According to the 2017 Verizon Report, 80% of organizations are still not compliant with PCI DSS (the Payment Card Industry Data Security Standard), and only 29% of those that achieve compliance are still compliant one year after validation. Technology moves quickly, so compliance controls and policies implemented in past years may not stand up to current threats. The report also found that none of the companies it examined that suffered a breach were fully compliant at the time.
Who is affected and what is at risk with PCI non-compliance?
- If there is a breach, customers lose trust, and customer trust drives sales.
- After a breach, customers’ credit can suffer.
- Businesses can lose credibility and some will close as a result.
- Businesses that are not compliant with PCI DSS are subject to fines and penalties; Goanywhere.com states that fines can range from $5,000 to $100,000.
Therefore, any business that accepts, processes, stores, or transmits cardholder data is required to stay up to date with the Payment Card Industry Data Security Standard, and the standard will continue to be updated with new mandates.
Where do cybercriminals access PCI data?
- Compromised card reader
- A tapped store network
- A hidden camera recording authentication data
- Payment system database
- Paper records in the store that expose cardholder data
Technology is also always changing; consider, for example, the ability to accept payment from a contactless device such as a phone or a tablet. The PCI Security Standards Council is developing a security standard for vendors who handle these types of transactions. Cybercriminals also continue to become more sophisticated, so businesses will have to step up their game in order to stay secure.
The PCI Security Standards Council highlights some of the new requirements in PCI DSS version 3.2:
- Executive management of service providers must establish responsibility for protecting cardholder data and for a PCI DSS compliance program.
- Organizations must use multi-factor authentication for all non-console administrative access into the cardholder data environment, not only for remote access.
- Service providers must perform quarterly reviews confirming that personnel follow security policies and procedures, covering activities such as log reviews, vulnerability scans and firewall rule-set reviews.
- Organizations must mask primary account numbers (PANs) when they are displayed, showing at most the first six and last four digits, and only to personnel with a legitimate business need.
Even so, compliance mandates keep changing to keep pace with technology and with the skills of cybercriminals; PCI DSS version 3.2.1, for example, has since been released.
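The PAN masking requirement above is easy to state but easy to get wrong in practice, because card numbers leak into places nobody designed for them: application logs, support tickets, exception traces. The following is an added example written for this page, not code from TechGuard or from the PCI Security Standards Council. It scrubs free text such as log lines, keeping at most the first six and last four digits of anything that looks like a PAN and passes the Luhn mod-10 check. The regular expression, the constructed sample line and the choice to leave non-Luhn digit runs alone (order numbers, timestamps) are assumptions for this example; tune them to your own data formats.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
# Constructed for this example; real data may use other separators.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str, first: int = 6, last: int = 4) -> str:
    """Keep at most the first six and last four digits (the PCI DSS maximum)
    and replace everything in between with '*'."""
    if len(digits) <= first + last:
        return "*" * len(digits)
    return digits[:first] + "*" * (len(digits) - first - last) + digits[-last:]


def mask_pans_in_text(text: str) -> str:
    """Mask every Luhn-valid PAN candidate in free text, preserving the
    surrounding characters and any separators inside the number."""

    def _replace(m: "re.Match[str]") -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw          # likely an order number or timestamp; leave it
        masked = mask_pan(digits)
        # Re-insert the original separators so the line keeps its shape.
        out, j = [], 0
        for ch in raw:
            if ch.isdigit():
                out.append(masked[j])
                j += 1
            else:
                out.append(ch)
        return "".join(out)

    return _PAN_CANDIDATE.sub(_replace, text)


# Constructed sample log line (test card numbers, not real cardholder data).
SAMPLE_LINE = (
    "INFO checkout order=1234567890123456 "
    "card=4111-1111-1111-1111 amex=378282246310005"
)

if __name__ == "__main__":
    print(mask_pans_in_text(SAMPLE_LINE))
```

The Luhn check is only a false-positive filter, not proof that a digit run is a card number, so treat this as a last line of defence: the real fix is to stop writing PANs to logs in the first place and to store them only where the cardholder data environment is scoped and protected.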
The 2017 Verizon Report states that “eighty percent of hacking attacks can be prevented by strengthening passwords and installing software patches.” Software vendors issue patches to fix vulnerabilities, and when businesses do not apply them, attackers exploit those vulnerabilities to steal payment card data.
Overall, to keep a credible reputation, businesses need to think about information risks related to people, processes, and technology. Let TechGuard perform a procedure review and gap analysis to determine whether your business is PCI DSS compliant; TechGuard's services cover activities that PCI DSS compliance mandates.
Written by Michelle Stamps
Michelle has over 10 years of experience in marketing and business development across various industries, including government and non-profit. Her background in writing, facilitating presentations and event planning lets her use her creative skill set, and her relationship-building skills strengthen her ability to understand the human element in cybersecurity and to support positive behavior change. Whether she is out in the community, blogging or developing the next social post for TechGuard, she believes in telling the company’s story and uses relatable, real-life examples to connect with our clients. If you know Michelle outside of work, you would know that she loves sunny days and tropical places.