Debit and credit cards have made paying for goods and services faster and more convenient, but the same convenience gives hackers and thieves more ways to reach cardholders' money. Whether a card is used online, on a mobile device or in a store, consumers rarely stop to consider the risk.
The third version of the Payment Card Industry Data Security Standard (PCI DSS) introduces new security requirements for merchants, service providers, payment processors and financial institutions. Organizations have until December 31, 2014 to fully implement these measures.
"[T]he new PCI DSS 3.0 appears to be moving from a security check box posture to a more holistic risk management approach," Bernard Zelmans, general manager at FireMon, a security management firm, told PC World. "This will hopefully entail a more security centric approach to PCI compliance rather than the least common denominator approach of earlier versions of PCI."
Card numbers are frequently stolen at the point of sale. Although a point-of-sale system is not supposed to retain card data permanently, PC World reported that attackers have defeated businesses' security measures "because their administrators used easy-to-guess passwords for remote access." Guessing remote-access credentials was one of several techniques the Shadowcrew used to break into NASDAQ, JC Penney and other prominent businesses over a seven-year period.
While requirements have tightened for companies that routinely accept card payments, PCI DSS 3.0 itself does not cover card acceptance on mobile devices; separate guidelines for mobile payment security have been released. Businesses that depend on mobile payments can build their own business continuity plan to protect their customers against data breaches.
Even with the PCI DSS in hand, PCWorld explained that organizations can do far more to improve security, since the standard is meant to set a minimum baseline of controls. Some of its requirements, such as closely monitoring antivirus products, intrusion detection systems and firewalls, sound like things that should already be happening, yet time and again gaps in exactly these areas have led to data breaches.
"Periodic reviews and communications should be performed to confirm that PCI DSS requirements continue to be in place and personnel are following secure processes," the standard stated.
The new version of PCI DSS took effect on January 1, 2014; the December 31, 2014 deadline marks the end of the transition period during which the previous version remains valid. The PCI Security Standards Council recognizes that implementing the changes will take time. Business owners who want help strengthening their disaster recovery plans to limit the damage from a data breach may want to consult business continuity specialists.