If your business accepts credit cards for payment, then you are subject to the rules of the Payment Card Industry, known as PCI-DSS compliance. PCI compliance company Security Metrics recently released an infographic showing the main compliance failures behind the credit card breaches it investigated in 2017. Here are some of the startling take-aways:
- Breached businesses had one or more exploitable security vulnerabilities that had been present for over four years.
- Credit card data at breached companies was captured and exfiltrated for an average of nine months before the breach was discovered.
- 45% of companies were breached through insecure remote access technologies, such as RDP exposed to the Internet.
- 21% of companies were breached through malicious software, most often delivered by phishing or spear-phishing emails or by watering hole exploits.
- 39% of companies were breached using memory-scraping (RAM scraper) malware of the type used against Target, Neiman Marcus, Home Depot and many others. This suggests that the breached companies failed to apply all security updates or to run up-to-date anti-malware software on their point of sale systems.
- 97% of companies were breached even though they had firewalls in place. A firewall does not help when the attack comes in over a service it is configured to allow, such as remote access, or rides in on an email a user opens.
- 15% of firewalls did not meet PCI compliance requirements, many because they were old and out of date.
Recent changes to PCI compliance hold the business or retailer accepting credit cards responsible for financial losses due to a breach. This means that you could be on the hook for the monetary value of fraudulent purchases made with the credit card numbers lost by your company, unless you can show that you were fully compliant at the time. That takes more than answering "yes" to the questions on your last Self-Assessment Questionnaire (SAQ); you need to be able to demonstrate that you are actively meeting the standards the questionnaire asks about. If you don't understand the technical requirements, you may need the help of an outside cybersecurity firm.
- PCI-DSS v3.2 Self-Assessment Questionnaire Instructions and Guidelines
- Security Metrics infographic
- TechTarget – watering hole exploits