As breaches continue to happen, the adage of not if but when continues to ring true. The following 9 myths regarding PCI compliance are worth a review as many organizations allocate funds to cybersecurity spending.
Myth 1. PCI compliance is not worth our time as an organization.
As more and more organizations and even the tech industry itself moves toward a risk-based approach, the notion of annual reporting on cybersecurity and technology risk is not far off. PCI DSS requires organizations regularly test security processes and systems. Though this is a challenge, PCI compliance audits may help organizations as they make decisions regarding technology and risk.
Areas to address include:
- Network Security: Non-firewalled connections are a risk; restrict network access to only those who need it.
- Data Storage: Stored data is always a potential exposure; keep data retention to a minimum.
- Application Security: Does one application provide access to every application? If so, revisit this practice.
- System Access: Limit and track access, and rotate credentials and logins regularly.
- Authentication: Requiring two-factor authentication is not just an option anymore.
- Tracking Changes: Maintain logs of every change to confirm sensitive transaction data is secure.
- Privileges: Have admin privileges been changed or was a new user created?
Myth 2. PCI compliance is not continuous.
The mindset of security beyond compliance is one that many businesses struggle with; however, that struggle does not need to exist with PCI compliance. Requirements 10.5.5 and 11.5 require the use of file integrity monitoring software to help ensure log data cannot be changed without generating alerts.
The PCI security standards council discusses the three-part process needed to ensure continuous PCI compliance.
- Continual Assessment
- Immediate Remediation
- Regular Reporting
Continual assessment is a year-round, ongoing assessment that helps to ensure an IT environment is secure and the risk of suffering a data breach is mitigated. Immediate remediation is simply addressing and fixing non-compliance concerns as they arise. Many organizations are choosing to implement monthly or quarterly reporting in all cybersecurity areas, not just those within the compliance perspective.
With the 2018 addition of PCI requirement 12.11, service providers now have to perform quarterly reviews ensuring personnel are following proper security policies and operating procedures. Many organizations are simply choosing to implement a quarterly review as well.
Myth 3. PCI compliance is difficult to achieve.
Though there are challenges when implementing and maintaining any compliance requirement, if the processes are put into place from the beginning, achieving PCI compliance doesn't have to be a chore.
As previously mentioned, human error is the single greatest point of failure regarding information security risks. Ensuring a policy is put in place doesn't have to be daunting.
- Review and document where data is stored
- Test security policies
- Use the right software
- Conduct quarterly reports
- Complete the SAQ (if needed)
Myth 4. PCI compliance equals data security, so our data is secure.
Just as PCI requirements evolve, data security is evolving at a rapid pace. If your data security policy is not in place, most likely PCI compliance will not be in place either. The three areas to review in PCI compliance policies are process or policy, people or staff, and software.
PCI compliance is subject to change at any moment and should be viewed as a temporary state; many organizations have learned this the hard way, either via a breach or a system compromise.
Myth 5. PCI compliance is outsourced so it does not concern our internal organization.
Though outsourcing the maintenance of PCI compliance is common, the responsibility cannot be outsourced.
Many organizations do not realize they still need to have measures in place, so potential risk and security issues remain. As noted by SecurityIntelligence, outsourcing does not "provide automatic compliance", and the same piece comments that "if vendors mishandle returns and expose credit data, retailers are on the hook".
Myth 6. PCI compliance software is not worth the costs.
Non-compliance fees can be costly, and monthly penalties can add up quickly. There are many factors organizations need to consider when evaluating PCI compliance costs.
- Physical environment
- Business type
- Number of employees
- Senior Leadership
- In-house PCI knowledge
- Hardware
- PCI fees
- QSA
Though the compliance level can help with predicting compliance costs, the above factors can vary the costs significantly. As previously noted, for many smaller businesses and organizations that process fewer than 20,000 transactions, the costs can average around $10,000 or below.
When looking at PCI software, there are 4 key features organizations can look for:
- Proactive Change Management
  - What was changed
  - Who made the change
  - Where the change was made
  - When the change took place
- Auditing Capabilities
  - A complete audit trail is needed for PCI compliance
- Integrated Ticketing
  - Look for a solution that can differentiate good change from bad
- Automatic Vendor Change Identification
  - The ability to eliminate false positives saves time and resources
  - Look for a cloud-based service that automatically identifies changes due to patches and updates
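An added example, not code from the original post or from any product it mentions: a minimal Python file-integrity check in the spirit of requirement 10.5.5 (Myth 2) and the what/where/when change-tracking features listed above. It treats append-only growth of a log file as legitimate and alerts only when bytes recorded at baseline time are altered or the file disappears; the function names and the sample log lines are constructed for the demonstration.

```python
import hashlib
import tempfile
import time
from pathlib import Path


def prefix_hash(path: Path, length: int) -> str:
    """SHA-256 of the first `length` bytes of a file."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read(length)).hexdigest()


def build_baseline(root: Path) -> dict:
    """Trusted snapshot: size and hash of every file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            size = p.stat().st_size
            baseline[str(p.relative_to(root))] = {"size": size, "sha256": prefix_hash(p, size)}
    return baseline


def check(root: Path, baseline: dict) -> list:
    """One alert per file whose baselined bytes were altered or that disappeared.
    Growth that leaves the original prefix intact (normal log appends) is allowed."""
    alerts = []
    for rel, expected in baseline.items():
        p = root / rel
        if not p.is_file():
            alerts.append(alert(rel, "removed"))
        elif p.stat().st_size < expected["size"] or prefix_hash(p, expected["size"]) != expected["sha256"]:
            alerts.append(alert(rel, "existing data modified"))
    return alerts


def alert(where: str, what: str) -> dict:
    """Record what changed, where, and when it was detected ("who" needs OS audit data)."""
    return {"what": what, "where": where, "when": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}


def demo() -> dict:
    """Constructed sample: one log is appended to (no alert), another has an old line edited."""
    root = Path(tempfile.mkdtemp())
    (root / "auth.log").write_text("10:00 login alice\n")
    (root / "app.log").write_text("10:00 start\n")
    base = build_baseline(root)
    with open(root / "auth.log", "a") as f:
        f.write("10:05 login bob\n")  # append only: allowed
    (root / "app.log").write_text("10:00 START\n")  # rewrites existing bytes: alert
    return {a["where"]: a["what"] for a in check(root, base)}
```

Attributing a change to a person (the "who") is not recoverable from file contents alone; it comes from OS audit logging or a change ticket, which is why the features above list ticketing integration separately.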
Myth 7. PCI compliance does not apply to us because our organization is small.
Though many organizations may not believe there is a "worth", or dollar value, attributed to PCI compliance, this belief is not always founded. As noted in a recent post about PCI DSS 3.2.1, there are no exemptions based on the size of the organization.
Organizations of any size should want to be compliant: the standard is not only applicable to them but is also a requirement.
Myth 8. PCI compliance does not apply to our brick-and-mortar location, and we only have POS devices.
A previous study reported that 91 percent of retailers were not compliant with PCI DSS during a six-month review. Though many businesses may not realize it, point of sale (POS) systems require file integrity monitoring as they are directly involved with the processing of credit cards. Changes to the OS and applications on POS systems can cause system downtime and, in worst-case scenarios, a breach of credit card data.
Though the thinking behind keeping an infrastructure safe and secure is valid, securing a POS system can at times seem a "hard sell" from a budgeting perspective, as the ROI on POS systems is non-existent.
Myth 9. We've never had an issue, so PCI compliance is not a big deal.
As previously stated, it is not a matter of if but when. The latest from Symantec reports web attacks are on the rise, and with employees being one of the largest security risks, or "issues," compliance should be a big deal.
Financial costs after a data breach can include:
- Merchant processor compromise fines: $5,000 – $50,000
- Forensic investigation: $12,000 – $100,000+
- Onsite QSA assessments following the breach: $20,000 – $100,000
- Free credit monitoring for affected individuals: $10 – $30 per card
- Card re-issuance penalties: $3 – $10 per card
- Breach notification costs: $2,000 – $5,000+
- Technology repairs: $2,000 - $10,000+
- Increase in monthly card processing fees
- Legal fees
- Civil judgments
Ways to improve PCI DSS compliance efforts can include:
- Educate your employees
- Place responsibilities on the right individuals
- Enforce unique user IDs
- Invest in the right tools
It is also worth noting that Symantec's latest data on user name usage still lists "admin", "root", and "default" as the most common user names used in attacks, while "123456", [BLANK], and "admin" were the top three passwords.
PCI compliance doesn't have to be a challenge. Not sure where to begin? Download the 2019 PCI Checklist to review PCI DSS 3.2.1 requirements today.
June 13, 2019