3 Basic Ways to Avoid PCI Paralysis

Combat security threats while achieving PCI compliance.

Social engineering attacks are increasingly prevalent. The defeatist belief that the hackers have won, and any business can be breached—or already has been—can paralyze small and large businesses alike. The truth is, well-known breach studies have shown that the vast majority of attacks would have failed had the most basic defenses been put in place.

These defenses can be scaled to both the size and budget of the organization, leaving no logical reason to avoid taking action steps to combat the threats. If you’re looking at Payment Card Industry (PCI) compliance and not knowing where to start, here are 3 ways you can avoid falling into the paralysis of doing nothing at all.

1) Create a culture of awareness and educate employees on a continuous basis.

This is a no-cost solution that is also critical to the business’s security well-being. Larger companies and non-profit organizations like hospitals and colleges should consider investing in social engineering projects that locate gaps in employees’ security awareness.

Many experts predict that social engineering attacks will only increase in the future. It’s crucial that each employee understands the role they play in the business’s data chain. Each person who interacts with sensitive data or the systems that handle it must be educated on the common tactics hackers use to steal information. Check out ControlScan’s webinar replay on social engineering, “Social Engineering: Hacking into the Human Mind.”

2) Designate a PCI champion.

Even if your business doesn’t have a dedicated IT group, it will benefit from someone being formally assigned the role of understanding and monitoring basic security functions. This assignment carries with it the responsibility to keep business systems current with the latest patches and updates, as well as to consider the security impacts of website and physical POS changes.

3) Avoid storing payment information whenever and wherever possible.

Whether accepting customer payments over the phone, by fax, in person or online, it is always a best practice to immediately process that information and purge any remnants such as paper copies. Businesses that store payment information, either in hardcopy or electronic form, are putting themselves at a much more significant risk for breach. Encryption and tokenization solutions should also be employed to maintain the security of data in motion and at rest.

My mantra is Start Somewhere! Many breaches are preventable; they still tend to be unsophisticated and can be repelled with strong, basic defenses. Start with vulnerability scanning but think about adding network penetration testing as soon as possible. If you have developed Web applications, this is even more critical.

Commitment to people, processes and technology.

The bottom line is that the PCI Security Standards Council (SSC) can and does work for those who view it as an opportunity to protect their business assets from data thieves. In fact, he PCI SSC has introduced two new requirements in PCI Data Security Standard (DSS) v4.0 to help detect and protect businesses and their personnel from phishing and social engineering attacks (5.4.1 and 12.6.3.1). The key is to view it from a daily process basis with security as the primary focus. PCI compliance shouldn’t be viewed as a burden, but rather a natural extension of the business’s daily commitment to people, processes and technology.

Looking for expert guidance?

Prepare for the worst yes but get some peace of mind by knowing you are doing all you can, within your power and available resources. Contact us to learn more about how VikingCloud can help.