May 03, 2016
For the Payment Card Industry (PCI), compliance with their Data Security Standards (DSS) means adhering to a highly-prescriptive technical standard aimed at securing cardholder data and preventing payment card fraud. Worryingly, Verizon’s 2015 PCI Compliance Report found that a staggering 80% of companies fail interim PCI compliance assessments. This means that they don’t have a sustained security programme in place year round. Today I’m looking at 5 common PCI compliance mistakes, and how your company can avoid them.
1) Not Using Firewalls
Your firewall is your first line of defence against a security breach. According to Verizon’s report, only 27% of breached organisations had properly maintained firewalls in place at the time of their data breach, suggesting that ineffective perimeter security is a key contributor to the success of a data breach.
2) Storing Cardholder Data as Plain Text
Protecting stored cardholder data is an essential requirement for PCI compliance. Rather than storing data as plain text, you should encrypt all stored cardholder data, and store encryption keys securely in the fewest possible locations. You should also make sure you’re only storing data that you need. So you should never store PIN or CVV data in your database, or the full 16-digit card number. The less cardholder data you store on your database, the less data can be stolen in the event of a breach.
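The two habits above, storing only what you need and never leaving a card number readable, can be enforced in the storage layer rather than left to each developer. The following Python is an added example written for this post, not code from the original article or from any PCI DSS publication: a sanitiser that refuses to persist sensitive authentication data (CVV, PIN, track data), replaces the PAN with a first-6/last-4 mask before it is written, and a small scanner that finds Luhn-valid card numbers that have leaked into logs or dumps as plain text. Field names, the sample record and the sample log line are all constructed; the card number used is the well-known 4111… test number.

```python
import re
from typing import Any, Dict, List

# Sensitive authentication data that PCI DSS forbids storing after authorisation.
# Field names are an assumption about the calling application's schema.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "pin", "pin_block", "track1", "track2"}

# Heuristic for a card number inside free text: 13-19 digits, optionally
# separated by single spaces or hyphens, not adjacent to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (the most PCI DSS lets you display) and mask the rest."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitise_for_storage(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of a transaction record that is safe to persist.

    Fails closed: if the caller tries to store CVV/PIN/track data the record is
    rejected outright, so the bug is found in development rather than in an audit.
    The PAN is replaced by its masked form; the full number never reaches the database.
    """
    present = FORBIDDEN_FIELDS & {k.lower() for k in record}
    if present:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(present)}")
    out = dict(record)
    if "pan" in out:
        out["pan_masked"] = mask_pan(out.pop("pan"))
    return out


def find_plaintext_pans(text: str) -> List[str]:
    """Scan a log line, DB dump or config for digit runs that look like real card numbers.

    Returns the masked form of each hit so the scanner's own output does not
    become another place where full PANs are written down.
    """
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


if __name__ == "__main__":
    # Constructed sample record and log line.
    print(sanitise_for_storage({"pan": "4111 1111 1111 1111", "expiry": "12/26", "amount": 10}))
    print(find_plaintext_pans("2016-05-03 auth ok card=4111111111111111 amt=10.00"))
```

The masked value is what the application keeps for receipts and support lookups; if you genuinely need the full PAN later (for example for recurring billing), that copy is the one to encrypt with a key held in as few places as possible, as the post describes, and `find_plaintext_pans` is the check to run over logs and backups to confirm nothing readable escaped.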
3) Not Regularly Testing Security Systems
This is essential for maintaining systems and software security. The security landscape is constantly changing, with new threats and vulnerabilities emerging all the time. So it’s no longer enough to simply configure new systems and then forget about them. You should regularly test your security systems to ensure that any development changes haven’t introduced new vulnerabilities, and to keep your systems protected against emerging threats. Regular testing will help you patch any vulnerabilities before your company suffers a data breach, rather than only identifying vulnerabilities in your systems after a breach has occurred.
4) Investing Time, Effort and Money in the Wrong Place
To make best use of your security budget, you should make sure your security team is investing their time and effort where it can have the biggest impact on security. Some companies spend a disproportionate amount of time and effort securing the network layer, but in fact over 70% of security vulnerabilities exist at the application layer, rather than the network layer. PCI DSS calls for organisations to “develop applications based on secure coding guidelines” and prevent vulnerabilities such as injection flaws, buffer overflows and cross-site scripting. So your organisation’s application security has a very real impact on PCI compliance.
Learn more: Why Application Security is a Crucial Part of Compliance
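Two of the three vulnerability classes the standard names, injection and cross-site scripting, come down to the same coding mistake: untrusted input is concatenated into a language (SQL, HTML) instead of being passed as data. The Python below is an added example for this post, not code from the original article: each flawed function is shown beside the form secure coding guidelines call for, using an in-memory SQLite table of constructed users. The table, user names and probe strings are all made up for the demo; buffer overflows are not shown because Python is memory-safe.

```python
import html
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table with constructed rows for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "Alice", "clerk"), ("bob", "Bob <b>", "admin")],
    )
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    # FLAW: the value is spliced into the SQL text, so quote characters in the
    # input are parsed as SQL and can change which rows the query returns.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    # FIX: a bound parameter. The driver passes the value separately from the
    # statement, so it can only ever be compared as a string, never parsed.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_greeting_vulnerable(display_name: str) -> str:
    # FLAW: a stored value is written straight into HTML, so any markup it
    # contains is rendered by the browser (cross-site scripting).
    return f"<p>Welcome, {display_name}</p>"


def render_greeting_safe(display_name: str) -> str:
    # FIX: escape at the output boundary; the browser shows the value as text.
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"   # constructed probe string: no such user exists
    print("vulnerable:", lookup_user_vulnerable(conn, probe))   # every row comes back
    print("safe:      ", lookup_user_safe(conn, probe))         # no match, as intended
    print(render_greeting_vulnerable("Bob <b>"))
    print(render_greeting_safe("Bob <b>"))
```

The point for a review or a PCI assessment is that the fix is not input filtering but a consistent rule: parameterise every query and escape every value at the point it is rendered. Those two patterns are cheap to grep for in a code base, which is why effort spent here pays off more than another round of network hardening.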
5) Not Making Security a Company-wide Priority
Strong and consistent security governance is vital for achieving and maintaining PCI compliance. Getting senior executives on-board with the best practices of security will help set a positive precedent, and raise company-wide awareness for the importance of security. If security becomes a company-wide priority, and all staff receive role-specific security training to align their work with security best practices, then compliance with PCI standards will become integrated with normal business practices.