By: Terence Spielman and Denis Brooker
It seems that barely a week goes by without hearing about another major security breach at a mega-retailer, bank or other large organization.
One thing that many of these organizations have in common: most, if not all, were not compliant in at least one aspect of the Payment Card Industry (PCI) Data Security Standard (DSS).
PCI compliance – conceived 10 years ago as a way to ensure all companies that accept, process, store, or transmit credit card information maintain a secure environment – is comprised of 12 major focus areas and over 200 different checkpoint items. When a company fails just one of the items, it fails the entire audit.
PCI compliance: An ongoing journey, not a destination
Why do organizations fall short? Often, they’ll pass one audit inspection and gain a “false” sense of security about their standards for a long time. They may apply patches over the short term, but after a while, standards slowly begin to slip, and they don’t make the effort to become compliant again until the next examination cycle.
Meeting standards at one point in time doesn’t prevent your organization from being victimized in the future. PCI standards are evolving along with the complexity of hackers’ tactics, so it’s important to stay current.
PCI compliance may represent a significant investment for organizations, but it does provide long-term benefits. Besides the obvious benefit of reducing the risk of data breaches, it can also:
• Create and reinforce a stronger operational culture, as well as tighten operational processes and procedures in other areas of the business, such as customer service and support.
• Encourage greater investments in products that create better architecture and more well-designed and documented interfaces and contracts for system components. Applying greater “security constraints” can actually help modularize elements of your system and condense functionality for more durable and resilient applications.
How can you build a compliance culture?
Ensuring PCI compliance demands that organizations instill a culture of ongoing compliance commitment at all times—not just during audit cycles.
That means getting executive buy-in for resource support and prioritization within the organization. Ensure that everyone—from executives to administrative staff—understands its importance, and is committed to learning more about it.
This commitment is key because employees can often be “the weakest link” in your organization when it comes to security. Most employees have unfettered access to systems, and when their workstation credentials become compromised, it grants hackers an easy pathway to internal servers/networks and confidential information.
For example, during the data breach at Target, hackers broke into the retailer’s network using login credentials stolen from a vendor that performed work for Target at a number of locations. The attackers leveraged this access to move undetected through Target’s network and eventually used phishing scams to upload malware programs on the company’s Point of Sale (POS) systems.
Best practices to stay on top of PCI compliance
Stay up to date on patches. It may be difficult to keep up with the updates, but it’s critically important to apply them to prevent vulnerabilities before it’s too late. Studies show that when breaches occur, organizations frequently lacked the latest patches.
Use proper system administration. Ensure that the right people have access to systems, and eliminate access for former employees.
Implement network segmentation. Without segmentation, hackers can enter a corporate network such as a financial service processing platform and easily enter other platforms containing confidential data and information.
Conduct internal/external scanning of networks. Make sure you have access to security tools, such as intrusion prevention, firewalls and authentication. And when your scans identify a weakness, take swift action to eliminate the vulnerability.
Invest in training the right people. Recruit and groom experienced talent. It’s not practical for organizations to reallocate “inexperienced” resources from other areas of the organization and place them in more demanding security roles.
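The “proper system administration” practice above (make sure the right people have access, and remove access for former employees) is the kind of control that drifts between audit cycles unless it is checked routinely. The script below is an added example, not code from the article or from Vyze: it cross-references an exported account inventory against the current HR roster and flags accounts with no accountable owner, owners who have left, or no recent sign-in, listing privileged accounts first. The roster, account records and review date are all constructed sample data; the field names are assumptions about what an export would contain.

```python
"""Orphaned and stale account review (added example, not from the original article).

Cross-checks a system's account inventory against an HR roster of current
employees and flags accounts that should be removed or re-justified before
the next PCI DSS assessment. All data below is constructed for illustration.
"""
from datetime import date, timedelta

# Constructed HR roster: employee ids currently on payroll.
HR_ROSTER = {"e1001", "e1002", "e1004"}

# Constructed account inventory, as might be exported from a directory service.
# "owner" is the employee id the account is assigned to (None if unattributed).
ACCOUNTS = [
    {"user": "alice",   "owner": "e1001", "last_login": date(2024, 5, 30), "privileged": False},
    {"user": "bob",     "owner": "e1002", "last_login": date(2024, 2, 1),  "privileged": True},
    {"user": "carol",   "owner": "e1003", "last_login": date(2024, 5, 29), "privileged": True},  # e1003 left
    {"user": "svc_pos", "owner": None,    "last_login": date(2024, 5, 30), "privileged": True},
    {"user": "dave",    "owner": "e1004", "last_login": None,              "privileged": False},
]

# Constructed date on which the review is run.
REVIEW_DATE = date(2024, 6, 1)


def review_accounts(accounts, roster, today, inactive_days=90):
    """Return findings for accounts that fail the access review.

    An account is flagged when it has no accountable owner, its owner is not on
    the current roster, it has never signed in, or its last sign-in is older
    than `inactive_days`. Privileged accounts are listed first so remediation
    starts where the exposure is greatest.
    """
    cutoff = today - timedelta(days=inactive_days)
    findings = []
    for acct in accounts:
        reasons = []
        if acct["owner"] is None:
            reasons.append("no accountable owner")
        elif acct["owner"] not in roster:
            reasons.append("owner not on current HR roster")
        if acct["last_login"] is None:
            reasons.append("never logged in")
        elif acct["last_login"] < cutoff:
            reasons.append(f"inactive > {inactive_days} days")
        if reasons:
            findings.append({
                "user": acct["user"],
                "privileged": acct["privileged"],
                "reasons": reasons,
            })
    findings.sort(key=lambda f: (not f["privileged"], f["user"]))
    return findings


if __name__ == "__main__":
    for finding in review_accounts(ACCOUNTS, HR_ROSTER, REVIEW_DATE):
        tag = "PRIVILEGED" if finding["privileged"] else "standard"
        print(f"{finding['user']:<10} {tag:<10} {'; '.join(finding['reasons'])}")
```

Run against a real directory export, the same logic gives a repeatable artifact for each review period rather than a one-off check before the assessor arrives; the 90-day inactivity window is a constructed default and should match whatever your own policy states.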
Stay compliant—and limit breach opportunities
As we’ve learned from recent security breaches, hackers are becoming more sophisticated at finding ways to gain entry into secure networks and systems. But PCI compliance standards are evolving and growing more advanced as well.
There’s no guarantee that PCI compliance will make your organization 100% hacker-proof.
But by implementing these key best practices and keeping up with evolving PCI standards, you can stay compliant and dramatically lower your risk.
Remember, network security is not a destination—it’s an ongoing journey.
Terence Spielman is Vyze’s chief technology officer and has been recognized as CTO of the Year by the Austin Business Journal.
Denis Brooker is Vyze’s vice president of information security.