Top 5 PCI Compliance Mistakes and How to Avoid Them


If you’re making mistakes in known territory, then you’re never actually going to push forward.

Credit card networks process thousands of transactions per second. Even though this very common activity takes place constantly and enables the entire internet economy, it still needs to meet certain security standards before it is fit for use. But not everyone is an e-commerce or payments whiz who thrives on solving the problems of keeping credit card numbers encrypted.

Whether you like it or not, any business that handles credit card or debit card transactions needs to meet a certain standard of payment card industry (PCI) compliance. Whether your bespoke internet shop sells specialized computer motherboards or artisanal hand-carved wooden boats, it’s expected to handle customer data in a secure and compliant fashion.

Whether you sell high tech or low tech, PCI compliance is right for you.

Getting your operation to a PCI-compliant spot is probably more achievable than you think it is. This process is mostly about establishing and maintaining a strong foundational level of organization-level cybersecurity controls, especially as it pertains to customer data.

PCI compliance works as a foundational layer of cybersecurity controls that organizations can deploy to keep their networks safe from many known attacks. It only becomes more effective as its updated standards are upheld over time: the standard is continually revised and refined to remain a strong tool for pushing back against cybercriminals.

Compliance allows for an environment in which businesses can enjoy steadier and more predictable outcomes: they reduce the harm they should expect from attacks and gain a cybersecurity-compliant edge over businesses making do without. After all, it’s tough to run a business when its private data goes public against its wishes.

To that end, companies wanting steady footing on the journey to PCI compliance would do well to steer clear of the following known mistakes. Don’t let these hazards take you down.

Not believing that cybersecurity threats are real, or not taking compliance seriously.

Not only are cybersecurity threats real to any organization collecting data, but successful attacks are occurring more frequently than they used to. Gaining PCI compliance is a mark that you do indeed understand cyberattacks to be a potential threat, and your organization has taken steps at the IT level to prepare for them.

Writing off known threats is like driving blind. If you can’t see where you’re going, you’re probably not going to like where you end up (or the status of your vehicle).

Robust organizations build strong, flexible connections between their cybersecurity teams and every other team in order to establish some degree of knowledge transfer between them. This kind of holistic approach to employee cybersecurity education can pay dividends in the future.

Thinking that you don’t have to be compliant if you don’t store credit card details.

Unfortunately, you are still beholden to PCI standards here. The regulations don’t apply only to businesses storing credit card details; they also cover any business that transmits or processes those details. Whatever external system you rely on in order to generate valid credit card transactions, it’s in your interest to ask PCI compliance questions about the process and see what kind of feedback you get.

Even when you’ve outsourced all your card processing needs, your website performing the technical redirect necessary to finalize a transaction can land within scope for a small number of controls. It’s still possible for hackers to mess with people’s data even if your organization doesn’t store it.

Completing the wrong compliance self-assessment questionnaire.

Companies seeking a comfortable on-ramp to the world of PCI compliance might administer themselves a test following directions from the PCI standards body. High-quality self-assessments can be as accurate as paid assessments conducted by a third-party assessor.

But there are multiple versions of this self-assessment questionnaire, depending on a business’s specific niche and statistics. People commonly fill out the wrong one in good faith and then base their plans on the results of an assessment that doesn’t apply to them.

Taking a service provider at their word that their offering is compliant.

Choose your service providers wisely, and don’t be afraid to establish the habit of always checking whether something might be non-compliant. Good service providers can provide high-confidence documentation of their PCI compliance. It’s definitely a bad look if they send over documentation for other standards like ISO 27001 instead: certification against that standard is not PCI compliance, and relying on it alone can leave businesses vulnerable.

Don’t forget that service providers are in business to make money just like any other business. Unethical service providers might say whatever it takes to convince you that their offering is compliant and close a sale. Beware of salespeople, and make sure you only commit to a purchase after you’ve worked through the compliance questions yourself.

Ignoring the warning signs that you’re not compliant.

In some cases this is about paying attention to literal warning signs that pop up on your computer. Pay attention to any indicators that you might no longer be compliant. Taking notice and spending some money to solve a problem up front can save you major expenses and headaches down the road.

If your hosting provider doesn’t clearly state that its solution is PCI-compliant, that should register as a warning sign worth investigating. The same goes if you’re not applying security updates within a few weeks of a new vendor release coming out. Perhaps your organization makes sloppy use of shared accounts that are cumbersome to access and use but still give third parties a potential way in.

Employees should have a certain base level of cybersecurity sense. They should know the value of long, complicated passwords, and the organization should go so far as to keep a documented incident response plan.

Companies can show they have learned from history by avoiding these well-known pitfalls. By sliding gracefully through known challenges, companies can move on to the bigger work of making new mistakes and pushing forward.

Author

John Shin is the Managing Director at RSI Security and has 18 years of leadership, management and Information Technology experience. He is a Certified Information Systems Security Professional, CISM, and Project Management Professional (PMP).