more significant risk for breach. Encryption and tokenization solutions should also be employed to maintain the security of data in motion and at rest.
My mantra is Start Somewhere! Many breaches are preventable; they still tend to be unsophisticated and can be repelled with strong, basic defenses. Start with vulnerability scanning, but think about adding network penetration testing as soon as possible. If you have developed Web applications, this is even more critical.
The bottom line is that the PCI DSS can and does work for those who view it as an opportunity to protect their business assets from data thieves. The key is to view it from a daily process basis with security as the primary focus. PCI compliance shouldn’t be viewed as a burden, but rather a natural extension of the business’s daily commitment to people, processes and technology.
Looking for expert guidance?
Prepare for the worst, yes, but get some peace of mind by knowing you are doing all you can within your power and available resources. Learn how ControlScan can help you simplify PCI DSS.