By Bob Russo, general manager, PCI Security Standards Council
With the latest attacks at big name retailers, the pressure is on for businesses of all sizes to demonstrate that they’re doing whatever it takes to keep their customers’ confidential information safe and out of the hands of the bad guys. But with headlines changing every day on what actually happened and how, many retailers are unsure of where to begin making changes.
In light of these challenges, the PCI Security Standards Council has put together a quick list of 10 simple steps any business can take to get started on reviewing its current status, putting in place a defense-in-depth strategy, and decreasing the probability of a data breach.
1. Educate. Employees should be trained annually on both online and physical security threats, as well as on the best practices for protecting cardholder data. If you are not familiar with these practices and what new and existing employees should be trained on, check with your acquiring bank or payment service provider to see what training they provide.
2. Update. Your employee manuals should be updated regularly with information on the proper handling of sensitive information, including payment card data and any sensitive customer data you may regularly work with.
3. Screen. Pre-employment screening is a basic and essential practice for any business owner, especially for those employees who have access to sensitive customer or financial data. Believe it or not, according to the 2013 Verizon Business Data Breach Investigations Report (DBIR), nearly 15% of data breaches were the result of a company insider.
4. Protect. The 2013 Trustwave Global Security Report (GSR) notes that almost all POS breaches they investigated last year involved malware. The first step to countering this is to ensure that your business has network and web application firewalls as well as anti-virus, malware and spyware detection software, and that all of these are updated frequently.
5. Be Aware. Pay attention to fraud prevention alerts from law enforcement agencies, payment card companies and virus and malware services. Familiarity with the latest security issues can help you anticipate and take action rapidly when circumstances arise. A quick response can make the difference between a minor incident and a major data breach that costs your company millions of dollars and tarnishes your brand.
6. Control. Tightly control your organization’s downloads, software installations, use of thumb drives and public Wi-Fi connections on computers used for payment card processing or handling of other sensitive information.
7. Separate. Designate a separate computer for processing all of your online financial transactions, and keep that computer away from social media sites, email and general web browsing. A large number of compromises stem from computer systems infected through seemingly routine web surfing.
8. Change. Change your passwords regularly, especially after you have outside contractors do hardware, software or POS system installations or upgrades. The Trustwave GSR lists weak and/or default credentials as the third most common method of entry for an attacker. Make sure that you change default passwords, use complex passwords that are harder to guess (a mix of lower and upper case letters, numbers and special characters), and use a different password for each of your systems and accounts.
9. Backup. Make sure you regularly back up your computers and the key data you want to protect, whether it’s to a local machine or to an offsite facility, so your business can be up and running again quickly in the unfortunate event of an attack.
10. Learn. Talk to peers, get involved in industry security groups and find resources that will help you as you continue your security journey. Visit the PCI Security Standards Council website for information on the PCI data security standards as well as ongoing education and training programs available to your organization.
Remember, there is no silver bullet to proper data security. Many new technologies promise greater protections, including EMV chip, tokenization and encryption. But technology is just one piece. To protect your customers and your business, you also need security practices that address the people and processes in your company on a daily basis. “Think security” and your organization will follow.
For more information on PCI security standards and other resources to help you protect payment card data, please visit pcisecuritystandards.org.