PCI Compliance: What Is It Good For?
Data theft is everywhere these days. If you’re not managing and securing your confidential or private information, it may eventually undermine all the hard work you’ve spent improving customer experiences and driving growth. It’s not just strong passwords that are required; there are a magnitude of procedures that can be implement to protect your business.
One of the most popular and fundamental protocols you can follow is the Payment Card Industry Data Security Standard (PCI DSS). It is required by all organizations that handle branded credit cards from the major card companies, including Visa, MasterCard, American Express, Discover, and JCB. The standard was created primarily to increase controls around cardholder data and reduce credit card fraud.
I know what you’re thinking: “What if my business doesn’t handle customer credit card data?” There’s still plenty of reasons why you should be PCI Compliant. Just by judging the volume and scale of data breaches in the last 12 months, it is clear that the current techniques most businesses practice are not stopping attackers. Your overall security approach shouldn’t therefore rely on preventative measures alone. While firewalls and access controls are a valuable baseline of defense for any organization, it’s vital to look also at detecting any successful attacks as early as possible, mitigating damage, and identifying residual risk.
As noted in the Verizon 2015 PCI Compliance Report, in all of the payment breaches investigated over the last 10 years, not a single organization was fully compliant with PCI DSS at the time of the breach. For example, within Home Depot’s flawed security system which allowed customer information to be stolen for months, they were using an outdated Symantec antivirus software from 2007, not continuously monitoring the network for suspicious behavior, and performing vulnerability scans at only a small number of stores. This shouldn’t have ever happened and could have been completely avoided.
STEP 1: Get Compliant
For an overall look of what is required to be considered PCI Compliant, take a look at this Reference Guide released by the PCI Security Standards Council.
Not being properly prepared when it comes time for PCI validation creates additional cost and effort. 80% of organizations failed their initial PCI compliance in 2015, don’t be one of them!
STEP 2: Stay Compliant
Maintaining the DSS principles requires making risk management more than a once-a-year exercise. Constant monitoring of servers and workstations is required to detect and prevent the early onsets of an attack. Be forewarned, traditional signature-based anti-virus scanners are largely reactive and not sufficiently effective to counter new and emerging threats, such as zero-day and social-engineering attacks. Therefore, organizations should use more sophisticated technologies that include proactive behavior detection, sandboxing, whitelisting, application control, cloud-enabled threat intelligence, heuristics, and reputation analysis. Without these measures, nearly 75% of organizations in 2015 fell out of compliance less than a year after being assessed for compliancy.
STEP 3: Move Beyond Compliance
Investing in additional capabilities, if a breach does occur, will let you respond quickly and help you mitigate the damage. It’s always recommended to employ a backup solution that captures real-time snapshots of your systems, as this will allow you to quickly and easily rollback to a state before the breach. Two-factor Authentication is also a great and simple step towards preventing unauthorized access, as it requires the attacker to have physical access to your phone or device.
Feeling overwhelmed or looking for more information? Contact ZBx Technology today and we can help protect your network and systems from these common threats. We’ll provide the ongoing maintenance and support your business needs to stay operational. Call us at 616-594-7100 or email firstname.lastname@example.org to start discussing plans and options available for your organization.