No matter your business—whether you’re a startup or an enterprise—if you collect customers’ financial data, you have a responsibility to safeguard that information.
Verizon recently released its 2017 Payment Card Security Report, which unfortunately shows that too many businesses are not set up to sufficiently ensure the security of payment card data on an ongoing basis.
There were some bright spots in the report. Verizon found that last year, just over 55 percent of businesses were fully compliant with the Payment Card Industry Data Security Standard (PCI DSS). That’s an all-time high, but work still needs to be done: the report also found that within a year, almost half had fallen out of compliance.
Compliance is undeniably important. Of the 300 payment card data breaches Verizon investigated between 2010 and 2016, none involved an organization that was fully compliant with PCI DSS at the time. But compliance only tells part of the story.
Why PCI Security Matters
Payment card security is a growing concern. Flip on the evening news, and you’ll be bombarded with stories of devastating data breaches rocking giants such as Target, Home Depot, and now even Equifax.
These breaches can tarnish a company’s reputation. Not surprisingly, Verizon found that 66 percent of people are unlikely to do business with an organization that exposed their financial and other sensitive information.
No one wants their information compromised. Companies that take PCI DSS seriously will likely enjoy more customer confidence.
Ever-Changing Security Concerns
PCI DSS isn’t a federal law; it is enforced contractually by financial institutions, including banks and credit card companies. It has twelve security requirements, which together call for over 200 specific security actions, known as controls.
As cybercriminals grow increasingly sophisticated, companies must fight to keep pace. If a company achieves initial compliance, it’s not the time to be complacent. The controls a company adopts one year may be useless the next.
Even if a company happens to be compliant at testing time, it might not be secure six months later. Verizon refers to this as the “control gap”: the period during which a business becomes vulnerable because its compliance controls have lost their effectiveness, or can’t respond to changes in the threat landscape.
3 PCI Security Essentials
To beef up payment card security defenses, companies need to be able to:
1. React to changing threats.
Controls can lose their effectiveness over time. You need to adapt to changes in your environment, and your controls need to be resilient. The uptick in mobile payments is one example, as is the increase in remote workers, IoT devices, and cloud services. Each of these technologies requires merchants to continually update their security defenses.
2. Have controls that fit their purpose.
An essential security goal for any business is to reduce vulnerabilities. This means controls need to meet budget requirements and unique business priorities.
3. Take risk into consideration.
A risk-based approach to security can help you find the right controls for your needs. This kind of approach emphasizes outcomes rather than methods, recognizing that not every asset warrants the same level of protection. By implementing a dynamic, adaptive cybersecurity infrastructure, organizations can focus security where it’s most needed and stay a step ahead of savvy cyber crooks.
Fortinet’s Security Fabric architecture facilitates risk-based cybersecurity by leveraging big-data-driven threat intelligence across physical and virtual environments, including all endpoints. It enables you to allocate security resources based on changing threats and network demands and, by simplifying the sharing of alerts and intelligence between layered security devices, to coordinate faster responses to PCI threats.
Xiologix can help you implement a risk-based approach that will ensure payment card security and compliance. Contact us to learn more.