PCI Compliance Should Start with Security

While it’s true the Payment Card Industry Data Security Standard (PCI DSS) has helped curtail credit card fraud by requiring merchants to comply with its regulations, many merchants still don’t understand that merely meeting compliance goals does not mean their data is secure.

Many security and compliance experts now argue that PCI standards have become little more than a check-box activity leaving the retailer with the feeling they’ve accomplished the necessary steps they need to protect their data.

But the breaches continue and merchants are left paying fines, court and remediation costs while picking up the pieces of their reputation.

By adopting a risk-based approach to meeting security needs, you can meet both your compliance standards while better securing your data. One of the reasons we still see breaches is that PCI DSS simply does not cover every possible attack vector and many merchants don’t have a mature data security program.

Many merchants focus their energy on meeting these regulations and on preventative measures, alone. They forget they need to allocate some resources to identifying and investigating security events thoroughly. Some merchants have the proper controls in place, but do not react to alerts or have a plan to remediate them when they occur.

Sword & Shield believes that “drive-by” assessments, or assessments done solely to pass the requirements without further thought to overall security, are ineffective in preventing data breaches.

The PCI-DSS is considered a baseline security standard that is designed to provide guidance to merchants and service providers that process, store or transmit cardholder data. Most companies only enforce the standard 3 months out of the year when they are going through their annual PCI DSS assessment. Most don’t realize that the assessment is a snapshot in time and it is up to companies to maintain their compliance throughout the rest of the year.

The Verizon DBIR also recommends three steps toward minimizing POS attack risk:

  1. Review your vendors’ authentication: If you aren’t using two-factor authentication where you can, then you should. Also, because so many attacks come via vendors, you should seek partners that are using strong authentication too.
  2. Monitor and separate: Track who’s using your POS systems—how and when—to make certain they’re only being used by the right people. Separate the POS environment from the corporate LAN, so that it’s not visible to the entire internet.
  3. Use anti-virus software: Basic though it seems, our research shows there are too many POS devices with no anti-virus protection at all. So install it on yours and keep it updated.

For more information about how Sword & Shield can protect your network while attending to your compliance, please call us at 865-244-3500 or emails us at secureme@swordshield.com


Comments are closed.