The PCI DSS (Payment Card Industry Data Security Standard) is a set of twelve individual requirements that companies must conform to or risk stiff penalties and fines, and possibly even the loss of the ability to accept payment cards at all. A security breach is painful all around, yet many companies have yet to reach complete PCI compliance. Or, if they have validated their compliance, they begin to relax their standards, believing they have done everything necessary to keep hackers at bay.
This is, of course, a fallacy - and one that could prove very costly to merchants and consumers. PCI DSS compliance is not a static state of being. Hackers and criminals continue to employ new and more aggressive tactics, and, as such, merchants must be able to keep up with these changes. Complying with the PCI DSS does, in fact, require you to do just that.
But as merchants continue to experience breaches, many studies are discovering that they have some problems in common. Some of these problems are:
Encryption practices that grow lax and inconsistent across a company's systems. As time goes by, sensitive information gets separated, and some of it gets encrypted while some of it does not. Maintenance and vigilance are the only real way to make sure that this does not happen.
Storing unnecessary information after credit card transactions. Not only do companies store information that they shouldn't, but eventually that information starts moving around the system and crossing numerous less secure areas. This is exactly what the PCI DSS wants to prevent, and exactly what the criminals are waiting for.
Failing to properly track and log network activity. Again, this is a PCI DSS requirement, and one that can, after validation, begin to receive less attention. Without good logging procedures, however, it is almost impossible to discover what went wrong and who is responsible.
Failing to scan the network regularly. Scans must be performed throughout the year, not just at the time of validation. These procedures are meant to help you discover any vulnerabilities and abnormal activity on your systems or software.
These are just a few of the things that have caused many merchants many headaches in the past. So what can we learn from their experiences?
The first thing we can do is look at the common elements in these problems. The source of these failures is a lack of follow-through: of maintenance and vigilance. Hackers can be a patient lot, and they will be waiting for you to make a mistake. Through simple vigilance, a lot of these problems can be avoided. Why, then, do these issues keep cropping up?
The modern business world places many demands on the average business owner. With these day-to-day tasks and demands on them, many merchants feel that they must (or can) put off the more time-consuming requirements of the PCI DSS in favor of these other necessities.
But this is not a good idea. While the overwhelming nature of the modern business environment is certainly understandable, the PCI DSS must be considered one of those day-to-day tasks that demand your attention.
Consider as an example the recent breach of a chain of grocery stores on the east coast. It wasn't the worst breach in recent history, but it did have a shocking element to it. As it turns out, the company had, not long beforehand, been validated as compliant with the PCI DSS.
What does this mean? Well, the investigation continues, but on the surface it could mean one of two things. The first is that the validation was somehow performed incorrectly. The other is that the chain had become lax in its vigilance and, after validation, let its adherence to the PCI DSS slip.
Whatever the case may be, the recent security breaches should be enough to show that only by consistent testing, vigilance, and maintenance can a merchant keep their customers' sensitive data protected.