With the news of the security breach of Target's POS system and servers, as well as the ensuing investigation that found the malware used was linked to several other attacks last year, many people may be asking what is being done to prevent these attacks from happening. This inevitably turns all eyes on the Payment Card Industry Security Standards Council (PCI SSC) and the new security standards (PCI DSS v3.0) which were released in November 2013.
A recent article from Nerd Wallet took this idea and ran with it by examining the latest version of the report and seeing what the main points retailers need to be on the lookout for. Since the regulations are brand new and do not take effect until the new year, which was after the Target breach was uncovered, some of these requirements were not in place.
There are several new rules and regulations that are front and center now. First off, there are some clarifications that need to be made. These affect all companies that store, transmit or process data. In today's world, more than just credit card data needs to be protected. All information including checking, banking, employee, patient, intellectual property, customer lists and more can be vulnerable. These businesses need to document and implement firewalls and router standards, change default passwords for all systems and perform regular assessments to validate PCI compliance at any point in time.
Once these are out of the way there are several new regulations that play into this. They include:
- Maintaining an updated network diagram including cardholder data flow
- Keep an inventory of system components needed for PCI DSS security
- Evaluate all malware threats
- Ensure anti-virus solutions are active and cannot be disabled by unauthorized users
- Consolidate authentication mechanisms — security cards, tokens and passwords — into a single location, limiting access to intended users
- Control physical access to sensitive areas
- Create or include changes to identification and authentication mechanisms, changed to audit logs, inventory of wireless access points
- Test methods for keeping sensitive information separate from other networks
There are other regulations on the books, but they do not go into effect until June 2015 and are subject to change in the year before that. These include protections against tampering with physical card readers, testing penetration capabilities of a network attack and making sure third-party service providers understand PCI coding practices.
While there are a lot of rules to consider, they are necessary to keep all card information secure.
"It's really important for merchants to instill trust in their customers by keeping sensitive customer information safe, so that customers want to return again and again," the article reads. "That's one reason for merchants to follow these rules and to choose trustworthy third-party service providers."
It is difficult to say that if a business was to implement all of these regulations and stay on top of them, that they would remain safe from all potential security threats. The truth is that criminals are smart and evolving their methods. However, following PCI compliance regulations are the first step toward helping businesses be successful.
Remaining PCI compliant is a challenge, as the standards are always changing. There is a good chance that a future upgrade to the code will include EMV standards on page one, as the security potential of the system is touted by experts in the wake of these breaches.
So the question becomes, is your business completely PCI compliant and, if not, or you don't know, who are you turning to for help?