Read the financial news on any given morning and you’ll find a story about a data breach costing a TK organization millions. Some companies don’t take PCI compliance seriously and don’t fully comprehend the risks of ignoring compliance. In fact, a recent ControlScan survey discovered that 69 percent of Level 4 merchants (the smaller businesses on the spectrum) don’t believe they will fall victim to a data breach, and nearly half of the survey respondents had little or no familiarity with PCI DSS.
Many large organizations know better but still must take steps to ensure their vendors are following PCI compliance, particularly if third parties are handling an organization’s payment data. A company’s efforts to protect against data breaches won’t mean a thing if customer records are compromised due to the negligence of a vendor. Here are six recommendations for maintaining PCI compliance with the new 3.0 standard:
1. Make no assumptions
If an IT person at a vendor tells you a new piece of software or a revised process is following PCI compliance guidelines, should you just take their word for it? Third parties may think they are following PCI compliance best practices because they use anti-virus software and outdated encryption methods, but without a thorough auditing process and careful risk screenings, you can’t be sure. Be sure to assess your vendors against the standards!
2. Don’t store what you don’t need.
Credit card numbers are the Holy Grail for cybercriminals. From a merchant’s standpoint, the level of protection needed to guard such data is immense and the consequences of a breach are crippling. So if storing cardholder data isn’t necessary, don’t let your vendor do so.
3. Upgrade to passphrases.
PCI DSS 3.0 recommends that merchants consider using passphrases instead of passwords. Passphrases are tougher to crack than even the most complex passwords and will help in efforts to achieve PCI compliance.
An alternative to a “password” is a “passphrase”: a sequence of words strung together to form a single password. To build one, set aside the traditional way of thinking about passwords. Instead of worrying about how many characters the password needs to have, think of several words that can be combined into a phrase. A passphrase is made up of four or five short words, put together in a way that makes sense to you. Your “password” will be longer (which makes it more secure), but it will be easier for you to remember. Here are some examples:
“My dog just turned eight.” = “MyDogJustTurn-D8”
“Look at all the snow today!” = “LookatAlltheSnow2day!”
“I love to go fast in my car!” = “Ilove2goFastInMyCar!”
Passphrases must meet all of the requirements of traditional passwords. One final tip: choose a phrase that you can easily remember, but to increase security avoid common phrases, lyrics, titles, and quotations. Your passphrase should be made of words that you put together yourself and that have meaning to you.
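The advice above boils down to two checks a system can actually enforce: the passphrase must still satisfy the traditional password rules, and it must not be a well-known phrase. The following checker is an added example, not code from the original post or from any PCI standard. It assumes the PCI DSS 3.0 minimums for passwords/passphrases (requirement 8.2.3: at least seven characters, containing both letters and digits) and uses a small, constructed blocklist of common phrases; a real deployment would load a much larger list of lyrics, titles and quotations from a file. The normalization step matters because a user who writes “LetItBe2024” has still chosen a famous phrase, so CamelCase is split and digits and punctuation are stripped before the comparison.

```python
from __future__ import annotations
import re

# Minimums PCI DSS 3.0 sets for passwords/passphrases (requirement 8.2.3):
# at least seven characters, with both alphabetic and numeric characters.
MIN_LENGTH = 7

# Constructed sample blocklist; a real checker would load thousands of
# well-known lyrics, titles and quotations from a file instead.
COMMON_PHRASES = {
    "to be or not to be",
    "may the force be with you",
    "let it be",
    "i love you",
}


def normalize(text: str) -> str:
    """Reduce a candidate to lower-case words so that 'LetItBe2024'
    and 'let it be' compare equal: split CamelCase, drop digits and
    punctuation, collapse whitespace."""
    spaced = re.sub(r"(?<=[a-z])(?=[A-Z])", " ", text)  # 'LetIt' -> 'Let It'
    letters = re.sub(r"[^a-z ]", " ", spaced.lower())   # keep only letters/spaces
    return " ".join(letters.split())


def check_passphrase(candidate: str) -> list[str]:
    """Return the list of requirements the candidate fails.
    An empty list means the passphrase is acceptable."""
    failures: list[str] = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", candidate):
        failures.append("no alphabetic character")
    if not re.search(r"[0-9]", candidate):
        failures.append("no numeric character")
    if normalize(candidate) in COMMON_PHRASES:
        failures.append("matches a well-known phrase")
    return failures


if __name__ == "__main__":
    # The three passphrases from the post, plus two that should be rejected.
    for sample in ["MyDogJustTurn-D8", "LookatAlltheSnow2day!",
                   "Ilove2goFastInMyCar!", "password", "LetItBe2024"]:
        problems = check_passphrase(sample)
        print(f"{sample!r}: {'OK' if not problems else ', '.join(problems)}")
```

The checker can only verify the mechanical rules; whether the phrase "has meaning to you" is something no program can test, so the blocklist is the best proxy for "avoid phrases other people would also pick".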
4. PA-DSS
Along with the PCI DSS update to 3.0, the Payment Application Data Security Standard, or PA-DSS, was updated this year. These guidelines address applications and software used for any part of an electronic transaction. Becoming familiar with PA-DSS 3.0 is imperative, but never assume that an application following PA-DSS guidelines is automatically in line with PCI compliance standards as well. Check both.
5. Simplify.
Achieving PCI compliance can be a detailed task, but with enough advance planning and due diligence, it doesn’t need to be. From a vendor risk management standpoint, using an automated solution can streamline the assessment process and bring your third parties much closer to compliance in far less time.
6. Don’t settle for complacency.
Many merchants are audited once a year for PCI compliance, but one positive screening doesn’t mean a vendor is compliant forever. Technology changes, processes are updated, cyber-attacks become more sophisticated. Staying vigilant and working with your vendors toward PCI compliance can reduce risk and protect the cardholder data of your customers.
What does your company recommend to vendors trying to achieve PCI compliance?