What You Need to Know About PCI DSS Compliance this Holiday Season
Protecting Santa’s Workshop…and Payment Card Data
In addition to facing a sophisticated and rapidly evolving cybersecurity landscape, enterprises must also adhere to legal regulations around data storage and security. Failure to comply with measures like the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS) leaves both companies and, more importantly, their customers at risk. With the busy holiday shopping season in full swing, and retailers experiencing dramatically higher transaction volumes, protecting customer information and payment data cannot be an afterthought.
What’s the deal with PCI DSS?
All major credit card companies – Visa, MasterCard, American Express, Discover and JCB – abide by a set of security standards to ensure protection of sensitive customer information, such as credit card numbers, during transactions. Any business that wants to conduct even a single retail transaction using credit cards must comply with PCI DSS or it will be unable to accept payments by credit card. If a company is just starting to accept credit card transactions – perhaps as an online retailer or a smaller business – then the first thing to understand is how payments are being processed and what data is being collected and stored. Once the type of data being collected is understood, then it is easier to identify what information is needed and what is not. This is a critical first step to understanding which requirements apply to a specific company.
As with many other compliance regulations, PCI DSS places the responsibility for compliance on the business conducting the transactions, meaning the retailer is responsible for the compliance of both its third-party payment service providers and its internally hosted systems.
Being PCI DSS compliant means that you are ensuring the safety of your customers’ valuable data, keeping it out of the hands of bad guys who would want to resell it or make fraudulent transactions. For companies struggling to ensure they meet the right level of compliance, start by reviewing the information available through the PCI Security Standards Council and kicking things off with the PCI 3-Step Process.
‘Tis the season
The holiday season is a busy time of year, but not just for shoppers and retailers – it’s also a prime time for hackers and cybercriminals to take advantage of unsuspecting victims. There are many different risks companies and customers may encounter, including fraudulent credit card transactions. Although chip technologies, PIN transactions and card-verification for online transactions are helping to curb fraudulent transactions, cybercriminals continue to devise new ways to score big during the holidays.
A second risk – and this is as much a risk to a retail brand as it is to the customer – concerns fraudulent websites and advertisements. A successful tactic for criminals is to buy a soundalike domain name and use it to set up a fake web store for a high-end and popular brand. Typically, these scams rely on people mistyping the name of the site they are looking for, but recently it is not unusual to see cybercriminals creating fake social media accounts to advertise a sale or sending phishing emails advertising huge deals. These tactics pose a substantial risk to retailers: even though the scams are run by cybercriminals, victims who believe they have made a valid purchase often blame the real retailer for the deceit. This year, the Federal Bureau of Investigation even issued a warning about these scams ahead of Black Friday and Cyber Monday.
Online and in-store transaction volumes experience a huge boost this time of year, so as early as possible, make sure that all your systems are up to date and running smoothly to reduce the risk of any outage, as well as the potential damage from a breach. The sheer volume of online transactions makes it easier for cybercriminals to slip malicious code in through a vulnerability or try a few quick password brute-force attempts unnoticed while everyone is preoccupied with their shopping lists.
While no plan is ever 100 percent foolproof, retailers need to start by covering these bases:
• Be PCI DSS compliant. Keeping systems secure and compliant with PCI DSS signals to customers that they can be confident all sensitive payment card information is protected and out of reach from malicious actors hoping to rack up fraudulent transactions using the funds of unsuspecting shoppers.
• Patch all systems with the latest available releases of software, malware signatures, policies and IPS/IDS updates.
• Activate multi-factor authentication and make sure it is working correctly for all systems, especially those that give access to any cardholder data. This is a requirement in PCI DSS, but the holiday period is a great chance for checking it once, then checking it twice.
• Have a team available during the holiday period to monitor and audit security logs on, at a minimum, a daily basis. We know that it takes around 200 days for many breaches to be detected; increasing the frequency of log review during this critical time can significantly reduce detection and remediation time.
Failure to implement these basic cybersecurity hygiene practices will leave retailers vulnerable to damage and fines during a lucrative time for their businesses – and a celebratory time for their customers.