With the recent news of the Global Payments credit card breach, business owners are again reminded of the risks associated with processing and storing credit card data. In a 24/7 world where many organizations maintain online storefronts, however, accepting credit card payments isn’t just an option for doing business. It’s a necessity.
So how can you accept credit card payments and avoid suffering a security breach?
In 2004, five major card brands (Visa, MasterCard, American Express, Discover, and JCB) combined their security programs into a single set of requirements known as the Payment Card Industry Data Security Standard. The standard consists of six key objectives:
- Build and Maintain a Secure Network
- Protect Cardholder Data (i.e., encrypt)
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
The standard goes on to identify more than 220 sub-requirements with which merchants are expected to comply. The intent of this standard is to provide merchants with a core set of security controls to help protect their organizations against a breach. The standard was designed as a checklist for the essential information security controls that every merchant should implement and maintain.
Global Payments learned the hard way that a breach results in unplanned expenses, such as legal fees, fines, and credit monitoring services for their customers. With the cost of a breach estimated at anywhere from $90 to $305 per record, a credit card security breach could put many small to medium companies out of business.
According to the PCI Security Standards Council, the first step toward protecting your business and your customers’ credit card data is to complete a PCI Self-Assessment Questionnaire. The Council has multiple SAQs available to download for free from its website, maintaining different questionnaires for different types of merchants (e.g., brick and mortar only vs. ecommerce website).
While a completed SAQ will provide you with a good sense of where your organization stands compliance-wise, all business owners need to be aware of one key fact:
Compliant does not equal secure.
While compliance with the PCI standard is a good start, don’t confuse PCI compliance with the be-all, end-all of security. An attacker isn’t going to limit his or her attacks to only those items outlined in the PCI standard. With that in mind, business owners shouldn’t limit their security controls to only those items outlined in the PCI standard, either.
Your security controls need to be appropriate for your business.
Once you’ve completed the appropriate SAQ, it would be wise to have an open, honest conversation with your team regarding next steps. What are your most significant areas of exposure? What gaps should you remediate first? How are you going to balance your security budget with your other business expenses?
A few recommendations to keep in mind during that conversation:
- If you don’t need it, don’t keep it. The best way to secure your organization against a credit card breach is to avoid any storage of credit card data. Consider outsourcing the credit card processing to a company that specializes in those services, transferring the risk to them.
- Trust, but verify. Once you’ve implemented all of the preventative security controls you can think of (systems hardening, patch management, etc.), you’ll need to test those controls, and then test them again. By constantly testing for weaknesses in your defenses, you’re much more likely to find a security hole before an attacker does.
- Be prepared for the worst. Security incident response can be frustrating and confusing, especially if you find yourself in the middle of an incident with no clear response plan. If you don’t have security incident response expertise in-house, you should have an information security company on your speed dial for just such an eventuality.
Security is a process, and any organization that chooses to integrate security into the foundation of its business will have a competitive advantage over its peers. Confidential data will remain confidential. Business information will remain trustworthy. Systems will remain online and operational.
Most importantly, security-minded organizations are much less likely to have to spend time and money cleaning up after a data breach incident.