So I’ll admit I’m relatively new to the PCI Compliance arena. That said, I’ve been working with technology and financial companies for the last 15 years, and while I’ve seen topics come and go, PCI Compliance is here to stay. I’ve noticed some commonalities among the folks I’ve spoken with recently, and I wanted to share some of my favorites.
1) PCI Compliance is not a revenue generator
Well, kind of. While the vast majority of companies I speak with realize they need to be compliant (and secure), many have a difficult time justifying the steps necessary to become compliant. The fact is that if you’re not compliant, the fines and penalties (among other drawbacks) you receive could prove to be disastrous.
2) I think we’re compliant
I hear this most often, and when I do, my mind keeps wanting me to ask, “You think, or you know?” I’m sure I don’t need to go into the difference, but with the sheer number of breaches going on, I know which answer would help me sleep better at night, knowing the cardholder data I am responsible for is in an environment that is not only compliant, but secure.
3) I filled out my SAQ, so I assume I’m compliant
In actuality, you filled out your SAQ, so you’ve claimed you’re compliant. You’ve just attested to your acquirer that you’ve met all of the standards, and you’ll be expected to provide evidence to prove it when prompted.
4) I have So-and-So handling that, so we’re all set
Oh, why didn’t you just say so? The truth is that even though you think you’re doing what is necessary to be compliant, This Article on Breaches goes to show that what you really need is to KNOW. In the article, the restaurant companies that had been breached (because of poor judgment on the part of a vendor) all thought they were compliant, but ended up facing many hardships. In still another case of a restaurant being breached in MI, a company had to close both of its locations. My guess is that they, too, thought they were “all set”.
Takeaway:
If you think you’re compliant, you may want to think again, and get that validated with PCI Compliance Services so you know you’re compliant. Call your QSA, go online, call your security partner, heck, call me! In the end, we’re all consumers just as we’re stewards of our customers’ card data. While the card brands have done their best to make sure we protect card data through the PCI Security Standards Council, it really is up to us to ensure it. Sometimes achieving compliance is lengthy, messy, and a thorn in our side. Sometimes it goes absolutely smoothly. One thing is for sure: while compliance may not specifically generate revenue, lack of compliance is a sure way to spend it. Between fines, forensics costs, and irreparable damage to the trust you’ve spent years building in your brand, not to mention how it affects your customers, compliance suddenly seems to be a very wise investment. When we go to the store or online to make purchases, the very last thing we want to think about is whether or not our favorite shopping site is taking proper care of our sensitive data. We just assume that they are, right?