Recent figures from the UK Cards Association showed that banking industry initiatives, including PCI DSS, have been successful in decreasing the volume of card and bank account fraud. Payment card fraud losses in 2010 reached their lowest levels since 2000.
While significant progress has been made in the reduction of card fraud in Europe, more can be done. The series of global, massive data breaches that have plagued organizations just this year proves that those involved in the payment chain are still being targeted and must take direct action to place security soundly into their day-to-day business efforts.
To address the problems of today’s threat landscape, we can't simply rely on a single technology but must continually examine the people, processes and technology we have in place to protect against future card fraud.
We should be looking to educate our people, then develop security procedures and strategies designed to reduce scope and risk. Only through this will we be able to address the next critical juncture of payments security.
Following are a few of the tips I provide organizations when we are talking about moving toward more secure payment transactions.
If You Don't Need It, Then Don't Store It!
Ok, I agree this can seem a bit like an oversimplification. But it works on so many different levels, and to be honest, this is the basis for many talked about technologies such as encryption and tokenization. Do everything you can to eliminate data. Train your people, create the processes and then look at the appropriate technologies that help you in this effort.
In many cases you can replace the data that you currently store or transmit by encrypting or tokenizing the data. This will help reduce the scope of your PCI assessment and simplify your compliance efforts.
Think Security, Not Compliance
That’s basically what the first tip is about as well, but this goes further. A Report on Compliance is a piece of paper; a valuable one for many organizations, but perhaps less valuable than the peace of mind that you have when you are prepared for ongoing security.
Name an Internal Expert
One of the simplest and most effective means of maintaining ongoing compliance is through a dedicated internal resource you have named. Through this, you can have an individual or team that not only helps prepare for a compliance assessment, but establish the protocols to monitor and maintain ongoing compliance and security.
The PCI’s Internal Security Assessor (ISA) program gives internal champions the same training as QSAs, so they know what to look for and how to keep an organization on track and within the PCI requirements for the entire year.
Implement a Risk-based Approach
Once you have your internal staff on board, it’s time to set your agenda. Whether you are well into your PCI process, or just beginning, a great reference for you to consult is the PCI Prioritized Approach document.
The Prioritized Approach provides guidance that will help merchants identify how to reduce risk to cardholder data as early on as possible in their compliance journey. The tool groups together the requirements of PCI DSS into six key milestones for merchants to consider in their card data security strategy. This risk-based approach eliminates the biggest vulnerabilities first, and allows you to share your progress with assessors, acquiring banks and the card brands.
Make Security Part of Your DNA
Again, this goes to a previous point: think security rather than compliance. The PCI DSS is a fantastic foundation for establishing a core group of best practices that can serve as the foundation for your security efforts.
Remember, the DSS is the floor, not the ceiling; you should always be looking to build additional layers of security on top of it. This layered approach will allow you to focus on the security part of your business, building it into every business project or activity you commence, and allow you to move beyond a compliance sideshow to one where you are an increasingly difficult target for the bad guys. All it takes is some concerted effort. The more difficult you make it for criminals, the more likely they are to look elsewhere.
Remember, PCI DSS is a solid foundation for you to develop and maintain security practices that help enable the entire business. Get the basics sorted by following these tips and then build your layers on top for a more secure business.
Jeremy King is the European director for the PCI Security Standards Council.
Comments
Cardsave says:
03 February 2012
I couldn’t agree more about your point on education. At Cardsave this is a priority for us. Working with small and micro-businesses, we find that many of the companies who are not yet compliant, are that way due to confusion about PCI DSS - what it is, how it works, and how difficult it is to meet the standard. Compliance can appear complicated if it isn’t explained in a clear and simple way, but as you have shown here, it really boils down to common sense.
If we don’t educate our merchants then how can they be expected to understand the jargon and complicated terminology so regularly floated by some service providers? We can’t. We believe we should be doing everything we can to help and encourage merchants, which is why, at Cardsave, we have set up a help desk for merchants who want talking through the process step-by-step.
Clive Kahn, CEO, Cardsave (cardsave.net)
Note: The majority of comments posted are created by members of the
public. The views expressed are theirs and unless specifically stated are not those
Elsevier Ltd. We are not responsible for any content posted by members of the public
or content of any third party sites that are accessible through this site. Any links
to third party websites from this website do not amount to any endorsement of that
site by the Elsevier Ltd and any use of that site by you is at your own risk. For
further information, please refer to our Terms & Conditions.
Comment on this article
You must be registered and logged in to leave a comment
about this article.