Many small business owners out there still don’t seem to appreciate the scope and necessity of PCI compliance with the PCI DSS. I hear a lot about how this or that business owner thinks he or she isn’t big enough or at risk enough to be concerned with PCI compliance. They go on to say that since they don’t electronically store credit card numbers, PCI compliance isn’t a concern. Statements like these couldn’t be further from the truth.
The growing trend in cyber-theft is the targeting of electronic data-in-transit instead of stored electronic data. A recent study found that hackers stole data that was in transit in 66% of reported breaches using high tech data interception techniques and equipment. Only 26% of the time hackers went after stored data. In the remaining 8% the thieves sought both stored data and data in transit. Maintaining your PCI compliance greatly reduces the risk of your data being stolen if targeted by a criminal. Following the PCI DSS goals and strategies for protecting the integrity of your network allows for a continuously updating solution to the problem of data protection.
The following requirements pertain to protection of stored data and data in transit. 1.1 Requirement: all merchants must protect cardholder data by installing a firewall and routing system. Program the firewall and router standards to perform testing when configurations change, identify all connections to cardholder data, and review configuration rules every six months. 2.2 Requirement: It is required that all information is encrypted when transmitting the data across open public networks, such as the Internet, to prevent criminals from stealing the personal information during the process.
In the vast majority of data theft cases, criminals used a specially designed type of data collecting software known as “malware” to perform the task of intercepting data in transit and searching for stored data. PCI DSS 1.2 Requirement: Change all default passwords. Default passwords provided when first setting up software are discernible and can be easily discovered by hackers to access sensitive information.
PCI Compliance with PCI DSS Goal 5: Regularly Monitor and Test Networks contains the following requirements:
5.1 Requirement: Keep system activity logs that trace all activity and review daily. The information stored in the logs is useful in the event of a security breach to trace employee activities and locate the source of the violation. Record entries reflect at a minimum: the user, event, date and time, success or failure signal, source of the affected data and the system component.
5.2 Requirement: Each quarter, use a wireless analyzer to check for wireless access points to prevent unauthorized access. Also, scan internal and external networks to identify any possible vulnerable areas in the system. Install software to recognize any modification by unauthorized personnel. Additionally, ensure that all IDS/IPS engines are up to date.
Be sure to adhere to these PCI compliance mandates for the protection of your business and your customers’ sensitive personal information.