Payment Card Industry Data Security Standards
You probably don’t need to be sold on the importance of securing financial information, particularly credit card information. There have been several high-profile breaches of credit card data in recent years, the most prominent being the theft of more than 40 million card numbers from Target’s customers. The payment card industry is self-regulated, so the burden of defining and enforcing data security standards falls upon its members. The data security guidelines for the payment card industry are governed by the Payment Card Industry Data Security Standards, or PCI DSS.
The topics covered in this series of training videos revolve around the essential elements of PCI DSS: the why, what, how, and who of protecting cardholder data, organized into 12 essential requirements or elements. Securing cardholder data requires strong enforcement and begins at the top of the organization; without buy-in from senior management, the effort has little hope of succeeding.
We’ll examine the various sources and types of attacks targeting cardholder data, along with the policies and procedures used to thwart them. Attacks can originate either internally or externally and can be either intentional (malicious) or unintentional. Many internal threats posed by employees are unintentional, such as lost laptops or falling victim to scams and phishing attacks.
Securing cardholder data falls under the umbrella of risk management, which consists of risk assessment, risk analysis, and risk mitigation. These methods are part and parcel of the 12 elements of the PCI DSS framework and are discussed in detail in the last two videos of this series. In essence, these elements are basic, common sense best practices of network security and secure data handling.
One of the fundamental requirements of the PCI DSS framework is to build and maintain a secure network. This consists of using firewalls, routers, and other devices to protect the network and its resources, such as cardholder data. It is not sufficient to simply deploy these devices straight out of the box, as easy and tempting as that may seem. Default settings on these devices (vendor-supplied passwords, open management interfaces, permissive rules) must be reconfigured to something much more secure.
Best practices for securing data both at rest and in transit must be followed. The rules of data security that follow the IAAA principles of identification, authentication, authorization, and access control must also be followed. This leads to maintaining an audit trail of data access and controlling who (the subject) has access to which resources (the objects) and what they are permitted to do with them once they have acquired access.
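The subject/object/permitted-action model and the audit trail described above, as an added example that is not part of the training series: a minimal authorization check over cardholder records that logs every attempt, allowed or denied, and masks the PAN unless the role is permitted to see it in full. The roles, actions and sample record are constructed assumptions.

```python
"""Added example (not from the PCI DSS training series): subject/object access
control with an audit trail for cardholder data. Roles, actions and the sample
record are constructed for illustration."""
from datetime import datetime, timezone
from typing import Optional

# Authorization matrix: role -> actions permitted on cardholder records.
# Constructed; a real deployment derives this from documented policy.
ROLE_PERMISSIONS = {
    "cashier": {"read_masked"},
    "fraud_analyst": {"read_masked", "read_full"},
    "dba": {"read_masked", "export"},
}

AUDIT_LOG: list = []  # in-memory audit trail; one entry per access attempt


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits of the PAN for display."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def access_cardholder_data(subject: str, role: str, action: str, record: dict) -> Optional[str]:
    """Return the permitted view of the record, or None when access is denied.
    Every attempt is recorded: who (subject), what (object), action, outcome."""
    permitted = action in ROLE_PERMISSIONS.get(role, set())
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "subject": subject,
        "object": record["id"],
        "action": action,
        "result": "ALLOW" if permitted else "DENY",
    })
    if not permitted:
        return None
    if action == "read_full":
        return record["pan"]          # only roles explicitly granted full view
    return mask_pan(record["pan"])    # default view is the masked PAN


if __name__ == "__main__":
    sample = {"id": "card-0001", "pan": "4111 1111 1111 1111"}  # constructed test PAN
    print(access_cardholder_data("alice", "cashier", "read_masked", sample))
    print(access_cardholder_data("bob", "cashier", "read_full", sample))
    for entry in AUDIT_LOG:
        print(entry)
```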
An organization is only as secure as its weakest links, and in most situations those links are software and people. This requires instituting secure development standards and enforcing best practices for coding. Educating employees about proper data handling procedures, and ensuring that they are aware of the social engineering threats aimed at them, is critical.
Finally, all of these standards, internal policies, and procedures must be monitored on an ongoing basis to ensure that vulnerabilities and risks are identified and then mitigated. The bad guys don’t rest, and it’s essential that organizations remain ever vigilant in such a hostile environment. The costs, both financial and in terms of lost trust and reputation, are too high to ever become complacent.