Helping Companies Protect Payment Card Data

Jonathan Trull, Chief Information Security Officer

This week we are taking a slight diversion from our DevOp series and focusing instead on the Payment Card Industry’s Data Security Standard (PCI DSS).  Verizon recently published its 2015 Compliance Report.  While the report found an 80 percent increase in the number of companies that are validated as PCI DSS compliant, four out of five companies are still failing, which means progress is slow.

Now, I’ll be the first to admit that compliance does not automatically lead to good security, but regulatory compliance continues to be a big driver for spending and resources in the c-suite.  At Regis, one of our goals is to train future information assurance leaders to be their company’s trusted advisor.  So, the following are a few helpful steps you and your company can take to better protect payment card data.

PCI 3.0:  Get to Know the Latest Requirements

PCI DSS 3.0 went into effect earlier this year and aims to drive organizations to not only consider security measures when dealing with payment card data, but also building security practices into daily operations.  The best thing about PCI requirements is that they provide an excellent checklist for protecting cardholder data.  PCI 3.0 includes increased education and awareness due to the evolving nature of the threat landscape, especially when it comes to passwords, which are still a weak point for many organizations.

Implement a Risk-Based Approach

Unlike previous versions of PCI DSS, 3.0 emphasizes risk-based security.  Companies must look at their current strategies and vulnerabilities to determine and prioritize the associated risks within their organizations.  A risk-based approach helps eliminate the constraints security teams face and provides them with the tools necessary for prioritizing and remediating vulnerabilities based on risk.

Protect Stored Card Data

First and foremost, don’t store card data unless you absolutely must.  However, if your organization does store sensitive credit card data, keep it to a minimum and add additional controls, especially encryption, to prevent access to the data.  When encrypting data at rest, use strong and validated cryptographic modules and algorithms and ensure that the keys used for unencrypting the data are tightly controlled and protected.

 Regularly Test Security Systems and Processes

PCI compliance should not be seen as a point-in-time assessment to achieve annual certification.  Rather, it should be managed on a continuous basis and embedded into a company’s day-to-day business operations.  An annual certification doesn’t guarantee that you’ll be in technical compliance weeks or months after certification.  New vulnerabilities appear daily due to flaws in software, faulty configuration of security tools and applications and even human error.  As such, you must continuously assess, remediate and report your organization’s compliance with PCI requirements.

The requirements of PCI DSS are clear, but take work to accomplish across an organization.  The above are a sampling of some best practices that can help you and your organization obtain and keep PCI compliance.

Interested in learning more about a master’s in information assurance?  Request more information or call us at 877-820-0581.