Does your university or college accept credit or debit card payments? Of course. But are you looking after that payment card data securely enough? Matt Ball, chair of the PCI DSS Special Interest Group (SIG), outlines nine key areas that every security team needs to consider.
Compared to other forms of personal data, payment card data is among the most attractive for criminals to exploit and the high demand for it is resulting in ever more security breaches.
Ticketmaster and British Airways are just two of the high-profile companies who have suffered card breaches so far this year, which is concerning if you or your staff have booked tickets online for an event or flight recently.
The financial and reputational cost to companies that fail to protect their customers’ card data can be immense.
Payment security - the essential need
Payment card data security is an essential business activity your organisation is expected to maintain at all times.
It is your responsibility to proactively protect the cardholder data supplied to you by your customers while it is in your possession and being used for your business needs. By preventing cardholder data, and the personal data associated with it, from being compromised at source, you prevent the card data you hold from being used fraudulently.
The Payment Card Industry Data Security Standard (PCI DSS) is the standard you must adhere to when protecting payment card data. Compliance with the standard demonstrates that the minimum level of data security for protecting card data is in place and is being maintained by the merchant.
Reporting PCI DSS compliance is an annual activity used by your acquirer (the bank that processes your card transactions) to validate that payment security meeting or exceeding the PCI DSS standard is in operation. Although PCI DSS is focused on card data, its principles apply equally well to all types of personal data.
1. Be vigilant at all times
Attackers exploit weaknesses and failures, whether they are technical, process-based or people-based.
Unexpected, untested or uncontrolled change (whether internally or externally driven) can introduce an exploitable weakness. In most cases an attacker will have been inside your systems for weeks or months after the weakness was exploited and before the intrusion is discovered.
2. Value your staff
People can be the best defence when properly trained, guided and supported by defined policy and procedure.
Around 95% of breaches can be attributed directly or indirectly to human actions. Embedding a security culture into the organisation, so that all staff are supported and equipped with the essential skills to manage card data within their business area, is key to maintaining compliance with PCI DSS.
3. Understand your payment environment
Do you know where the payment data is? Where it comes from, where it goes? Why you have it?
It is essential that every part of the payment environment is identified wherever card data is collected, handled, transmitted or stored. The people, locations and technology involved, and the relationships between them, should be defined and documented.
4. Continually refine process and practices
Implementing PCI DSS will identify bad practices, ranging from passwords being shared to card data being written down, as well as processes that no longer apply but are still followed because "we've always done it that way".
Be prepared to continually evolve business processes to meet the ever-changing data security needs of the organisation, and embed those changes in staff training.
5. Maintain policies
Clearly defined, usable policies underpin the security practices, support staff and limit uncontrolled expansion of the card payment environment.
Use policies to define what is acceptable as well as what is not. Ensure they are publicised, acknowledged and understood.
6. Ownership and accountability
Without a named business owner for each technology, process and payment channel, you run the risk of a breach through a long-forgotten or unmanaged process or system that is not patched, updated or changed in line with the rest of the payment environment.
7. Don't scrimp on the testing
Testing is essential and will pick up flaws, faults and shortfalls in the understanding of processes and configuration.
Extend testing beyond deployment and use it to support auditing, so you can show that your payment environment is operating securely and meeting or exceeding the PCI DSS standard.
8. Communicate clearly
Ambiguous communication, or breakdowns in communication, have been major contributors to data breaches not being contained.
Never assume someone else has reported or is dealing with a suspected issue. Avoid relying on email when swift action is required: talk to those who need to be involved.
9. Have a plan
Incidents happen, and they can be unexpected. Without a prepared incident response plan to manage them, the fallout can be widespread and damaging to the organisation.
Ensure your plan is tested, kept up to date and capable of supporting the resolution of an incident.
Successful secure card payment operations are driven by people operating with robust processes and backed up by correctly configured technologies.
Reducing the number of your card payment activities and consolidating them onto a set of standardised payment services with proven security will make card data security more manageable, potentially reduce the risk and support continual compliance with PCI DSS.
What is PCI DSS special interest group (SIG)?
Formed in 2011, the PCI DSS special interest group is a focused membership organisation made up of professionals working in the higher and further education (HE/FE) sector.
The SIG supports its members with a wide range of services including training, events, resources and expertise as they work towards PCI DSS compliance. The PCI DSS SIG is the sector expert on payment card data security.