Reading Time: 3 minutes

PCI ComplianceThere is an epidemic of identity theft and financial fraud hat is costing businesses and consumers millions of dollars per year. Most of these incidents are the result of data breaches that compromised credit and debit card data. The cost of dealing with a data breach is bad enough, but the damage to your reputation with your customers and suppliers as a trust worthy business is incalculable.

Business in the internet age is more about trust than ever before. The entire system of card payments is dependent on card holders trusting the merchant with their card data. A loss of trust can be fatal to a business

The Payment Card Industry (PCI) Data Security Standards (DSS) are intended to ensure the integrity and security of credit card data used in transactions. The card payment services require merchants to comply with these standards, Failure to comply can result in large incident fines and even the suspension of the ability to accept cards.

Given the criticality of compliance, it is remarkable that Point of Sale (POS) systems are involved in the most data breaches and that most of those breaches could have been avoided by the most basis security measures, firewalls and antivirus protection

Those were among the finding of the last 2 annual Data Breech Analysis Reports by Verizon. As the threats to internet security grow and become well known, it is hard to believe that a business would fail to do the very basics required, but that is too often the case.

I suspect that many small and midsize businesses that can’t afford a large IT staff of their own still view POS systems as high tech cash registers and not networked computers, which of course they are. A retail POS system needs a personal firewall and antivirus scanner on it just the same as any other computer you hook up to your network.

Many also assume that because they use SSL they are also safe. SSL provides a critical layer of protection during interaction with customers. However, it does not protect the site’s network from attack and infection. SSL will prevent a hacker from intercepting data provided by the customer but does not prevent a hacker from infecting a web page so the customer downloads malware.

A common misconception among e-Business’ is they assume their web host will take care of all security. They don’t realize that for performance reasons web hosts do not do the type of antivirus scanning that we do on network computers. It is really up to the site owner to make sure their pages are safe, not just for compliance but to protect their customers.

PCI compliance requires passing a 12 point test and you must pass all 12 points or you fail compliance. According to Verizon’s “2011 Payment Card Industry Compliance Report,” only 21% of organizations met all 200 specific PCI requirements on the first application for validation.

There has never been a reported data breach where victim was in compliance at the time of the breach. However, compliance reviews are a snapshot and are required and varying intervals depending on the size of the organization. Data breaches occur when a company lets its guard down in some regard.

Given the consequences of a breach, a business should work to be compliant at all times, regardless of the review requirements.

Comodo offers 2 great services that provide PCI compliance scanning for your web site, HackerGuardian and Web Inspector.

HackerGuardian is an on-demand, vulnerability assessment scanning solution to enable merchants and service providers to achieve PCI scan compliance. After each scan, you receive a comprehensive vulnerability report detailing any security issues with remediation advice and advisories to help fix them.

Web Inspector provides the same PCI scanning and much more. It scans your site daily for malware and continuously monitors for other threats. Importantly, Web Inspector monitors blacklist sites that list compromised web sites. If you are listed, for any reason, on such a site search engines will block them. You lose customers because they can’t find your site.

With the number of threats on the internet growing each day, there two things that are certain.

Being PCI compliant once a quarter is great.

Being secure every day is essential.