Companies who process credit card data are getting pummeled by breaches. It doesn’t seem to matter if you are big or small anymore—you are going to be targeted if you have not already been breached.
That’s what PCI DSS is for, right? If you follow all of the requirements in PCI DSS, you should be safe? Even the folks inside the Council will tell you that a healthy PCI compliance posture does not make you secure, and you must take steps beyond PCI DSS to be safe. So is this just a losing battle?
Before we answer that question, let’s take a look at the changes coming in PCI DSS 3.0. We’ve moved from choosing from six questionnaires to nine (https://www.pcisecuritystandards.org/security_standards/documents.php), and the requirements are getting harder to meet as technology adoption outpaces the standard. Don’t forget, you are ultimately responsible for the safety of payment data. That means, if your POS vendor forgets to turn off their remote access and it leads to a breach, you are the one left holding the bag.
Information considered valuable by a threat actor is dangerous to handle. Most of us leave our money in a bank because we rely on them to protect it. Rational business owners would never leave tens of thousands of dollars in cash lying around their store, because they know it would be stolen. Information is not cash, but there are people who know how to monetize it.
Payment card data has no value to you after the transaction settles. It’s simply a liability that you have to protect, just as a bank might protect millions of dollars of other people’s currency. Your best course of action is to remove as much payment information as you can from your company, and maniacally defend areas where it is present—even if it is only present for a second.
If you use an approved, stand-alone terminal (about 80% of you), you may already be doing it. If you are using an integrated POS system, you must ensure that you are actually taking care of the maintenance and updating of these systems. If you do not have the expertise in-house, find a vendor who can assume the liability and help you stay secure. Ideally, you would have them own and maintain the systems, and they send you wire transfers when transactions clear. E-Commerce is probably the easiest as you can leverage companies like Shopify or Etsy to manage everything for you.
Your mission, and you already accepted it when you signed up for payment card processing, is to think about how you use credit cards in your business. Think of every place you swipe them, write them down, store them for subscriptions or concierge purposes, or transmit them (think multi-locations with centralized billing and settlement), and figure out ways to secure and defend this data from theft and misuse.
There are a number of ways to do this. First, destroy the data wherever you find it. There are free and commercial tools available for secure data destruction. Next work with your POS vendors to ensure the systems are configured in accordance with the Payment Application Data Security Standard, PA-DSS. Also, consider the economics behind a decision to ask someone else to help you secure this. For the most part, it’s just the big guys that see true financial benefit from insourcing these components—but it quickly becomes a financial liability in the case of a data breach. Finally, consider payments outsourcing. It will allow you to focus on what you do best!
For more on this topic, check out "PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance" written by Branden and Anton Chuvakin, and follow Branden on Twitter.