If you accept credit cards for payment in your business, then you are subject to the Payment Card Industry Data Security Standard or PCI-DSS. Up to now, this standard has really been more about compliance, but this year the Payment Card Industry is definitely focusing on real 24/7 365 security. The industry has been hit hard in the last two years by the BackOff POS exploits that have affected major retailers such as Target, Home Depot, and Staples, as well as hundreds of other businesses large and small.
Now is the time to get going with the system upgrades that are going to be required to meet the tougher standards of PCI-DSS 3.0. The new standards are going to be looking at five new areas of operation.
- Employee training and policy standards around passwords, especially the importance of changing defaults passwords on network devices, appliances, and software.
- More penetration testing is likely to be mandated for companies accepting credit cards. Audits that limited their focus to compliance will be delving more deeply into the actual security environment of the business.
- Vendor risk management will also become more important, since several major retail breaches started by breaking the less secure networks of smaller vendors.
- More devices will be covered under the new standard, as it will not matter whether card data is actually stored on the system. Current state of the art in POS malware utilizes a techniques called “memory scraping” where the card data is actually captured off the RAM chips in the POS system before it can be handed off to the operating system and software that would encrypt the data.
- Real security not just compliance will be emphasized, with the expectation that card payment systems will be properly secured at all times, and not just for the annual audit.
This will mean most retailers will really need to partner with a cybersecurity firm that can provide them with the employee training, information security policies and documentation, and vulnerability and penetration testing that the new standards are going to require.
More Info: PCI-DSS 3.0 Standards documentShare
About the Author:I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com