In November 2019 RiskBased released its Data Breach QuickView Report 2019 Q3 trends. Compared to Q3 2018, the total number of breaches was up 33.3 percent and the total number of records exposed more than doubled, up 112 percent. Of all the economic sectors affected, healthcare was first and retail a close second, which the report attributes to continued interest in payment card data. Within this sector, more than three quarters of attacks involved software creators, data processing, hosting and streaming services.
Who should be worried about it?
PCI-DSS is therefore a standard relevant to any company that processes or stores card data. In practice this means companies operating in the retail sector, particularly retailers that use electronic payment software, but also those that offer online shopping to customers.
You should also consider other businesses that use payment technology on a site which you own: it is your responsibility to ensure that the card data of that business’s customers is protected.
If this applies to you, below we have gone into more detail about what PCI-DSS is, and recommendations as to how your company should go about implementing it.
What is PCI-DSS and how should I implement it?
PCI-DSS requires sellers and banks to protect clients’ sensitive data with strong cryptography. A key theme of PCI-DSS is shared responsibility for security: organisations are required to optimise compliance across the supply chain. This is not easy, because many organisations have large supplier networks and it is difficult to see into the policies and procedures that different partners have in place.
Failure to comply with the standard can result in fines and penalties, and companies that suffer a breach while not in full compliance face both a fine and the potential cost of lost business.
Fortunately, it is possible to efficiently secure payment card data. Here is some general advice on how to go about securing it.
Firstly, you must determine your PCI level. This is outlined below.
Solutions and implementation
PCI-DSS has 12 requirements that your company must address. These are:
- Protect your system with firewalls
- Configure passwords
- Protect any stored cardholder data
- Encrypt transmission of cardholder data
- Use anti-virus software and update it regularly
- Update other systems regularly
- Restrict access to cardholder data to business need-to-know
- Assign a unique ID to each person with access
- Restrict physical access to cardholder data
- Implement log management
- Conduct vulnerability scans
- Maintain documentation and risk assessments
A key step is to understand the central problem in an existing payment system and take into account all weaknesses, whether they lie within your own company or in a supplier network. To do this, you will have to map where in the supply chain payments are made, and then establish high levels of security to protect payment data at those points. Alternatively, you could outsource payment services to an accredited supplier.
This can take time and require many employees to assess vulnerabilities. Fortunately, you may already be meeting all of the requirements if you are following the requirements set out by GDPR or the Data Protection Act. You can also abide by this industry standard if you are already using a security product that encrypts and protects data.
Questionnaires can be a useful tool, but a key problem with them is that their results only give you a snapshot of what is going on in your company at the time they are answered. You also have to factor in who from your company is answering the questionnaire and whether they know enough about the levels of security your company has in place before they begin. This is why, at C2, we have automated this process and answer questionnaires continuously, so as to give your company live updates on existing protections.
Once you have understood the problems that exist in securing card data, you can start solving them through better visibility of that data across your own and your suppliers’ networks. PCI-DSS requires organisations to be transparent and to show the route that cardholder data takes across systems and networks.
If your company has good visibility of cardholder data flow, it can then reduce the number of potential access points. You should seek to limit the points of entry to a payment environment and also limit the storage of that data within your systems. You should then work to maintain a secure network which protects cardholder information. You can either do this yourself or outsource this to a contractor which you trust. Should you outsource this, you must make sure that a vendor has appropriate levels of security in handling sensitive information.
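As an added illustration of the point above about knowing where cardholder data lives and limiting its storage (this is example code written for this page, not code from the original article or from C2): a small Python scanner that finds Luhn-valid primary account numbers in text such as application logs and masks them to the first six and last four digits. The log lines are constructed for the example and the card numbers are well-known test numbers.

```python
import re

# Constructed sample log lines (not from the original page): two lines leak a
# full PAN, one carries a 16-digit value that is not a card number, one uses a token.
SAMPLE_LOG = """\
2019-11-04 10:01:22 order=1001 card=4111 1111 1111 1111 amount=59.99
2019-11-04 10:01:23 order=1002 ref=1234567890123456 amount=12.00
2019-11-04 10:01:24 order=1003 token=tok_9f3a8 amount=20.00
2019-11-04 10:01:25 order=1004 card=378282246310005 amount=75.00"""

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every real card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, the maximum PCI-DSS allows for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str):
    """Return (masked_text, line_numbers) for every line that held a Luhn-valid PAN."""
    findings, out = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        def replace(m, lineno=lineno):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_valid(digits):
                return m.group(0)          # not a card number, leave it alone
            findings.append(lineno)
            return mask_pan(digits)
        out.append(PAN_RE.sub(replace, line))
    return "\n".join(out), findings


if __name__ == "__main__":
    masked, hits = scan_text(SAMPLE_LOG)
    print(masked)
    print("lines with unprotected PANs:", hits)
```

Running the same scan over log archives, database exports and support tickets is a quick way to discover storage points for cardholder data that the documented data flow does not mention.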
PCI-DSS is an industry standard that you must meet if you are handling payment details of customers. In order to abide by it, you must first assess how many payments you process a year and then establish where the weaknesses are in the supply chain. You must also ensure that card details are kept secure.