Not Just Business as Usual
By Dr. Autum Pylant
The phrase “business as usual” does not apply to the last few months. And, it might not apply to business in the future. Companies around the world have had to change the way they operate, adapting to new measures in order to stay afloat. A lot of business transactions that would normally be done in person have moved to the internet. That’s not to say that many businesses weren’t already doing business online, because they were. However, the COVID-19 crisis saw millions of consumers changing routines and doing more online shopping because they had no other choice. According to a report by Adobe’s Digital Economy Index, e-commerce has gained $52 billion in extra online spending since the pandemic began.
Shopping online might be the new norm as businesses have been limited by state and local guidelines on when they can open, and many are allowing their employees to continue working from home. While the convenience of working from home has its benefits, security becomes more challenging.
Security is important with every swipe of a credit card and when payment information is entered online. The Payment Card Industry Security Standards Council (PCI SSC) provides guidance to achieve that security through a global, cross-industry effort. They lead the path to increasing payment integrity though data security standards and programs that can help businesses detect, mitigate, and prevent cyberattacks.
The Payment Card Industry Data Security Standard (PCI DSS) was established in 2004 to help prevent credit card fraud. Today, with a global team of strategic partners, PCI DSS is responsible for securing payment data. If you accept or process payment cards, these standards apply to you. PCI security standards help businesses build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. While these goals seem simple enough, how does one go about actual implementation and compliance?
Here are eight best practices based on the CIS Controls and CIS Benchmarks that organizations can follow to maintain and enhance PCI compliance:
Use a Firewall
A firewall is your first line of defense against malicious attacks; make sure your firewall is regularly maintained on your network and PCs.
Install Anti-Virus Software
Under PCI DSS, anti-virus software is required for any device that interacts with or stores Primary Account Number data.
Protect Your Passwords
Use strong passwords. Change default passwords on hardware and software.
Encrypt Data and Secure Cardholder Information
In order to be PCI DSS compliant, all payment data must be encrypted during transit. If using a wireless router, it must use encryption and be password-protected. The PCI DSS requires that you protect cardholder data, to include card numbers and user information, with encryption. Any information that is written or typed must be secured through lock and key. To maintain PCI DSS compliance, organizations must keep a log of the dates, times, and people who access the physical data.
Keep Software Up-to-Date
Software should be updated regularly on devices that interact with payment information.
Restrict Access with Unique Access IDs
Access to cardholder information must be documented and restricted to parties who need to know it. These individuals are required to have their own login credentials.
Maintain Access Records and Document Policies
PCI DSS compliance mandates that businesses document how information flows through the organization, and when access is required. This should include a hardware and software inventory list and the employees who have access, and a policy that addresses information security for employees and contractors .
Regularly Test for Vulnerabilities
Businesses should only buy and use approved PIN entry devices and validated payment software at point-of-sale or website shopping carts. PCI DSS requires regular scans and system tests to identify weaknesses, outdated software, and holes in your cybersecurity. You should also regularly check PIN entry devices and PCs for skimming devices.
As every aspect of the business world has changed recently, it’s important to recognize that complying with PCI DSS is not just a one-time project; rather, it’s an ongoing process that needs to be followed and adhered to year-round.
About the author: The Center for Internet Security, Inc. (CIS) makes the connected world a safer place for people, businesses, and governments through our core competencies of collaboration and innovation. We are a community-driven nonprofit, responsible for the CIS Controls and CIS Benchmarks, globally recognized best practices for securing IT systems and data. We lead a global community of IT professionals to continuously evolve these standards and provide products and services to proactively safeguard against emerging threats. Our CIS Hardened Images provide secure, on-demand, scalable computing environments in the cloud. CIS is home to the Multi-State Information Sharing and Analysis Center (MS-ISAC), the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial government entities, and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), which supports the rapidly changing cybersecurity needs of U.S. elections offices. To learn more, visit CISecurity.org or follow us on Twitter: @CISecurity.