Posts

Accepting Credit Cards? PCI Compliance a Concern for Small Businesses

Sue Poremba, a contributing writer for Business News Daily, interviewed security experts on why PCI compliance is a concern for small businesses. Here are the tips we offered on how to stay PCI compliant:

  1. Identify all business and client data, including any cardholder data, its sensitivity and criticality. Correctly defining the scope of assessment is probably the most difficult and important part of any PCI compliance program. An overly narrow scope can jeopardize cardholder data, while an overly broad scope can add immense and unnecessary cost and effort to a PCI compliance program.
  2. Understand the boundaries of the cardholder data environment and all the data that flows into and out of it. Any system that connects to the cardholder data environment is within the scope of compliance and, therefore, must meet PCI requirements. The cardholder data environment includes all processes, technology, and people that store, process, or transmit customer cardholder data or authentication data, as well as all connected system components and any virtualization components, such as hypervisors and virtual machines.
  3. Establish operating controls to protect the confidentiality and integrity of any cardholder data. Cardholder data should be protected wherever it is imported, processed, stored and transmitted. It must also be properly disposed of at the end of its life span. Backups must also preserve the confidentiality and integrity of cardholder data. Additionally, all media must be properly disposed of to ensure the continued confidentiality of the data. Be sure to include not only the hard disks used by company-owned computer systems but also leased systems and the storage included in modern copy machines and printers.
  4. Have an incident response plan in place. When a security incident occurs, it’s important to have a plan to return to secure operations as quickly as possible. This plan should define roles, responsibilities, communication requirements and contact strategies in the event of a compromise, including notification of the payment brands, legal counsel and public relations. This will ensure timely and effective handling of any compromise. Ideally, companies should have a certified forensics specialist on retainer who can gather evidence and testify as an expert witness if necessary.
  5. Explain and enforce security procedures. You cannot assume that employees understand security best practices or recognize the behaviors that put your business at risk. It is up to you to make sure everyone within the company, from lower-level employees to IT specialists to management, is educated on security procedures and PCI compliance procedures.


Keeping Your Business Data Safe from Holiday Hackers

by Nicole Fallon, Business News Daily Assistant Editor   |   November 13, 2014 

In the wake of the recent string of corporate data breaches, businesses are more alert than ever about cybersecurity. Right now, many of them are also gearing up for the busy holiday shopping season, which brings more opportunities for hackers to break in and steal sensitive customer data.

“For many small retailers, the holiday season is a ‘make it or break it’ time of year,” said Jonathan Gossels, president of IT security and consulting firm SystemExperts. “In addition to traditional merchandizing challenges, they now have to worry about whether their IT infrastructure is up to date and can handle the load securely.”

More and more consumers are choosing to shop online every holiday season, so businesses are under a lot of pressure to keep their transactional data safe. Gossels noted that e-retailer websites and associated back-end systems need to be up to date, compliant with the Payment Card Industry Data Security Standard (PCI-DSS) and able to handle the expected transaction volume throughout the holiday season. The key to success, of course, is being prepared long before Black Friday and Cyber Monday.

“The holiday cybershopping boom is not a surprise event,” Gossels told Business News Daily. “It happens every year at exactly the same time. Merchants of all sizes need to plan for it strategically and programmatically.”

While the 2014 holiday shopping season is practically here, there’s plenty you can do to secure your website now and begin planning for next year’s rush. Gossels shared the following tips and timeline to make sure your business’s website is ready for this busy time of year.

Right now: Freeze your production systems until the end of the year. Don’t implement any new software or technologies, and make sure your existing ones are running smoothly and properly. You should only make exceptions to address critical patches that may come out. Use the “freeze time” to begin planning enhancements for next year.

Early 2015: Plan, design and review any system enhancements, including a security architecture/compliance review.

Summer: Implement and test the whole website and back-end systems with particular emphasis on the new functionality.

Late summer/early fall: Conduct PCI compliance and security testing, using the PCI DSS requirements as the framework for what to test.

Before November 2015: Fix any remaining problems that have been found during the testing, address any capacity constraints, ensure that all security-related patches are in place, and train staff on acceptable use of systems and resources.


Accepting Credit Cards? PCI Compliance a Concern For Small Businesses

Preparing for a Payment Card Industry (PCI) audit requires merchants and service providers that store, process or transmit credit card data to have a detailed security assessment. The purpose of the assessment is to confirm that the merchant or service provider is handling card data in compliance with the Payment Card Industry Data Security Standard (PCI DSS).

I was recently quoted in a Business News Daily article talking about tips to help merchants and service providers prepare for a PCI assessment. In addition to the two tips mentioned in the article, I’d like to share an additional three tips on preparing for a PCI assessment:

1. Establish operating controls to protect the confidentiality and integrity of any cardholder data wherever it is input/imported, processed, stored, output/transmitted and properly disposed of at the end of its lifespan.

Even if an organization does not store cardholder data on its systems, a QSA must document the procedures used to confirm that it is not stored there, typically by searching file systems, databases, logs and backups for card-number patterns.
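As an added example (not SystemExperts’ tooling and not part of the original article), the following Python script shows the kind of PAN discovery check that backs up the “identify all cardholder data” and “confirm no cardholder data is stored” points above. It locates 13- to 19-digit candidates (with or without space or dash separators), drops anything that fails the Luhn checksum, labels hits with a deliberately minimal issuer-prefix table, and reports only masked numbers (first six, last four) so the scan report does not itself become stored PAN. The log lines, issuer table and file-scanning helper are constructed for illustration.

```python
"""Hypothetical PAN discovery scanner for confirming that cardholder data is not
stored where it should not be (added example, not SystemExperts' own tooling).

Candidate digit runs are located with a regex, confirmed with the Luhn check,
labelled with a minimal issuer-prefix table, and reported masked so that the
scan report itself does not become another copy of stored PAN.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# 13-19 digits, optionally separated by single spaces or dashes, not adjacent
# to other digits (so a 20-digit run is not sliced into a "card number").
CANDIDATE_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Minimal issuer table for labelling hits: (brand, leading digits, valid lengths).
# Illustrative only; a production scanner uses a fuller IIN table.
ISSUERS = (
    ("American Express", ("34", "37"), (15,)),
    ("Visa", ("4",), (13, 16, 19)),
    ("Mastercard", ("51", "52", "53", "54", "55"), (16,)),
    ("Discover", ("6011", "65"), (16,)),
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer_of(digits: str) -> Optional[str]:
    """Brand name if the prefix and length match the table, else None."""
    for brand, prefixes, lengths in ISSUERS:
        if len(digits) in lengths and digits.startswith(prefixes):
            return brand
    return None


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits (PCI DSS Req. 3.3 display limit)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    line_no: int
    masked_pan: str
    issuer: str
    confidence: str  # "likely" (Luhn + known prefix) or "possible" (Luhn only)


def scan_text(text: str) -> List[Finding]:
    """Scan text line by line and return masked findings, never raw PANs."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if not luhn_valid(digits):
                continue        # order IDs, invoice numbers, timestamps fall out here
            issuer = issuer_of(digits)
            findings.append(Finding(
                line_no=line_no,
                masked_pan=mask_pan(digits),
                issuer=issuer or "unknown",
                confidence="likely" if issuer else "possible",
            ))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Scan one file; undecodable bytes are replaced so binary junk does not abort the run."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample: an application log that should contain no PAN at all.
# 4111..., 5555 5555 5555 4444 and 3782-822463-10005 are well-known test numbers.
SAMPLE_LOG = """\
2014-11-13 09:02:11 order=1234567890123456 status=shipped
2014-11-13 09:02:12 DEBUG card=4111111111111111 exp=12/16 auth=ok
2014-11-13 09:02:13 support note: customer read out 5555 5555 5555 4444 over the phone
2014-11-13 09:02:14 invoice ref 4111111111111112 (looks like a card, fails Luhn)
2014-11-13 09:02:15 amex 3782-822463-10005 captured by mistake
2014-11-13 09:02:16 callback +1 555 867 5309
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.masked_pan} ({f.issuer}, {f.confidence})")
```

Run against the constructed log, the scanner reports lines 2, 3 and 5 and stays quiet on the order ID, the invoice reference that fails Luhn, and the phone number. Two caveats a QSA will raise: a pattern scan only finds plaintext PAN, so encrypted, hashed or base64-encoded copies need separate evidence, and the same pass has to be pointed at backups, database exports and the storage in copiers and printers, not just application servers.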

Even if an organization has not deployed wireless networking, PCI DSS Requirement 11.1 requires at least quarterly testing for the presence of unauthorized (rogue) wireless access points connected to the cardholder data environment.

Backups must also preserve the confidentiality and integrity of all cardholder data. Additionally, all media must be properly disposed of to ensure the continued confidentiality of the data. Be sure to include not only the hard disks used by company-owned computer systems but also leased systems and the storage included in modern copy machines and printers.

The management of cryptographic keys is also in scope. For the key management controls in Requirement 3, the PCI DSS points to industry-accepted guidance such as NIST Special Publication (SP) 800-57. Part 1 (General) covers the key management principles most organizations need: key types, cryptoperiods, key states, generation, distribution, storage, rotation and destruction. Part 2 covers the organizational side, such as key management policies and practice statements. Part 3 gives application-specific guidance for IPsec, PKI, TLS and similar protocols, and is relevant only if you operate those systems yourself.

2. Establish controls to document and distribute security incident response and escalation procedures to ensure timely and effective handling of all compromised situations.

An incident response plan should define roles, responsibilities, communication requirements, and contact strategies in the event of a compromise, including notification of the payment brands. It should include legal counsel and public relations. Another important aspect is business continuity and returning to secure operations as quickly as possible. Ideally, companies should have a certified forensics specialist on retainer who can gather evidence while preserving the chain of custody, and testify as an expert witness if necessary.

3. Make sure documented controls are in place for users to follow, IT to configure and management to enforce.

An organization cannot safely assume that its employees just know to “do the right thing.” Each organization has the responsibility to educate its employees, contractors and temporary employees about acceptable behaviors, unacceptable behaviors, and how to identify and report suspected security incidents. IT employees should have documentation that addresses configuration standards, logging requirements, data retention requirements, and access control requirements. All staff must be made aware of the potential penalties for not complying with policies and procedures.

Undergoing a PCI audit does not have to be a daunting task if companies follow these guidelines to help prepare for it.

Accepting Credit Cards? PCI Compliance a Concern For Small Businesses

Sue Marquette Poremba, Business News Daily Contributor   |   March 20, 2014 12:59pm ET

Recent breaches against major retailers have put payment card industry (PCI) regulations in the spotlight. However, it isn’t only big companies that need to worry about adhering to these regulations. The rules apply to every business that relies on credit and debit cards for transactions. Even if your business employs four people and it conducts one credit-card transaction a month, it must be PCI compliant.

This is easier said than done. The Verizon 2014 PCI Compliance Report found that most companies struggle to meet the PCI Data Security Standard, the set of regulations created to help keep credit and debit card data safe and secure. According to Computerworld, more than 82 percent of companies were compliant with only about 8 in 10 of these requirements at the time of their annual assessments, and needed several months to close the gaps. In addition, only 11.1 percent of businesses maintain their compliance status between assessments.

Being PCI compliant is non-negotiable if you accept credit and debit cards, but preparing for a PCI audit and ensuring that your company does meet compliance standards can be daunting. Jeff VanSickel, senior consultant at IT compliance consulting firm SystemExperts, provided a few tips to prepare for a PCI assessment, and to keep your standards at secure levels at all times.

1. Identify all business and client data, including any cardholder data, its sensitivity and criticality. Correctly defining the PCI Scope of Assessment is probably the most difficult and important part of any PCI compliance program, VanSickel said. An overly narrow scope can jeopardize cardholder data, while an overly broad scope can add immense and unnecessary cost and effort to a PCI compliance program.

2. Understand the boundaries of the cardholder data environment and all of the data that flows into and out of it. Any system that connects to the cardholder data environment is in scope for compliance, and therefore must meet PCI requirements. The cardholder data environment includes all processes and technology as well as the people that store, process or transmit customer cardholder data or authentication data, as well as all connected system components and any virtualization components, like servers.
