When he looks back on the various PCI programmes that he has run, Rob Chapman, Director of Security Architecture at Cybera, a PDI Company, says there are three key items which always stand out. Why? Because they can quickly deliver outsized benefits to pretty much any business that’s subject to PCI compliance. Going beyond the scope of PCI, he tells us here how the three tips also represent some of the most important IT security changes an organisation can make to protect the business and its customers.
Does your business process any credit or debit card transactions? If so, you must be able to account for how you transmit and store customer cardholder data. That’s the primary objective of PCI compliance – securing the journey of cardholder data from the point of sale to everywhere it travels across your IT systems.
But what exactly does PCI compliance mean to you as an IT business leader? First, it means you need to understand your business’ overall security posture. Second, it means you need to understand why it’s so important to fully support your PCI compliance team.
The high cost of non-compliance
Having consulted in the cybersecurity and compliance world for several years, I find it easy to tell when IT leaders recognise the true business value of PCI compliance. Conversely, few things are more frustrating than sitting in a meeting and watching my colleagues attempt to explain the critical need for PCI compliance, only to be met with blank stares from their IT executives.
No, PCI compliance certainly isn’t as sexy as Machine Learning or AI, but there are both monetary and strategic business reasons to invest your team’s time and resources into achieving compliance. Naturally, you want to avoid regulatory fines, legal fees and lost revenue. And you also want to reduce cybercrime, prevent damage to your brand reputation and maintain your customers’ trust.
The fact is, non-compliance can be extremely disruptive and expensive – with typical monthly fines ranging from US$5,000 to US$100,000, depending on the size of your business. And, according to the IBM Cost of a Data Breach Report 2020, an average breach costs US$150 for each customer record compromised. Multiply that figure by each customer record in your systems and you quickly get a real sense of how damaging non-compliance can be.
Three security tips for simplifying compliance
The best IT business leaders I’ve worked with recognise the value of PCI compliance and support their team’s efforts accordingly.
Whenever they ask for recommendations, I typically respond with three cost-effective and relatively easy ways to help protect cardholder data and achieve PCI compliance:
- Update your company’s password policies
- Use logging and tracking for all your systems
- Implement multi-factor authentication (MFA) everywhere you can
1. Update your company’s password policies
I consider passwords to be the low-hanging fruit when it comes to enhancing enterprise security. Unfortunately, a lot of the conventional wisdom about password policies is somewhat dated.
As cybercriminals employ much more sophisticated techniques, your password policies need to match that level of sophistication. One way to achieve this is to start requiring longer passwords for system access, emails and so on.
Yes, passwords should be complex (in terms of numbers, symbols and capitalisation), but the real strength stems from their length. Consider a couple of examples:
- Option 1: You generate a random seven-character password with letters, numbers and symbols. Using a basic laptop and readily available software, a hacker could likely crack that password within 90 seconds.
- Option 2: You generate a 15-character password with only lowercase letters. Using the same computer, the hacker would need an exponentially longer time to crack the password.
That’s a rudimentary example, but I encourage you to try some online password security calculators on your own. Although you might see different results among the various approaches, the main takeaway is that longer passwords equal stronger passwords – and the magnitude of difference can be surprisingly large.
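As an added illustration (not code from the article), the Python below works the two options above through the arithmetic behind that takeaway: keyspace, bits of strength and worst-case time to exhaust at a fixed guess rate, generalised to any alphabet size and length. The 95-character alphabet for Option 1 and the guess rate are assumptions, not figures from the article.

```python
import math

# Alphabet sizes (assumptions: the article names no exact character set).
LOWERCASE = 26
MIXED_WITH_SYMBOLS = 26 + 26 + 10 + 33   # lower, upper, digits, printable symbols = 95

# Assumed attacker guess rate for the time estimate (an assumption, not from the article).
GUESSES_PER_SECOND = 10 ** 10


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits: log2 of the keyspace, i.e. length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed rate."""
    return keyspace(alphabet_size, length) / rate


def compare_options() -> dict:
    """Option 1 (7 mixed chars) versus Option 2 (15 lowercase) from the article."""
    opt1 = keyspace(MIXED_WITH_SYMBOLS, 7)
    opt2 = keyspace(LOWERCASE, 15)
    return {
        "option1_keyspace": opt1,
        "option2_keyspace": opt2,
        "ratio": opt2 // opt1,            # how many times larger Option 2's keyspace is
        "option1_bits": round(entropy_bits(MIXED_WITH_SYMBOLS, 7), 1),
        "option2_bits": round(entropy_bits(LOWERCASE, 15), 1),
    }


if __name__ == "__main__":
    for name, (alpha, n) in {"7 mixed chars": (MIXED_WITH_SYMBOLS, 7),
                             "15 lowercase": (LOWERCASE, 15)}.items():
        years = seconds_to_exhaust(alpha, n) / (3600 * 24 * 365)
        print(f"{name}: {entropy_bits(alpha, n):.1f} bits, ~{years:.2g} years to exhaust")
```

Length enters the exponent while alphabet size enters the base, which is why adding eight lowercase characters outweighs adding symbols to a short password.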
2. Use logging and tracking for all your systems
There’s a fundamental rule in IT – if you don’t know what’s in your environment, you can’t properly secure it. Taking inventory and tracking all your systems is critical to defining the scope of your cardholder data environment (CDE) that’s subject to PCI compliance.
The first step is to activate logging and then track everything in a central area. By collecting data and reviewing your logs, you’ll quickly learn a lot about your environment. Many tools can help you automate these processes – and you can easily monitor your systems and set notification alerts for whenever something changes.
Doing so will help you detect unusual data traffic or potentially malicious behaviour, such as when an intruder attempts to access your systems. Carefully reviewing your logs will also help you identify any broken or poorly performing systems sooner. More often than not, you’ll discover easy fixes that deliver a fast ROI in terms of improving security.
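One way to turn centrally collected logs into the kind of alert described above, as an added example that is not from the article: it parses authentication log lines and flags any source address with a burst of failed logins inside a short window. The log format, hostnames, usernames and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like format (not real logs).
SAMPLE_LOG = """\
2024-03-01T10:00:01 pos-01 auth: FAILED login user=admin src=203.0.113.7
2024-03-01T10:00:03 pos-01 auth: FAILED login user=admin src=203.0.113.7
2024-03-01T10:00:04 pos-01 auth: FAILED login user=root src=203.0.113.7
2024-03-01T10:00:06 pos-01 auth: FAILED login user=sa src=203.0.113.7
2024-03-01T10:00:08 pos-01 auth: FAILED login user=admin src=203.0.113.7
2024-03-01T10:00:09 pos-01 auth: FAILED login user=admin src=203.0.113.7
2024-03-01T10:02:30 pos-02 auth: OK login user=cashier4 src=10.0.5.20
2024-03-01T10:05:00 pos-02 auth: FAILED login user=cashier4 src=10.0.5.20
2024-03-01T10:05:20 pos-02 auth: OK login user=cashier4 src=10.0.5.20
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>OK|FAILED) login "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(log_text: str) -> list:
    """Turn raw lines into event dicts; unparseable lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def failed_login_bursts(events: list, threshold: int = 5,
                        window: timedelta = timedelta(minutes=1)) -> dict:
    """Return {src: peak_count} for sources with >= threshold FAILED logins in any window."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAILED":
            by_src[e["src"]].append(e["ts"])
    alerts = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = max(alerts.get(src, 0), end - start + 1)
    return alerts
```

A single mistyped cashier password stays below the threshold, while the rapid run of failures against privileged account names from one address is what gets surfaced for review.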
3. Implement MFA everywhere you can
You’ve likely used MFA (also known as ‘2FA’) in your personal life when you’ve accessed an online financial site. After you log on, the site asks you to provide a one-time verification code sent to you via text or email.
This process of using a one-time special access code or performing a time-sensitive task is great for verification. Most MFA solutions combine two of the following factors: What you know (like a password), what you have (such as a phone or a security fob) and who you are (biometrics like a thumbprint or facial recognition).
I simply can’t recommend MFA highly enough. To put it bluntly, there’s probably no faster, easier, catch-all security improvement that helps prevent cybercrime.
Keep your PCI compliance team productive…and happy
Even if these three security recommendations seem like no-brainers, you’d be shocked at how many companies neglect to implement them. If your IT team is already on board, that’s great.
Just continue refining your security environment as you go. But if you aren’t taking advantage of these areas, there’s no better time to start. Your PCI compliance team will definitely appreciate you making their lives much easier.
About Rob Chapman
As Director of Security Architecture at Cybera, a PDI Company, Rob Chapman is responsible for the company’s overall cybersecurity architecture and PCI compliance initiatives. During his career, he has focused on areas ranging from academic and enterprise technologies to big data and audiovisual systems. Chapman has a Masters in Educational Leadership and Instructional Technology from Tennessee Technological University.