CBI Blog

PCI-DSS Demystified: How Cybersecurity Factors In


Advertisements surround us, from billboards, to signs posted in brick-and-mortar storefronts, to online ads on the Internet and social media platforms. Some would argue we live in a world of consumerism where credit, the suggested way to buy, is king. According to TSYS’ annual survey (2016), for the first time, American consumers preferred swiping their credit card (40%) over their debit card (35%). And, if you’re curious, cash came in last, with a measly 11%. This goes to show that meeting PCI-DSS requirements is now more important than ever, especially given that, as the report points out, 74% of consumers would choose the credit card with the best security and fraud protection over the credit card with the biggest rewards; in other words, consumers value security highly.

What we’re getting at is that compliance with the Payment Card Industry Data Security Standard (PCI-DSS) is important not just from a security perspective but from a financial one as well. Put another way, business owners have everything to gain from adopting these policies and procedures and little to lose.

We’ll explain why this is the case, what exactly the PCI-DSS is, and how cybersecurity can help business owners comply with it and keep credit card data out of the wrong hands. Read on to find out.

PCI-DSS Demystified: What It Is

In 2004, five credit card companies came together (i.e. American Express, Discover, JCB, MasterCard, and Visa) to create a set of policies and procedures that would protect cardholder information. These standards would apply to every entity that deals with cardholder data, whether that’s storing, processing, or transmitting it, or a combination of the three. So, PCI-DSS was born.


PCI-DSS Demystified: The 3 Main Steps

In a nutshell, PCI-DSS is comprised of 3 main steps: assess, remediate, and report. Here is what is involved in each step:

Assess

Think of this step as the equivalent of Identify, the first core function of the NIST framework. In this step, business owners need to identify the vulnerabilities in their card-processing ecosystem. This means they need to know where these vulnerabilities sit (i.e. across IT assets, cardholder data, payment card processing…) and how they plan to fix them.

Remediate

Businesses then fix the vulnerabilities. This could mean setting up stronger firewalls and encrypting card data more robustly, or deciding not to store the card data at all.

Report

In this step, business owners show that they’re in compliance with the PCI-DSS. They do this by compiling and submitting validation records and compliance reports. As the PCI Security Standards Council states, this information is sent to the acquiring banks and card companies they do business with.

Here’s Where Cybersecurity Factors In

Cybersecurity helps business owners comply with the PCI-DSS objectives. Here is what these objectives are:

Objective #1: Have a Secure Network

The PCI-DSS requires that your network have strong firewalls that will stand a fighting chance against cyberattacks. At the same time, the firewall shouldn’t make it impossible (or even hard) for cardholders to access their data and use the network. Other ways to secure your network and comply with PCI-DSS involve requiring cardholders to use a self-created PIN and password to get into the network.

Objective #2: Encrypt Cardholder Information

Anything that has to do with cardholder information — social security numbers, birth dates, mailing and billing addresses, etc. — must be encrypted. To understand why this is important, ask yourself, if this information got in the wrong hands, how could it be potentially damaging?

For one, although it’s not recommended, many people still use their birth dates (or at least part of them) in their passwords. And, since people need so many passwords, many reuse the same one because it’s easier to remember. If a hacker got access to a cardholder’s birthdate — something that seems harmless — he or she could gain access to the cardholder’s bank accounts, social media, etc. and, in fact, do a lot of harm.
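The objective above says that stored cardholder data must be unreadable to anyone who gets hold of a copy. Alongside encryption, PCI-DSS Requirement 3 (protect stored account data) accepts truncation and keyed one-way hashes as ways to render a card number (PAN) unreadable, and the Python example below shows those two controls in working form: a Luhn check to recognise a PAN in free text, masking for display and log output, and an HMAC-SHA256 token that lets records be matched without keeping the number itself. This is example code written for this article, not CBI’s code or code from the original post; it uses only the standard library, and the key, the card numbers (publicly known test numbers) and the log text are constructed placeholders.

```python
"""Rendering stored cardholder data unreadable: truncation and keyed hashing.

Added example, not code from the original post or from CBI. Standard library only.
The HMAC key and the sample text are constructed placeholders.
"""
import hashlib
import hmac
import re
import secrets

# Constructed placeholder key. In a real deployment the key comes from a key
# management system and is rotated; it is never stored next to the data.
TOKEN_KEY = secrets.token_bytes(32)


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate for display: keep at most the first six and last four digits."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed one-way hash (HMAC-SHA256) so two records with the same card can be
    matched without the PAN being recoverable from the stored token."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


# A run of 13 to 19 digits not adjacent to other digits: a candidate PAN.
_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid candidate in free text (e.g. a log line) with its
    masked form; digit runs that fail Luhn (order ids, timestamps) are left alone."""
    def _sub(match: re.Match) -> str:
        run = match.group(0)
        return mask_pan(run) if luhn_valid(run) else run
    return _CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    # Constructed log line containing a publicly known Visa test number.
    line = "2016-05-01 txn 1234567890123 card=4111111111111111 approved"
    print(redact_pans(line))
    print(tokenize_pan("4111111111111111"))
```

The Luhn check keeps the redactor from mangling every long number in a log, while masking and tokenizing are applied before anything is written to disk, so the only copy of the full PAN is the one in the payment flow itself.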

Objective #3: Your System Needs to Be Updated…Regularly

Anti-virus, anti-spyware, and anti-malware solutions need to be installed and updated regularly so that you can protect cardholders from cyber attackers to the best of your ability. If your system needs to be updated, update it. If it has vulnerabilities, patch them. If the latest version of a more reliable security program has been released, get it. Think of this objective as going with the “Assess” step in the PCI-DSS compliance cycle. You’re taking steps to fortify your cyber defense.

Objective #4: Control Who Can Operate the System

Cardholder information needs to be protected with a unique PIN and password. However, this goes further than online. Use a shredder and lock your dumpsters so opportunists have no reason to look in the trash and dig up sensitive information.

Objective #5: Pen Testing and Monitoring Are Best Friends

What we’re saying is that frequent penetration testing (pen testing) and 24/7 monitoring need to be in place so that systems and cardholder information are well protected.


Why is this important?

White-hat hackers (aka the good guys) can spot new weaknesses and vulnerabilities that were overlooked, minus the hassle and damage that come with a real cyberattack. That said, pen testing needs to be done more than once a year. Look at it this way: the more testing you do, the better your system will be.

Objective #6: Create a Security Policy, And Stick with It

What if you’ve done all that you could but a hacker still manages to weasel his/her way in? Who do you contact? What if an employee with access to the system forgets to update his/her password? To deal with these potential scenarios, you need to construct a security policy… and stick with it. This means going over it and updating it routinely. It also means requiring your employees to know it.

Go the Extra Step

With your employees, practice the security policy by responding to white-hat hackers and pen tests. From practice, you’ll learn which parts of the security policy you need to go over.

CBI Can Help

CBI, for Cyber Security Solutions, can help you comply with PCI-DSS. We provide pen testing, white-hat hacking, monitoring assistance, and an array of anti-virus, anti-malware, and anti-ransomware solutions. Check them out, as well as our blog, for more cybersecurity information.

CBI Cyber Security Solutions

Team CBI

CBI manages IT security risk and helps ensure your data is secure, compliant and available. No matter your industry our Subject Matter Experts, tailored assessments and custom solutions help safeguard your organization’s information. Our proven process allows you to prepare, manage and navigate issues that can damage your business and reputation.