Storing customer credit card data is a costly endeavor; not because it’s terribly expensive to store data with Payment Card Industry-Data Security Standard (PCI-DSS) requirements, but because the data theft costs could be tremendous.
We’ve all seen it far too many times: major retailers face a huge backlash and customer drop-off after publicized breaches, and customers, businesses and the credit card institutions all feel the pain from stolen data, which is why the PCI-DSS standards are so crucial to implement.
Do they address every single technical consideration in keeping financial data safe? Mostly yes, but some areas still have room for improvement. Here are some questions that anyone who is responsible for credit card data should consider when meeting compliance requirements:
What does the new version of compliance do?
Released in May of 2016, the PCI-DSS 3.2 requirements protect the login process among many other sensitive areas that require protections. Merchants and retailers will officially be out of compliance by February of 2018 if their standards lapse.
It’s beneficial to implement them as soon as possible as they keep a secure layer around card transactions, and the environments and security measures for storing critical information are always changing, so staying ahead of evolving technology (and network intrusions) saves everyone costs in the long run.
Overall, keeping the doors to the data shut is priority number one. Unfortunately, some requirements are insufficient in keeping customer data secure. Acquiring and setting up protected servers, monitoring for unusual activity, and maintaining a security policy are all well and good, but logging in securely presents has a broad range of options, as well as some challenges.
Whether it’s an administrator or a customer, simple password-based credentials alone aren’t enough to secure such valuable data. Multi-factor authentication has been part of the requirements for some time, but it’s also the grayest area since a lot of these methods have been proven to have vulnerabilities.
How do I “implement strong access control measures?”
Compared to the rest of the requirements, it’s potentially the least costly element to address, yet the consequence of having an ineffective solution could be dire. The differences between the factors of authentication and approach to access control could have two undesirable outcomes: compromise security through inefficient MFA, or hinder true administrators, employees and customers from accessing card data.
PCI-DSS covers access control in three ways: restrict access to cardholder data on a need-to-know basis per business, identify and authenticate access to system components, and restrict physical access to cardholder data. It’s safe to say administrators and IT specialists are the biggest targets, but also the most capable of implementing effective authentication methods. It's good news for internal teams in keeping the data leaks to a minimum, but that only addresses half of the problem.
The compliance updates also seek to ensure the implementation of multi-factor authentication for all remote or non-console administrative access as well. Protecting data centers that store card info with additional authentication factors is important, of course, but now the question is which MFA makes the most sense for retailers and customers while keeping transactions secure at every step?
What are the costs of truly effective access control?
Protecting the consumer side of transactions is murky. In many cases, merchants face a dilemma: If they want to implement additional security measures--which may increase protection of customers’ data and reduce fraudulent card use--this action also creates a barrier of entry. As a result, customers could drop off, or transactions might remain incomplete.
For example, introducing a different form of two-factor authentication to regular customers could inadvertently reduce the usability of their payment cards on e-commerce websites. Every new obstacle in the path of unwanted intruders can also be an obstacle for legitimate customers as well.
However, using the proper multi-factor authentication when operating these websites isn’t as expensive as the other requirements. Retailers can utilize authentication that is simpler than convoluted password requirements or constant credential resets. Options are available at little cost when compared to setting up or renting secure servers.
These sign-on mechanisms could also be universal across multiple sites and services, offering retailers a unique and consistent revenue stream.
Using mobile devices as access control keys, which most people have anyway, would provide much better security for their financial data while simultaneously offering a much better user experience. Authentication methods that avoid usernames and passwords when accessing user accounts or transferring data are more useful and provide even stronger security, especially compared to traditional two-factor authentication mechanisms such as one-time passwords or text messages.
Retailers could solve this dilemma and also stay ahead of the competition by using these stronger authentication methods. It won't be surprising if the next version of PCI-DSS requires password-less authentication as an element of MFA for all e-commerce and credit card transactions. Until then, it’s entirely possible to spend time and capital on being in compliance while not addressing fundamental gaps in security.