Dave Waterson at SentryBay outlines the importance of strengthening PCI DSS compliance with a strong cyber-security culture
In the war against cyber threats, the primary defences of anti-virus and office firewalls are no longer sufficient on their own. Increasingly, this means moving away from a piecemeal approach towards a 360-degree vision – embracing a culture of security. Organisations and solution vendors must therefore work together to target the array of customer vulnerabilities to cyber-attack.
The Payment Card Industry Data Security Standard (PCI DSS) mandates that organisations maintain a secure network and systems to host transactions, including a properly configured network firewall to protect cardholder data, and restrict data access to those with a genuine business need – with PCI DSS compliance being one aspect critical to a valid cyber-security posture.
Even individual aspects are complex
The challenge is illustrated by the fact that nearly 31% of respondents to a SentryBay poll tell us PCI DSS is too complex and 24% criticise the processes as contradictory.
More than half in the same poll admit their organisation is either non-compliant or has previously failed an assessment. But they cannot put the task to one side with the revised deadline for complying with PCI DSS 4.0 approaching in Q1 2022.
Compliance with evolving regulatory and legislative mandates to continue protecting customers has become an increasingly thorny problem that all organisations, especially if they handle payments data, must solve.
At the same time there’s a high correspondence between those organisations struggling with PCI DSS and those that have experienced actual security breaches. Some 15% of respondents in our poll reveal that a security breach at their organisation in the past year was likely due to mishandling payment card information or similar.
Another 20% do not even know whether they have been breached via such mishandling of data. This is despite the fact some 38% of survey respondents recognise the dangers of email phishing while and 21% understand the potential for keylogging. Another 21% cite screen scraping (20.8%) and 20% spyware as important vulnerabilities used by cyber attackers to access customer or corporate data and intellectual property.
How to create a genuine culture of cyber-security
One useful way of answering the challenge is to think of security as a continuous process, rather than a singular entity that can be dealt with by deploying a point solution.
This is fully in line with the approach of the PCI DSS itself: achieving compliance through continual reassessment and remediation of problems when personal details are stored, for instance. Critical controls are tested more frequently, giving assurance at short notice that cardholder data is protected – recognising that security and compliance must go hand in hand.
Deciding the best approach means, therefore, layering and integrating complementary products and services. When based on fully fleshed out and considered policies, this can deliver flexibility and agility to mitigate and prevent cyber threats as they evolve, as well as continuing to proactively address compliance.
‘Chinks in the armour’, as it were, can be addressed as they appear since there’s no longer any need to alter an entire approach focused on a specific technology angle or way of working.
Get ready for both known and unknown threats
Defences can be revised and adapted in situ, including against the array of virtual-desktop threats, from applications to keylogging or DLL injection, on a desktop, mobile device, or thin client endpoint.
Organisations can thus realign their approaches for the ‘new normal’ of rising threats that we saw in the first half of 2021. An April cyber-readiness study by specialist insurers Hiscox found that the proportion of businesses targeted by cyber criminals in the past year alone rose to 43%, with more than one in four suffering from five or more attacks during the period.
In a hybrid workspace, with mixed device use on corporate networks including personal endpoint devices as well as company machines left unattended at home, attack surfaces are also increasing. Yet we all know that just a single click of an attachment sent in what looks like a familiar business email can open the door to malware that targets company data.
Security – an anywhere, any time process
Everything we’ve seen underlines the importance of an ongoing, holistic approach. Indeed, PCI Council guidance notes that by focusing solely on compliance, organisations may end up sacrificing security.
Businesses and other organisations must therefore consider the cyber-security challenge as a whole, adopting a culture that delivers best-practice compliance by focusing on cyber-security, and vice versa.
Dave Waterson is CEO of SentryBay
Main image courtesy of iSTockPhoto.com