Payment Card Security

Payment Card Security Revisited

Payment Card SecurityNearly half of all data breaches are aimed at small businesses and occur through the acceptance of credit cards. Last year we posted a blog on this topic and want to update it in light of the Verizon 2018 Payment Security Report (you have to give your name, email, and company in order to download it); here’s an executive summary of the report. Some of what follows is a repeat of the prior blog which, from the Verizon report, was not taken too seriously by many businesses.

Trends in payment security

The Payment Card Industry Data Security Standard (PCI DSS) helps businesses that offer card payment facilities protect their payment systems from breaches and theft of cardholder data. The Verizon report found that for the first time in 6 years, payment security compliance was down. In 2018, only half (49%) of organizations worldwide are leveraging PCI DSS compliance efforts to meet other security requirements.

Compliance protocols

All organizations, including payment service providers, merchant processors, online merchants, and face-to-face merchants, that store, process, or transmit payment card data are mandated by VISA, MasterCard, Discover, American Express, and other payment brands to comply with PCI DSS Standards. These are standards created by the PCI Security Standards Council, which was founded in 2006 by American Express, Discover, JCB International, MasterCard, and Visa.

There are 12 key requirements to being secure (some are technical while others are basic business practices):

Goals PCI DSS Requirements
Build and maintain a secure network and systems 1.      Install and maintain a firewall configuration to protect cardholder data

2.      Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data 3.      Protect stored cardholder data

4.      Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program 5.      Protect all systems against malware and regularly update anti-virus software or programs

6.      Develop and maintain secure systems and applications

Implement strong access control measures 7.      Restrict access to cardholder data by business need to know

8.      Identify and authenticate access to system components

9.      Restrict physical access to cardholder data

Regularly monitor and test networks 10.  Track and monitor all access to network resources and cardholder data

11.  Regularly test security system and processes

Maintain and information security policy 12.  Maintain a policy that addresses information security for all personnel.

Source: PCI Security Council

How to become compliant

According to the Verizon report, only 40% measure their PCI compliance annually for compliance validation purposes. Less than a quarter (19%) measure and report their PCI DSS compliance monthly. If you are concerned about payment card security for your business, review your current security measures.

  • Understand the 9 factors of control effectiveness and sustainability. These factors were developed by Verizon to help meet the 12 key requirements discussed earlier:
    1. Control environment
    2. Control design
    3. Control risk
    4. Control robustness
    5. Control resilience
    6. Control lifecycle management
    7. Performance management
    8. Maturity measurement
    9. Self-assessment
  • Do a self-assessment of your cardholder data using PCI’s Self-Assessment Questionnaire.
  • Talk with your IT person. Hopefully, the person is versed in PCI DSS. If not, they should be able to refer you to someone who is. As an aside, my IT person told me that it’s easier for small businesses to be compliant because the tech stuff is easy to handle and the non-tech stuff (e.g., limiting personnel who can access computers) is better controlled in small companies.
  • Work with your credit card processor. Your bank or other credit card processor is your active partner on PSI DSS compliance, and should be an excellent resource to assist you in becoming and maintaining compliance.
  • Work with a national PCI DSS expert. Once this expert certifies that you’re compliant, the costs of dealing with a data breach will be far less than if you were noncompliant.

Conclusion

Consider carrying cyber liability coverage for protection, but be sure to check whether data breaches are explicitly covered. Learn about PSI DSS compliance with this helpful guide.

2 comments

Leave a reply

Open
Close

Big Ideas for Small Business®
Find it for free on the App Store.
Get