According to the 2017 Verizon Report, 80% of organizations are still not compliant with PCI DSS (the Payment Card Industry Data Security Standard), and only 29% of them are still compliant one year after validation. With technology moving quickly, compliance solutions and policies implemented in past years may not be enough to stand up to modern security threats. In addition, none of the companies in the Verizon Report that suffered breaches were fully compliant at the time.
Who is affected and what is at risk with PCI non-compliance?
- If there’s a breach, customers lose trust. Customers’ trust equals increased sales.
- After a breach, customers’ credit can suffer.
- Businesses can lose credibility and some will close as a result.
- Businesses that are not compliant with PCI DSS are subject to fines and penalties. Goanywhere.com states that fines can range from $5,000 to $100,000.
Therefore, businesses that accept, process, or store credit card information are required to stay up to date with the Payment Card Industry Data Security Standard, and the standard will continue to be updated with new mandates.
Where do cybercriminals access PCI data?
- Compromised card reader
- A tap on the store’s network
- A hidden camera recording authentication data
- Payment system database
- Physical papers exposing PCI data in the store
Also, technology is always changing; consider, for example, the ability to accept payment from a contactless device such as a phone or a tablet. The PCI Security Standards Council is in the process of developing a security standard for vendors handling these types of transactions. Cybercriminals also continue to become more advanced, so businesses will have to step up their game in order to stay secure.
The PCI Security Standards Council shares some of the new requirements for the PCI DSS version 3.2:
- Management of service providers must establish responsibilities and a PCI DSS compliance program.
- Organizations must use multi-factor authentication.
- Service providers must perform quarterly reviews that may include audit logs, vulnerability scans and firewall reviews.
- Organizations must mask primary account numbers (PANs) wherever they are displayed.
Still, compliance mandates continue to be updated to keep up with technology and the advancing skills of cybercriminals. For example, PCI DSS version 3.2.1 is already out.
The 2017 Verizon Report states that “eighty percent of hacking attacks can be prevented by strengthening passwords and installing software patches.” Specifically, software vendors issue patches to fix vulnerabilities, and when businesses do not apply them, hackers exploit those vulnerabilities to steal payment card data.
Overall, to keep a credible reputation, businesses need to think about information risks related to people, processes, and technology. Let TechGuard perform a procedure review and gap analysis to determine whether your business is Payment Card Industry compliant. TechGuard provides services that cover the mandated parts of PCI DSS compliance.