Organisations across all sectors face a constant battle to mitigate data breaches, and the payments industry faces a particularly high and constant threat. A breach of customer details costs a company twice over: first in compensating customer losses, and second in fines or the loss of specific payment or transaction privileges. Reputation is a further consideration. For example, the breach of TalkTalk in November last year cost the company £15 million in lost trade and £20 million from its reduced customer base.

Regulations are particularly strict for organisations processing payments, which must comply with the Payment Card Industry Data Security Standard (PCI DSS). Failure to do so can result in the organisation losing its card processing privileges, significant fines, or short- and long-term damage to its reputation. Cybercriminals are known to target sensitive data transfers such as those involved in processing card payments, so protecting this data should be a key priority for every organisation.

1. Protect data at rest and in transit

Keeping duplicate copies of cardholder data to a minimum is a good first step: data that is never stored cannot be stolen. To protect data in transit, organisations can introduce a managed file transfer system that acts as a broker between external connections and internal networks, so that data stays behind the organisation's own firewall and is only ever moved from one protected area to another.

PCI DSS also requires that vendor-supplied defaults, such as default passwords, default accounts, SNMP community strings and other default security parameters, are changed before a system goes into production. A tool that scans configurations for known default values and flags them therefore closes off one of the easiest routes an attacker has into a payment system.

2. Introduce strong encryption ciphers and keys

Encrypting all non-console administrative access with strong cryptography is a key requirement of PCI DSS. In practice this means administrative interfaces should be reachable only over TLS or SSH, and remote access should be disabled altogether where it is not needed. Note that the older Secure Sockets Layer (SSL) protocol and early versions of TLS (1.0 and 1.1) are no longer considered strong cryptography under PCI DSS; they should be disabled in favour of TLS 1.2 or later with strong cipher suites. For web traffic, secure transmission can be enforced by automatically redirecting incoming HTTP requests to HTTPS; pairing that redirect with an HTTP Strict Transport Security header stops browsers from making the initial plaintext request on later visits.
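As an added example (not code from the original article), the following Python script audits a constructed INI-style service configuration for the two issues this step and the previous one describe: vendor-supplied default credentials and deprecated SSL/TLS settings, with a hardened version of the same config beside the weak one. The config text, the default-credential shortlist and the weak-cipher markers are assumptions for illustration; a real deployment should build the default list from vendor documentation and the TLS policy from current PCI SSC guidance.

```python
"""Flag vendor-default credentials and weak TLS settings in a service config.

Added example, not from the original article. The INI-style configs, the
default-credential shortlist and the weak-protocol/cipher lists below are
constructed for illustration.
"""
import configparser
from typing import List

# Constructed sample: a payment gateway config still carrying vendor defaults
# and legacy SSL/TLS settings.
WEAK_CONFIG = """
[admin]
username = admin
password = admin
snmp_community = public

[tls]
protocols = SSLv3 TLSv1 TLSv1.2
ciphers = RC4-SHA DES-CBC3-SHA ECDHE-RSA-AES128-GCM-SHA256
redirect_http = no
"""

# The same service after hardening (constructed).
HARDENED_CONFIG = """
[admin]
username = pci-ops-4821
password = <set from secrets manager>
snmp_community = <set from secrets manager>

[tls]
protocols = TLSv1.2 TLSv1.3
ciphers = ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384
redirect_http = yes
"""

# Well-known vendor defaults (constructed shortlist; extend per vendor docs).
DEFAULT_CREDENTIALS = {"admin", "password", "public", "private", "changeme", "root"}

# SSL and early TLS are no longer acceptable under PCI DSS.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

# Substrings in an OpenSSL-style suite name that indicate a weak or broken
# algorithm (RC4, single/triple DES, NULL encryption, export grades, MD5, anon DH).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "anon")


def audit_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means the config passed."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings: List[str] = []

    # Requirement 2: no vendor-supplied defaults for passwords or other
    # security parameters (SNMP community strings included).
    if cfg.has_section("admin"):
        for key, value in cfg.items("admin"):
            if value.strip().lower() in DEFAULT_CREDENTIALS:
                findings.append(f"admin.{key} uses vendor default '{value}'")

    # Requirement 4: strong cryptography for transmission of cardholder data.
    if cfg.has_section("tls"):
        for proto in cfg.get("tls", "protocols", fallback="").split():
            if proto in WEAK_PROTOCOLS:
                findings.append(f"tls.protocols allows deprecated {proto}")
        for suite in cfg.get("tls", "ciphers", fallback="").split():
            if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
                findings.append(f"tls.ciphers allows weak suite {suite}")
        if not cfg.getboolean("tls", "redirect_http", fallback=False):
            findings.append("tls.redirect_http is off: plain HTTP is not redirected to HTTPS")

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} config ==")
        for finding in audit_config(text) or ["no findings"]:
            print("  -", finding)
```

The check fails closed on the redirect setting (a missing `redirect_http` counts as off), and it matches cipher suites by algorithm marker rather than by an allow-list, so a new suite that happens to use 3DES is still caught. Run against the weak config it reports eight findings; the hardened config reports none.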

3. Make sure data is stored and disposed of securely

Cardholder data must be disposed of securely once it is no longer required. This not only saves space but also shrinks what an attacker can take if the organisation is breached. A clean-up tool built into the security system can automatically purge files that have passed their retention period. Where data is overwritten rather than simply deleted, bear in mind that overwriting is not reliable on SSDs or cloud storage, so encrypting the data and destroying the key is the more dependable approach there. User disk quotas can also be used to limit how much data accumulates in the first place.

4. Control access

Of course, one of the best ways to protect data is to limit who can reach it. Implementing the principle of least privilege is essential: every employee works on a need-to-know basis, which matters all the more when a large share of breaches stem from staff error or misuse of legitimate access. With the right tooling, administrator accounts can be granted specialist rights that ordinary user accounts do not have, and those rights can be confined to the tasks that need them. PCI DSS requires organisations that process payments to operate an access control system on every multi-user system, granting access based on job need and denying everything else by default.

Accounts should be role based, so that permissions follow the job function rather than the individual and no one accumulates access simply because they are trusted. It is also important to assign a unique ID and credentials to every user, since shared accounts make accountability impossible, and to remove or disable accounts that have gone inactive (PCI DSS requires this within 90 days), because dormant accounts are a favourite foothold for attackers.

5. Check compliance is maintained

Accountability is key to ensuring that employees keep to compliance procedures. Introducing a reporting method, ideally automated, that assesses security and risk will simplify the job of ensuring PCI DSS requirements are met continuously, rather than only in the run-up to an assessment.

Any company that processes card payments is a top target for cybercriminals, so implementing PCI DSS could not be more important in today's digital world. Meeting and maintaining compliance is a challenge for organisations of all types and sizes; for that reason, it is critical to establish an infrastructure and select security tools that also support compliance. Following these five steps will help simplify compliance processes and keep customer payment data secure.