PCI DATA SECURITY STANDARDS: BEYOND COMPLIANCE

November 26, 2013 | By Kevin Judge

There is an epidemic of identity theft that is costing businesses and consumers millions of dollars per year. Most of these incidents are the result of data breaches that compromised credit and debit card data. The cost of dealing with the data breach is bad enough, but the damage to your reputation with your customers and suppliers as a trustworthy business is incalculable. Business in the internet age is more about trust than ever before. A loss of trust can be fatal to a business.

If you are a business that accepts cards, you know how important it is to your business. An e-commerce business can’t survive without accepting cards. You also know that the card companies require you to meet the Payment Card Industry (PCI) Data Security Standards (DSS).

Failure to comply can result in large incident fines and even the suspension of the ability to accept cards. Given the criticality of compliance, it is remarkable that Point of Sale (POS) systems are involved in the most data breaches, and that most of those breaches could have been avoided by the most basic security measures: firewalls and antivirus protection.

Those were among the findings of the last two annual Data Breach Analysis Reports issued by Verizon. As the threats to internet security grow and become well known, it is hard to believe that a business would fail to do the very basics required, but that is too often the case.

I suspect that many small and midsize businesses, which can’t afford a large IT staff of their own, simply still view POS systems as high-tech cash registers and not as networked computers, which they are. A retail POS system should have a personal firewall and antivirus scanner on it, just the same as any computer you hook up to your network.

I also think that they assume their web host will take care of all security. They don’t realize that for performance reasons web hosts do not do the type of antivirus scanning that we do on network computers.

There are services provided by internet security companies that will scan your site for vulnerabilities and PCI compliance. They can identify malware infections that can harm your customers and cause your site to be added to a blacklist of sites blocked by search engines. If such issues are identified, they will provide guidance on how to address them.

Keep in mind that PCI compliance requires passing a 12-point test, and you must pass all 12 points or you fail compliance. There has never been a reported data breach where the victim was in compliance at the time of the breach. However, compliance reviews are a snapshot and are required at varying intervals depending on the size of the organization. Data breaches occur when a company lets its guard down in some regard.

Given the consequences of a breach, a business should work to be compliant at all times, regardless of the review requirements.
