Criticism of the PCI-DSS happens, but there’s no doubt that being compliant with its regulations matters. Failing an audit could cost up to hundreds of thousands of pounds and significant reputational damage – and that’s without considering the disastrous consequences of a full-blown data breach.
What are the biggest reasons organisations fall short of PCI compliance?
Not segmenting networks
If you had a priceless Picasso in your home you wouldn’t store it in the same place you’d put your laundry. Network segmentation works in the same way – keeping PCI-protected payment information away from less important data.
When the American retailer Target suffered its multi-million pound data breach, it happened because it didn’t isolate payment information. Hackers were able to access its non-critical heating and ventilation system and then could move ‘sideways’ across the flat network to its point of sale systems. From there they extracted the financial data of some 40 million people.
Segmenting networks isn’t demanded by the PCI but it makes complete sense. Not only does it keep customers’ data safer and lessen the chances of a failed PCI audit, it also significantly decreases PCI scope in general – making adherence to guidelines cheaper, less complicated and less time-consuming.
Using unsafe passwords
It’s the most basic of all security pointers: make sure your passwords are properly secure. Yet, according to Verizon, 48.9% of companies fail to meet the demands of PCI DSS’ Requirement 2, which stipulates that companies must not use “vendor-supplied defaults for system passwords and other security parameters“.
This Requirement is very detailed – insisting that passwords need to be:
- Changed every 90 days
- Detailed, with a mixture of lower and upper case lettering, characters and numbers
- Not repeated over two years
- Not the default passwords that come with systems
The final point is often the critical one. Often, there are systems with default passwords that haven’t been changed because they go under the radar of IT. As a result, non-PCI savvy users, of course, aren’t clued up sufficiently to abide by the stringent password requirements. Which spells trouble for PCI compliance.
Scrimping on reporting
One of the PCI’s key requirements stipulates that IT departments should be constantly tracking activity inside their networks to check that all’s well with the data they’re holding.
For many smaller businesses, basic Windows software such as Event Viewer can provide the necessary tracking and viewing tools. However, for bigger organisations with thousands of servers it’s not quite that easy.
Huge budgets have to be dedicated to creating enterprise-level tracking that both satisfies PCI regulations and keeps user data safe.
Even then, it’s not always possible to detect wrongdoers in a network – the hackers that exposed 1.1 Neiman Marcus cards were anticipated to be inside its system for as long as 3 months during the summer of 2013. Segmentation again here is key. Limiting the scope of PCI-related information across an organisation is the most effective way to ensure that all necessary networks are being reported, and nothing slips under the net.
Payment data typically will spend much of its life moving from one system to another. So when it comes to PCI compliant file sharing, it should go without saying that information should be encrypted during transit and at rest.
This sounds relatively basic, but it’s surprising how many businesses will neglect specific parts of payment systems – ensuring that some aspects insist upon encryption, while others don’t.
What’s more, while it’s essential to keep all payment data encrypted, the ‘keys’ that are used to decipher PCI-related information must also be guarded assiduously. After all, it’s no good protecting data with the leading encryption techniques if you’re going to make it easy for hackers to access valuable cryptographic keys.
PCI guidelines dictate that encryption keys should be “protected as strongly as the encryption keys themselves”. So devising a cast-iron encryption solution is essential.
Read more: How Maytech makes Data Sharing More Secure
Getting complacent about encryption
Due to the ubiquity of quality encryption and the ever-falling cost of data storage, it’s common for organisations to get complacent about the precious payment data they’re storing.
Many, after all, are tempted to keep as much customer data as possible for marketing purposes.
But all it takes is one mistake or security lapse and that information could get compromised. The more data you store, the more likely you are to fail to protect it properly.
This isn’t to say that companies shouldn’t seek to carefully collect and analyse customer data – just that it’s not worth the risk of handling potentially-toxic payment information. Most organisations won’t need more information than the last four digits of customers’ credit cards.
Getting complacent, full stop
Passing a PCI initial audit is hard work, but it seems that passing it the next year is even tougher. Verizon anticipates that 80% of businesses fail their interim PCI compliance assessment, while fewer than a third (29%) managed to maintain complete compliance over the following 12 months.
It’s clear to see that remaining PCI compliant is also particularly tricky. Requirement 11, which stipulates organisations must “regularly test security systems and processes”, is one that IT departments often fail on. Whether because of low awareness, poor procedures or unengaged workforces, many accredited organisations get complacent on their testing and fail the following audit.
Only by staying alert to all security dangers and working with trusted PCI partners can an IT department satisfy the PCI DSS – and keep a data breach at bay.