PCI Security Standards Council has put together a list of four common areas that retailers often get wrong about payment security along with advice on how to address these common vulnerabilities.
Four things retailers often get wrong about payment card security
- Forgetting about basic controls. Hackers often go after the lowest hanging fruit. Weak or default passwords or using outdated anti-virus software puts a bull’s-eye on your company’s back. Don’t be an easy target- make sure to replace default passwords with strong passwords and always maintain the latest anti-virus controls.
- Believing security can be outsourced. Often times, organizations have the mentality that you can outsource security. PCI stresses that security is always a shared responsibility—it can never be outsourced. PCI SSC created a Third-Party Security Assurance Information Supplement, which includes a roadmap for organizations to help them clarify each party’s role in the payment security environment.
- Expecting EMV chip to be a cure-all. There is no doubt that EMV chip technology will deliver on its promise to button down security in the card-present POS environment. What it won’t do is protect transactions in the card-not-present (online or over the phone) environment. Implementing EMV chip doesn’t do away with the need for secure passwords, patching systems, monitoring for intrusions, using firewalls, managing access, developing secure software, educating employees, and having clear processes for the handling of sensitive payment card data—all covered in the PCI DSS.
EMV chip migration is a great opportunity to look at point-of-sale (POS) device and terminal security, and for merchants to invest in equipment that provides the strongest security protections by using PCI PTS listed devices.
- Making compliance a goal over security. Organizations tend to focus on the compliances process instead of establishing long-term processes for maintaining the security of cardholder information. Ongoing security of cardholder data should be the driving objective behind all PCI DSS compliance activities, not just attaining a compliant Report on Compliance.