The Risk Of PCI Data Breaches
PCI DSS compliance has been in effect for over a decade, and despite that, organisations are still experiencing PCI breaches. Some of the world’s largest companies are still being hit by data breaches. For example, over 5 million credit card numbers were stolen in 2018 as a result of two significant retailer hacks. Many smaller companies regularly breach PCI DSS compliance without even knowing it. Could you confidently state that you have never had a PCI breach?
There are some specific pitfalls that businesses run into when it comes to maintaining compliance, and addressing them is essential to maintaining security across the board. Many people assume that securing their phone network is all that is required; unfortunately, it is not that simple. In fact, there are hundreds of pages of standards that need to be met. Below we outline just some of the common failures in PCI DSS compliance.
Failing to Patch Systems Regularly
We are all guilty of this in our personal lives as well as our business lives. How often have you received an update on your computer and delayed it until the next day, and then the next day again? Applying patches and updates is essential to closing holes in a system that can otherwise be taken advantage of.
PCI DSS requirement 6 outlines the requirement to patch systems on a regular basis. Specifically, it states that any critical patches affecting security must be installed within a month of their release, although obviously in this case sooner is always better.
The reason companies do not patch their systems promptly is the level of disruption patching can cause. Even larger companies with well-established procedures in place can fall behind in this regard.
The key to resolving this pitfall is, first, to take an active approach to identifying unpatched systems and applications; a regular schedule of vulnerability checks helps here. Then, put a process in place so that patches can be applied with the least disruption possible (for example, out of hours or at the weekend).
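As an added illustration of the "active approach to identifying unpatched systems" described above (example code written for this article, not PayGuard's own tooling), the script below applies the 30-day rule from requirement 6 to a patch inventory. The inventory, host names and patch identifiers are constructed, and the 7-day "due soon" warning is an assumed operational choice rather than a PCI DSS figure.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Window taken from the article: PCI DSS requirement 6 asks for critical
# security patches to be installed within a month of release. The 7-day
# "due soon" warning is an assumed operational choice, not a PCI DSS figure.
CRITICAL_SLA_DAYS = 30
DUE_SOON_DAYS = 7


@dataclass(frozen=True)
class PatchRecord:
    host: str
    patch_id: str              # hypothetical identifier, constructed for this example
    severity: str              # "critical" or "other"
    released: date
    installed: Optional[date]  # None means the patch is still outstanding


def deadline(rec: PatchRecord) -> date:
    """Latest acceptable install date for a critical patch."""
    return rec.released + timedelta(days=CRITICAL_SLA_DAYS)


def review_patches(records: List[PatchRecord], today: date) -> Dict[str, List[Tuple[str, str, int]]]:
    """Classify critical patches for the regular vulnerability check.

    overdue  : not installed and the deadline has passed (days overdue)
    due_soon : not installed, deadline within DUE_SOON_DAYS (days remaining)
    late     : installed, but after the deadline (days late; a past SLA miss
               worth recording for the assessor)
    Non-critical patches fall outside the 30-day rule and are skipped.
    """
    report: Dict[str, List[Tuple[str, str, int]]] = {"overdue": [], "due_soon": [], "late": []}
    for r in records:
        if r.severity != "critical":
            continue
        due = deadline(r)
        if r.installed is None:
            if today > due:
                report["overdue"].append((r.host, r.patch_id, (today - due).days))
            elif (due - today).days <= DUE_SOON_DAYS:
                report["due_soon"].append((r.host, r.patch_id, (due - today).days))
        elif r.installed > due:
            report["late"].append((r.host, r.patch_id, (r.installed - due).days))
    # Most overdue first, so the worst exposure sits at the top of the list.
    report["overdue"].sort(key=lambda item: item[2], reverse=True)
    return report


# Constructed inventory: a small estate reviewed on a fixed date.
TODAY = date(2024, 3, 15)
INVENTORY = [
    PatchRecord("web-01", "KB-0001", "critical", date(2024, 1, 20), None),
    PatchRecord("web-02", "KB-0001", "critical", date(2024, 1, 20), date(2024, 2, 10)),
    PatchRecord("db-01",  "KB-0002", "critical", date(2024, 3, 10), None),
    PatchRecord("pos-01", "KB-0003", "critical", date(2024, 2, 20), None),
    PatchRecord("app-01", "KB-0004", "critical", date(2023, 12, 1), date(2024, 1, 10)),
    PatchRecord("app-02", "KB-0005", "other",    date(2024, 1, 1),  None),
]

if __name__ == "__main__":
    for bucket, items in review_patches(INVENTORY, TODAY).items():
        for host, patch_id, days in items:
            print(f"{bucket:9s} {host:8s} {patch_id}  {days} days")
```

Run on a schedule, the "overdue" bucket is the list that needs an out-of-hours maintenance window booked, and the "late" bucket is the evidence an assessor will ask about.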
Failing to Review Audit Logs
PCI DSS requirement 10 covers the implementation of log monitoring. However, many organisations ignore these logs, and of course ignoring them makes them worthless. Daily reviews of these logs are essential for discovering errors and any issues that may signify or lead to a threat before significant damage occurs.
Studies have shown that, on average, it takes a company 206 days to detect a data breach. If companies reviewed their logs daily, these breaches would be found within hours. An effective log monitoring process can be the difference between life and death for a business.
Failing to Audit Access Data
SecurityMetrics reported that insecure remote access was the largest single cause of compromise in more than 39% of investigated security breaches. PCI DSS requirement 8 discusses the requirement to secure access to cardholder data, with specific requirements for two-factor authentication for any remote access.
Many companies have indeed implemented two-factor authentication, but a pitfall here is that many fail to audit the access process to verify that the controls are working as expected. Two-factor authentication isn’t a beneficial safety net if it isn’t working as planned, so it should be audited regularly to make sure it still works the way it was originally designed to.
Scheduling periodic audits against controls is an effective way of keeping security working continuously rather than letting it drift.
Addressing Compliance Only During an Annual Audit
Many companies are guilty of this, even outside the security realm, whether it is only tidying up the finances close to the year-end audit or, in our personal lives, only tidying the house when visitors are coming.
The reality is that PCI DSS compliance is heavily driven by deadlines. This often leads IT teams to carry out effective monitoring only when those deadlines arrive, such as annual audits or routine assessments. The problem with this approach is that the time when a company does not have its eye on the ball is exactly when it is at its weakest and most likely to experience a breach.
The process of maintaining rigid security and compliance work should be a consistent one, not one that only picks up close to assessments. Consistent security and compliance are more readily achieved when they become embedded as standard practice within the company.
Failing to Change Default Passwords
This shouldn’t surprise you, but failing to change the default password on any vendor-supplied system is a surefire way to leave your door wide open to any cyber criminal looking to steal credit card data. In an era where criminals can try hundreds of thousands, if not millions, of common passwords in a matter of minutes using automation, the risk of using common or default passwords is at an all-time high.
Not only should you change any default passwords, but make sure you change them to something unique.
Failing to Shut Down Remote Access
Many third-party vendors may require remote access to your systems for a variety of reasons, whether that is updating your systems for you or helping you with IT solutions. The issue arises when that access isn’t fully shut down afterwards, leaving a potentially large hole in your network that can be taken advantage of.
Implementing automated processes to terminate third-party access as soon as it is no longer needed is a key control, as is continuously monitoring any third-party access so that alerts are triggered when activity occurs outside the normal realm of business. If you allow a third party remote access, it is also wise to understand their process for shutting down the access on their end.
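The following added example (written for this article, not PayGuard's product code) shows what the daily log review from the "Failing to Review Audit Logs" section and the third-party access monitoring just described can look like in practice. It reads constructed remote-access gateway log lines, compares each vendor login against the access window that was granted for that account, flags logins outside the granted window or outside business hours, and produces the list of accounts that the automated termination step should disable. The log format, vendor account names, access windows and the Monday-to-Friday 08:00-18:00 UTC business-hours policy are all assumptions made for the example.

```python
from datetime import datetime, time, timezone
from typing import Dict, List, NamedTuple, Optional, Tuple


class Grant(NamedTuple):
    """Access window granted to a vendor account (constructed for this example)."""
    start: datetime
    end: datetime
    enabled: bool  # whether the account is still enabled on the remote-access gateway


class Event(NamedTuple):
    ts: datetime
    fields: Dict[str, str]


def utc(stamp: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed log lines."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Assumed policy: vendor logins are expected Monday to Friday, 08:00-18:00 UTC.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)


def parse_line(line: str) -> Optional[Event]:
    """Parse '<timestamp> key=value ...' lines; return None for lines that do not fit."""
    parts = line.strip().split()
    if not parts:
        return None
    try:
        ts = utc(parts[0])
    except ValueError:
        return None
    fields = {k: v for k, v in (p.split("=", 1) for p in parts[1:] if "=" in p)}
    return Event(ts, fields)


def outside_business_hours(ts: datetime) -> bool:
    """True on weekends or outside the assumed 08:00-18:00 UTC window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def review_remote_access(log_lines: List[str], grants: Dict[str, Grant],
                         now: datetime) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Return (alerts, accounts_to_disable).

    alerts: (kind, user, timestamp) for logins by accounts with no grant on
            record, logins outside the account's granted window, and logins
            out of hours.
    accounts_to_disable: enabled vendor accounts whose window has ended or that
            logged in outside it; this feeds the automated termination step.
    """
    alerts: List[Tuple[str, str, str]] = []
    to_disable = set()
    for line in log_lines:
        ev = parse_line(line)
        if ev is None:
            continue
        user = ev.fields.get("user")
        if ev.fields.get("action") != "login" or user is None:
            continue
        grant = grants.get(user)
        if grant is None:
            alerts.append(("unknown_account", user, ev.ts.isoformat()))
            continue
        if not (grant.start <= ev.ts <= grant.end):
            alerts.append(("outside_grant_window", user, ev.ts.isoformat()))
            to_disable.add(user)
        if outside_business_hours(ev.ts):
            alerts.append(("out_of_hours", user, ev.ts.isoformat()))
    # Expired grants are disabled even if the vendor never logged in again.
    for user, grant in grants.items():
        if grant.enabled and now > grant.end:
            to_disable.add(user)
    return alerts, sorted(to_disable)


# Constructed access windows and gateway log lines.
GRANTS = {
    "acme-svc":    Grant(utc("2024-03-11T00:00:00Z"), utc("2024-03-13T23:59:59Z"), True),
    "vendorb-ops": Grant(utc("2024-03-01T00:00:00Z"), utc("2024-03-31T23:59:59Z"), True),
}
NOW = utc("2024-03-18T09:00:00Z")
LOG_LINES = [
    "2024-03-12T10:15:00Z user=acme-svc action=login src=203.0.113.7",
    "2024-03-12T10:40:00Z user=acme-svc action=logout src=203.0.113.7",
    "2024-03-14T02:13:07Z user=acme-svc action=login src=203.0.113.7",
    "2024-03-16T11:00:00Z user=vendorb-ops action=login src=198.51.100.9",
    "2024-03-14T09:30:00Z user=unknown-vendor action=login src=192.0.2.10",
    "malformed line with no timestamp",
]

if __name__ == "__main__":
    found_alerts, disable = review_remote_access(LOG_LINES, GRANTS, NOW)
    for kind, user, stamp in found_alerts:
        print(f"ALERT {kind:22s} {user:15s} {stamp}")
    print("disable:", ", ".join(disable))
```

The second `acme-svc` login is the case the section warns about: the vendor's engagement ended on 13 March, yet the account still works at 02:13 the next day. It raises two alerts and lands the account on the disable list, which is exactly the signal a daily review would have surfaced within hours rather than months.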
It should always be kept in mind that compliance is a journey rather than a destination. Nobody ‘completes’ compliance; it is a constantly evolving process that requires adaptation and consistent, rigorous application. When it comes to the security of taking payments, a good option can be to work with a company that focuses on absolute compliance with the PCI DSS for your card payments. PayGuard® is a simple and secure payment provider that allows your business to take card payments over the phone while remaining compliant.
Applying continuous due diligence and an attitude of consistent improvement will help you avoid breaches of your PCI DSS compliance. Monitoring your security platforms can be just as important as having them in place to begin with. This way, your team keeps things under control rather than putting out fires when they occur, and can meet the complexities of a changing compliance environment over time.
Want To Know More?
We are friendly people and experts in payments, so feel free to get in touch and have a no-obligation chat about your situation.