PCI Compliance 'Should Be Government-Enforced Regulation'
Article date: Mon, 12 Jan 2015 09:50 GMT

PCI compliance should become a legal requirement for firms trading online, according to a panel of security experts at a debate in Manchester. The panel, gathered at hosting firm UKFast to discuss the imminent changes to the PCI accreditation, explained that businesses are much less likely to experience a cyberattack if they are protected.

Mike Henderson, director of insurance specialist Riskbox, said: "If you're a burglar, are you going to burgle a house with an open window or are you going to go for Barclays? Well, it makes sense that actually you're going to go for the easier jobs.

"That's what hackers will tend to do, and that's what people need to be aware of. Don't let your company become an easy target for hackers. Make sure you're PCI Compliant."

Lawrence Jones, CEO of cloud and colocation provider UKFast, said: "Ten years ago, people were only putting websites on the internet. Now people are putting everything on the internet and paying for more and more online. The more data we put on it and the more we make financial transactions online, the bigger the threat of attack becomes.

"While it's not a government-enforced regulation, businesses are opting to continue trade without it and taking a big risk in doing so. A data hack can take an SME from success to non-existence because of the irreparable brand damage it can cause."

Darren Ratcliffe, director of Redstar Creative, believes the reason behind this is that the majority of SMEs are uneducated about PCI Compliance, which could end drastically for their company's reputation. He said: "Most SMEs don't even know the basics in PCI compliance. SMEs need to be educated about this. Brand damage is irreparable, whatever department you're in, you should know about it. It's important to be educated about it."

Here are the panel's top five tips to stay PCI Compliant since the accreditation changed at the start of the year:
- Pen Testing: You now need a set methodology in place, agreed with your pen testing companies. The methodology needs to be documented and followed, and must adequately test the controls around securing cardholder information.
- Inventorying system components: You must keep an inventory for everything from hardware (virtual or physical hosts and network devices) to software (custom, commercial, off-the-shelf applications); everything has to be documented, describing the function/use for each.
- Vendor relationships: Businesses will need to provide explicit documentation about which PCI DSS requirements are managed by vendors and which by the organisation itself. For example, if an organisation uses a hosted data centre vendor, the physical access restrictions of that data centre might be managed by the customer organisation. This documentation should also cover the controls the vendor manages, which should help businesses; businesses should insist on seeing it before using any service provider.
- Malware: Merchants need to identify and evaluate evolving malware threats for systems that are considered to be not commonly affected by malicious software; just because it hasn't been hacked, doesn't mean it never will be.
- Physical access and point of sale: Merchants must control physical access for on-site personnel, making sure that access is based on individual job function and revoked immediately upon termination. Requirement 9.9 states that merchants must "protect devices that capture payment card data… from tampering and substitution".