Merchants who depend on a once-a-year Payment Card Industry (PCI) compliance assessment to expose security risks may be whistling in the dark.
Because of the nature of online threats, the task of PCI compliance has evolved into an evergreen, every-day due diligence process to identify and stop security intrusions.
Some merchants may still have a “set and forget” PCI compliance mentality. They unintentionally leave themselves open to potential losses through a variety of situations. Some common risks include:
Failure to anticipate new exposures – The introduction of anything new into a payment environment can mean new vulnerabilities that hackers could exploit. One example would be a merchant migrating from the use of an analog phone line for credit authorizations to the use of an internet protocol. The merchant’s network is now exposed to the risk of malware intercepting authorizations, especially if data encryption and tokenization are not used. Similar risks can also occur when changing from a point-of-sale terminal to third-party software.
Failure to monitor security controls – Cybersecurity is now at a completely different level than it was even a few years ago. It is a competition where fraudsters do X and merchants must do Y to counter them, with no end in sight. In addition to the daily risks of intrusions from hackers, should malware be introduced, it can reside in a network for long periods before it is finally discovered.
Failure to integrate security processes companywide – Companies that fail to integrate security processes across their multiple operations leave themselves open to serious potential damage. In addition to cyber risks, there is still the possibility of offline security breaches such as customer data located in physical files being stolen or misused by disgruntled employees.
To avoid such losses, periodic assessments, on-going sampling, and company-wide controls should be the cornerstones of every firm’s on-going PCI compliance initiatives. Other steps should include:
PNC Merchant Services® can simplify the on-going compliance process through Clover® Insights and Clover Security Plus, which provides both encryption and tokenization. Such on-going safeguards could greatly decrease the possibility of a data breach occurring.
The Clover® name and logo are owned by Clover Network, Inc., a wholly owned subsidiary of First Data Corporation, and are registered or used in the U.S. and many foreign countries.
Merchant Services are provided by PNC Merchant Services Company and are subject to credit approval. PNC Merchant Services is a registered trademark of The PNC Financial Services Group, Inc.