Making PCI Compliance Continuous
Merchants who depend on a once-a-year Payment Card Industry (PCI) compliance assessment to expose security risks may be whistling in the dark.
Because online threats change daily, PCI compliance has become a continuous, everyday due-diligence process of identifying weaknesses and stopping intrusions, not an annual checkbox.
Some merchants may still have a “set and forget” PCI compliance mentality. They unintentionally leave themselves open to potential losses through a variety of situations. Some common risks include:
Failure to anticipate new exposures – Anything new introduced into a payment environment can bring new vulnerabilities that attackers could exploit. One example is a merchant migrating credit authorizations from an analog phone line to an IP-based (internet) connection. The merchant's network is now exposed to malware intercepting authorization traffic, especially if encryption and tokenization are not used. Similar risks arise when moving from a stand-alone point-of-sale terminal to third-party payment software running on the merchant's own systems.
Failure to monitor security controls – Cybersecurity is now at a completely different level than it was even a few years ago. It is a contest in which fraudsters do X and merchants must do Y to counter them, with no end in sight. Beyond the daily risk of intrusion, malware that does get in can reside in a network for long periods before it is finally discovered, which is why controls must be monitored, not merely installed.
Failure to integrate security processes companywide – Companies that fail to integrate security processes across their multiple operations leave themselves open to serious potential damage. In addition to cyber risks, there remains the possibility of offline breaches, such as customer data held in physical files being stolen or misused by disgruntled employees.
To avoid such losses, periodic assessments, ongoing sampling, and company-wide controls should be the cornerstones of every firm's PCI compliance program. Other steps should include:
- Limiting the amount of data – If the data is not there, a fraudster cannot steal it. Attackers typically want to get in and get out quickly, or to plant malware that sits undetected over time; either way, the less cardholder data stored, the less there is to lose. Store only what the business actually needs (a token and the last four digits of the card are usually enough for receipts and reconciliation), and never retain sensitive authentication data such as the full magnetic-stripe contents, the card verification code, or the PIN after authorization, which PCI DSS prohibits. Limiting stored data should be the first line of defense.
- Use encryption and tokenization – Cardholder data should be encrypted both in transit and wherever it is stored. Tokenization replaces the actual card number with a surrogate value (a token) that is meaningless outside the tokenization system, so a token stolen from a merchant's database is of no use to an attacker. Tokenization also shrinks the amount of real card data the merchant holds, and with it the portion of the environment that falls within PCI scope.
- Include compliance in risk management – Effective oversight and controls that reach beyond the payment processing network should be a priority for every business. The question that needs to be asked continually is "how do we use what we learn to build broader, stronger and more diligent controls that protect the business from evolving risks?"
PNC Merchant Services® can simplify the ongoing compliance process through Clover® Insights and Clover Security Plus, which provide both encryption and tokenization. Such ongoing safeguards can greatly decrease the likelihood of a data breach.
Important Legal Disclosures & Information
The Clover® name and logo are owned by Clover Network, Inc., a wholly owned subsidiary of First Data Corporation, and are registered or used in the U.S. and many foreign countries.
Merchant Services are provided by PNC Merchant Services Company and are subject to credit approval. PNC Merchant Services is a registered trademark of The PNC Financial Services Group, Inc.