PCI DSS Compliance: Failure is Not an Option

August 15, 2013 | By Kevin Judge

There is an epidemic of identity theft and financial fraud that is costing businesses and consumers millions of dollars per year. Most of these incidents are the result of data breaches that compromised credit and debit card data. The cost of dealing with a data breach is bad enough, but the damage to your reputation with your customers and suppliers as a trustworthy business is incalculable.

Business in the internet age is more about trust than ever before. The entire system of card payments depends on card holders trusting the merchant with their card data. A loss of trust can be fatal to a business.

The Payment Card Industry (PCI) Data Security Standards (DSS) are intended to ensure the integrity and security of credit card data used in transactions. The card payment services require merchants to comply with these standards. Failure to comply can result in large incident fines and even the suspension of the ability to accept cards.

Given the criticality of compliance, it is remarkable that Point of Sale (POS) systems are the systems most often involved in data breaches, and that most of those breaches could have been avoided by the most basic security measures: firewalls and antivirus protection.

Those were among the findings of the last two annual Data Breach Investigations Reports by Verizon. As the threats to internet security grow and become well known, it is hard to believe that a business would fail to do the very basics required, but that is too often the case.

I suspect that many small and midsize businesses that can’t afford a large IT staff of their own still view POS systems as high-tech cash registers and not as networked computers, which of course they are. A retail POS system needs a personal firewall and antivirus scanner on it just the same as any other computer you hook up to your network.

Many also assume that because they use SSL they are safe. SSL provides a critical layer of protection during interaction with customers. However, it does not protect the site’s network from attack and infection. SSL will prevent a hacker from intercepting data provided by the customer, but it does not prevent a hacker from infecting a web page so that the customer downloads malware.

A common misconception among e-businesses is that their web host will take care of all security. They don’t realize that, for performance reasons, web hosts do not do the type of antivirus scanning that we do on network computers. It is really up to the site owner to make sure their pages are safe, not just for compliance but to protect their customers.

PCI compliance requires passing a 12-point test, and you must pass all 12 points or you fail compliance. According to Verizon’s “2011 Payment Card Industry Compliance Report,” only 21% of organizations met all 200 specific PCI requirements on their first application for validation.

There has never been a reported data breach where the victim was in compliance at the time of the breach. However, compliance reviews are a snapshot and are required at varying intervals depending on the size of the organization. Data breaches occur when a company lets its guard down in some regard.

Given the consequences of a breach, a business should work to be compliant at all times, regardless of the review requirements.

Comodo offers two services that provide PCI compliance scanning for your web site: HackerGuardian and Web Inspector.

HackerGuardian is an on-demand vulnerability assessment scanning solution that enables merchants and service providers to achieve PCI scan compliance. After each scan, you receive a comprehensive vulnerability report detailing any security issues, with remediation advice and advisories to help fix them.

Web Inspector provides the same PCI scanning and much more. It scans your site daily for malware and continuously monitors for other threats. Importantly, Web Inspector monitors the blacklists that record compromised web sites. If your site is listed on such a blacklist, for any reason, search engines will block it, and you lose customers because they can’t find your site.

With the number of threats on the internet growing each day, there are two things that are certain.

Being PCI compliant once a quarter is great.

Being secure every day is essential.


    Comments

    Willam T. Gates January 2, 2014 at 6:02 pm

    With all the PCI compliance issues, why do we continue to have TJ Maxx, Marshall Stores, Wal-Mart, Walgreen, KMart and now Target Stores PCI problems? It appears that PCI Compliance tests are a complete failure, even for the largest retailers….. Now what is the next bright idea?

      Kevin Judge January 6, 2014 at 3:43 pm

      First, I would not characterize PCI Compliance testing as a complete failure.
      Flawed standards are better than no standards at all.

      Second, we need to move to a model of continuous monitoring as opposed to the current snapshot approach.

    Anonymous March 3, 2015 at 4:49 pm

    I can see needing to raise awareness of security, but to have “200 specific PCI requirements” is insane. Also, most of these so-called places to ensure you have compliance want way too much money that a smaller business simply cannot afford. This method just ensures larger corporations put smaller businesses out of business. I mean, they can afford the fees, but “Jennie’s Bath And Body” (<– I made this name up) store can't because she's a small store that has a few employees. So once again, it's the larger companies ensuring that smaller companies won't survive. Then we have them shoving huge fines against a smaller company that can amount to thousands; all these items will surely put them out of business. It's win-win for larger corporations.

    Last time I checked, I don't recall any hefty fines being issued against larger retailers, but I did hear about a fine against a small retailer. It's like the large retailers, who give the credit card companies the most business, are exempt from those fines. Did Target or Home Depot receive a fine for their breaches? No. Yes, they are being sued by customers, but still, aren't Visa, MasterCard, etc. supposed to be fining them? I haven't heard a single statement in the news about them ever being fined for their breaches.
