Summer holidays: don’t take your eye of the PCI DSS ball

pci dss

The summer months are traditionally a time when hard-working people take a break. Those left in the office can end up feeling over-stretched or less-motivated than normal. But it is not a time for anyone to take their eye off the ball. Visa has issued new advice on how to Play it Safe this Summer, emphasising once again that working with the right partners is ‘crucial to protecting the cardholder environment’ and ensuring that PCI DSS compliance is met and maintained.

Produced for the US market, Visa’s analogy is based on the principles of baseball but it goes something like this:

First basefollow secure procedures

Ensure service providers follow secure procedures when using remote access to reach your environment. Service providers accessing a merchant’s Point of Sale (POS) system using remote access must follow secure procedures and those providers should go through the QIR certification program if eligible. This protects against data breaches and helps to facilitate compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Second base – change passwords

Change all default passwords to strong, multivariable passwords. The Verizon Data Breach Investigations Report (DBIR) found that 81% of breaches in 2016 occurred because criminals used either stolen and/or weak passwords. Requiring all employees to create complex passwords, and to change them often, adds a critical level of security to the environment.

Third base – ignore suspicious emails

Remind employees to ignore any suspicious emails and report them to IT. The DBIR found that 1 in 14 users were duped into opening an attachment from a phishing email and ‘95% of phishing attacks that led to a breach were followed by some sort of software installation’. Informing employees about phishing schemes will help prevent security lapses in the future.

Home run – partner with a Registered Service Provider

Partner with a Registered Service Provider. Soha Systems Survey on Third Party Risk Management found that 63% of all data compromises involve a third party vendor. Service providers listed on the Visa Global Registry of Service Providers meet Visa’s requirements for validating compliance with industry security requirements. Using these registered providers helps to secure the promise of a trusted payment system.

PCI DSS – seek professional advice

Establishing an organisation’s exact PCI DSS requirements can be a complex business and professional advice should be obtained.

SRM is an accredited QSA Company. Our team of QSAs can conduct your PCI assessment to validate and maintain your compliance with the PCI DSS. We have a wealth of experience in helping companies understand not only how to comply but how to reduce the scope to make compliance each year as simple as possible. From understanding how to complete the SAQ document right through to full PCI assessments for FTSE 100 companies, SRM has the qualifications and expertise to complete the task in a robust and cost-effective way. We also have an established Retained Forensics service which identifies and mitigates the risk of a potential breach.

http://blog.srm-solutions.com/hot-water-and-pci-compliance/

http://blog.srm-solutions.com/does-outsourcing-card-processing-make-you-pci-compliant/

http://www.srm-solutions.com/services/pci-dss/

http://www.srm-solutions.com/services/retained-pci-forensic-investigation-pfi-service/

Posted 2 weeks ago on · Permalink