Embrace summer sales and help prevent credit card fraud with PCI
The upcoming Memorial Day weekend marks the traditional start of summer in America. All summer long, families will take vacations to places like New York City, Disney World and California beaches. Friends, couples, empty nesters and more will board planes and cruise ships or hit the open highways in search of fun in the sun.
In every case, people will pay for things like gas, airfare, food, entrance fees, sunscreen, souvenirs, merchandise, and more using their debit and charge cards. It’s a bonanza for retailers. It’s also a headache for all the merchants who accept payment cards.
According to VISA, 80 percent of U.S. payment fraud is caused by electronic cardholder data theft. It’s why the PCI DSS standard, a set of security requirements designed to reduce credit card fraud, exists. However, compliance with PCI has been slipping recently. Verizon’s 2018 Payment Security Report found that only 52.4 percent of organizations maintained full compliance with PCI in 2017 compared with 55.4 percent in 2016.
According to the report, the sector with the worst record for PCI compliance is hospitality. The service industry includes hotels, food, drink service, theme parks, cruise lines, anything tourism related. Vacationers pay with credit and debit cards to service industry merchants that are least adept at securing the transactions.
If you’re a merchant struggling with PCI compliance, take advantage of the calm period before good summer business and the heightened risk of cardholder theft. Here are five practical steps you can take and implement this spring.
Conduct a risk assessment
Get started by assessing your payment card system. Conducting a risk assessment lets you know where things stand. Assign risk ratings to discoveries, enabling you to prioritize them for remediation or assign to a mitigation plan.
Conducting a risk assessment lets you know what’s at risk, where you’re vulnerable, and where controls, policies and procedures could alleviate the risk.
Check your control environment
Having basic security controls is essential for payment card security. A lack of these controls is the top reason many organizations fail their interim assessment for PCI compliance.
Periodically perform control testing and remediate any findings. In an ever-changing threat environment, the challenge is improving the control environment.
Leverage policies and procedures
A well-run policy and procedure program can govern processes to meet PCI compliance requirements. The trouble is, such a program often interrupts people’s daily responsibilities.
By seeing PCI compliance as an ongoing concern rather than an annual event, management can get on board with organizational rules that support compliance efforts.
Manage network vulnerabilities
PCI compliance requires vulnerability scans. Done one lately? Many discovered vulnerabilities involve the misconfiguration of back-office systems and assets like web servers.
Your best bet is to continuously monitor the configuration of IT assets and analyze collected data against authoritative benchmarks like CIS, ISO and NIST. On that note, we have a platform that does that work for you.
Assess and manage service providers
Don’t forget to assess and manage service providers that help process credit card transactions. As VISA noted in its threat landscape review, data breaches have shifted in the past three years to e-Commerce and third parties. With any risk that can lead to a data breach, it calls for regular assessments and oversight.
That’s five practical steps you can take this spring to get closer to PCI compliance. Summer sales will be here before you know it. Get those transactions secure and take care of the vacationing customer. Do so, and they’ll be back next summer.
NSCC members face a new compliance requirement: cybersecurity confirmation. It sounds easy, complete a form, but risk is high. Here’s guidance.
Compliance departments are seriously challenged these days. As business swirls in response to COVID-19, compliance has taken a back seat. That can lead to trouble—violations, fines or both—due to missing deadlines. Management, in a questionable move, may ask compliance to do something taboo. Instead of reading a half empty glass post designed to help compliance deal with these challenges, they instead get a half full glass post that is brimming with optimism for compliance’s role during COVID-19.
Learn about how HIPAA Compliance plays a role in protecting against cybercriminals.