How to Avoid These Five PCI-DSS Pitfalls

Kudos to you for taking credit card data security seriously! You’re likely feeling good about taking that big step to properly secure your customer’s credit card data by becoming PCI DSS accredited. And you should! However, did you know that compliance alone does not necessarily guarantee data security? Here are five things to look out for to ensure the credit card data is truly secure and that you don’t find yourself caught in one of these common pitfalls.

1. Failing to review firewall rules and perform segmentation penetration tests every six months

According to the PCI DSS standard, service providers must review firewall rules and perform segmentation penetration tests every six months. Though most companies remember to do the penetration tests leading up to the audit at the end of the year, they often fail to perform the same checks midway through the year. Mark it in your calendar so you don’t forget these important steps in your PCI compliance!

2. Failing to Manage Vulnerabilities

As part of the PCI DSS standard, vulnerability scans need to be performed on a quarterly basis. Additionally, any vulnerabilities that are found need to be remediated during the same quarter. Failure to do so leaves credit card data exposed and increases the chances of a security breach. Unlike the initial certification, which requires a vulnerability scan during the last quarter only, recertification requires scans on a quarterly basis.

3. Improper Scoping

When it comes to PCI, the ‘scope’ is the cardholder data environment (CDE) and includes all of the systems, people, processes, and technologies that handle cardholder data. It is important to note that systems that support and secure the CDE must also be included in the scope of PCI DSS. Examples include antivirus, patch management, vulnerability scanners and the like.

4. Storing SAD (Sensitive Authentication Data) After Authorization

During the payment process, service providers collect Sensitive Authentication Data (SAD) to authorize the payment. However, according to PCI DSS, you are only allowed to use SAD strictly to process the payment and may not store the data after the authorization has completed.

5. Addressing PCI DSS Compliance During Audit Period Only

PCI should be part of your annual work plan and not reserved for a once-a-year security check. In order to be compliant and truly keep sensitive credit card data secure, the requirements delineated in the PCI DSS standard should be followed and managed throughout the year.

Why Do I Need to Be ISO 27001 Certified?

Have you been thinking about having your organization ISO 27001 certified but are not sure if it’s really “worth the hassle?” For those less familiar with ISO 27001:2013, it is the global information security standard that delineates the best practices for managing information security risk.

Below are four items to consider before making your final decision.

1. It’s good business!

Being ISO 27001 certified gives you a competitive edge and is proof to existing and future customers that you are taking a proactive approach to protecting their data from information security threats. Winning or losing a tender can depend heavily on whether or not you have this certification. Being ISO 27001 certified expedites the sales cycle, rather than stalling it over compliance requirements that have not been met. Lastly, access to global markets may also depend on whether you are certified, since some countries require ISO 27001 certification.

2. Manage risks to safeguard data & intellectual property

Maintaining data privacy and protecting other assets is a top priority for most organizations, especially those that hold private client information. ISO 27001 provides a systematic approach to identifying, storing, accessing and managing this data safely. By applying the ISO 27001 method of safeguarding data, the organization greatly reduces the severity of threats to its information.

3. Avoid financial losses and penalties associated with a data breach

Are you worried about how much ISO 27001 certification is going to cost you? Opting not to get certified can cost you a lot more in the long run. You need to weigh the cost of compliance against the cost of the potential fees associated with remediating a data breach, as well as the possible interruption of business.

4. Improve your processes

Companies grow and change fast, and before you know it, roles and responsibilities relating to data and other assets get blurred. As part of the ISO 27001 process, roles and responsibilities are clearly defined and spelled out, thereby strengthening your organizational structure and allowing for clear and concise steps going forward.

Being ISO 27001 certified forces your organization to take a hard look at what’s working and what’s not when it comes to information security, and to create a clear and concise roadmap for improving processes going forward. The benefits of this process extend not only to the information security of the organization, but also open doors to increased revenue going forward.