Another new day, another new data breach. This has become the ‘New Norm’, at least over the last two years. It is no longer a question of if a business will get hacked, but when. Does this mean retailers surrender and give up? Do they simply say, “We are going to pay anyway, so let’s just wait for the breach to happen and pay all at once?” Hardly!
Data security is not about spending money. It is about risk reduction. Retailers can be compliant and still have a breach: no standard is foolproof or breach-proof. On the other hand, doing nothing about data security greatly increases the risk of a breach. At the very least, retailers need to reduce that risk by implementing sound data security controls; doing so is a necessary step, and it avoids complications down the road.
How do you step up risk reduction?
- Start with your infrastructure
- Replace old systems
- Revisit your payment security devices
- Update or replace software technologies
- Examine your card data environment (CDE)
- Have a long term strategy as a goal to work towards
- Make short term improvements to safeguard data now, while the long term work proceeds
1. Start with your infrastructure. In practice this means infrastructure security: virtualization security, server security and hardening, firewalls, and two-factor authentication for administrative and remote access.
2. Replace old systems. This covers hardware and software and their compatibility. Older machines often cannot run current software, which needs more RAM (memory), a better video card, larger hard drives and updated printer drivers; newer software may not even install on an old operating system. An operating system or POS application that is past end of support no longer receives security patches, so keeping it in the card data environment leaves known vulnerabilities open.
3. Revisit your payment security devices. The PCI Security Standards Council publishes approved lists of payment hardware, e.g. PIN Transaction Security (PTS) approved Point of Interaction (POI) devices and hardware security modules. Security is a never-ending race against potential attackers, so the Council regularly reviews, updates and tightens the requirements used to evaluate these devices, and device approvals carry expiry dates. Check your deployed terminals against the current approved list on a regular schedule, and plan to replace devices whose approval has lapsed.
4. Update or replace software technologies. This includes current versions of antivirus and antimalware, firewall, network, email and Internet security software, password managers and other corporate security tools, as well as wireless intrusion detection and prevention that covers all mobile devices.
5. Examine your card data environment. The CDE includes every computer system, or network of systems, that stores, processes or transmits cardholder data or sensitive authentication data, plus every other component or device that connects to or supports that network. Knowing exactly where card data lives is what makes segmentation and scope reduction possible.
6. Have a long term strategy as a goal to work towards. While the above are being done, keep in mind that the goal is to stay ahead of attackers. So constantly evaluate data-protection strategies. A big portion of data security is people. Train staff to follow policies and guidelines and make them a part of your organization’s culture.
7. Make short term improvements to safeguard data now, while the long term work proceeds.
Short term steps could include:
- Following password policies. These include basic rules such as not writing passwords down, not using generic or shared accounts, not sharing passwords, and changing passwords every 30 to 60 days (PCI DSS 3.0 requires a change at least every 90 days; 30 to 60 is a tighter internal target).
- Performing recommended software updates and patches
- Using POS application versions that appear on the PCI SSC list of validated payment applications
- Segmenting POS systems from the rest of the corporate network
- Performing quarterly external vulnerability scans through an Approved Scanning Vendor (ASV)
Data security versus data breaches
It is not true that spending on data security produces no return. Much like a home security service, retailers will not see the return directly; it shows up only as the attempts that were made and abandoned. Retailers with no data security and no insurance protection face the highest risk. Some retailers may find that acceptable, but it is clearly not prudent to carry on without implementing good data security solutions and practices.
With breaches increasing nationally, data security and risk reduction cannot be ignored. Data security should always be the starting point for businesses of any size. And then, you have compliance. The Payment Card Industry Data Security Standard (PCI DSS) version 3.0 puts more emphasis on continuous compliance, meaning ongoing data security rather than a once-a-year exercise. Merchants who process more than 1 million MasterCard or Visa transactions annually must follow the PCI standards and are required to validate compliance through a Qualified Security Assessor (QSA) or a certified Internal Security Assessor (ISA). To be sure, all merchants, regardless of size, are expected to follow the PCI standards. Follow the game plan described above and you will be one of those retailers who simply make it too difficult for a hacker, so the enemy moves on to the next vulnerable target.
Omega ATC is a PCI certified Managed Security Services Provider. Call 636-557-7777 to help you with your data security or email firstname.lastname@example.org.