In 2011, 89% of organizations with payment card data loss were not Payment Card Industry Data Security Standard compliant at the time of the security breach. These types of breaches can lead to monetary loss for the customer and for a company; in the case of the former, there is also the possibility of reputation loss – which may be a far worse and lasting negative effect.
The first tip for avoiding costly PCI Compliance violations (in the above piece) is familiarization with the requirements themselves. With the complexity and severity of security breaches always growing, it is crucial to know and understand the security standards required to store, transmit or process payment cardholder data. While the 75 page PCI DSS “Requirements and Security Assessment Procedures” document may be somewhat daunting in its requests and exhaustive calls for implementation, it can be simplified to:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
When you break down these main categories, there are 12 provisions to achieve PCI DSS compliance. Not only are these requisite provisions for PCI Compliance, but they are a great template for security for any type of business.
A while back we posted the following PCI quick tips, which are still applicable:
- Encrypt cardholder data.
- Use products that are approved for the PCI standard.
- Understand the concept of compensating controls.
- Organize PCI compliance as an on-going, cross-functional project–not as a one-time event.
- Understand your cardholder information business process from end to end.
- Take the time to read and understand the PCI Data Security Standard.
- Store unnecessary cardholder data beyond receiving the authorization code.
- Be lulled into thinking that you would not be a target for criminals.
- Try to create your own crypto solutions.
- Assume your vendor is protecting you.
Through all the preparation and planning, let’s not forget that PCI DSS does not make a company immune from attack. It can and does still happen – after all, a determined hacker can bypass any security. This is why PCI DSS Compliance, and security as a whole, must be treated as an ongoing processes with a time investment in-line with how much your company values staying in business.
No Comments »