How to Check Credit Card Compliance (Correctly)
As another holiday season comes to a close, businesses and consumers alike are once again reminded of the importance of privacy and data security. The recent Target breach of some 40 million customers' credit card records is the holiday story that seems to keep getting worse. According to a letter Target sent to its customers, the stolen data includes customer names, credit and debit card numbers, card expiration dates, and CVVs (the three-digit security code).
This breach is another reminder of why a proper information security program is of the utmost importance. In particular, businesses that handle sensitive data are subject to compliance requirements (contractual as well as regulatory) that must be revisited regularly to make sure they are still being met. The Payment Card Industry Data Security Standard (PCI-DSS) is the primary security and compliance framework for anyone processing or storing credit card data; among other things, it does not permit the card security code to be stored after authorization. Over the past few years, security professionals have pushed for improved point-of-sale (POS) systems and payment applications.
The latest PCI-DSS requirements have been written into the 3.0 release, which imposes more stringent requirements on payment applications and POS environments. In Target's case, the environment must not have met some of the requirements written into the PCI-DSS standard. Strong information security, risk management, compliance, best practices, and supporting services are the keys to establishing and maintaining a PCI-DSS compliant environment.
Many businesses, particularly smaller organizations, have a difficult time achieving PCI-DSS compliance. A lack of resources, domain knowledge, or dedicated information security staff can all make meeting the PCI-DSS requirements difficult.
How to Get PCI-DSS Compliance?
So what can an organization that handles sensitive data do if it does not have the resources to achieve PCI-DSS compliance on its own?
First, have an independent IT security audit performed by a proven outside company against the PCI-DSS framework. Such an audit will surface organizational risks that are easy to overlook from the inside and shed light on the current state of the information security environment. It should also deliver an action plan for remediating every area found to be out of compliance. Note that an audit of this kind is not the same thing as formal PCI-DSS validation: depending on transaction volume, that is done either through an assessment by a Qualified Security Assessor (QSA) or through the appropriate Self-Assessment Questionnaire (SAQ), and the audit is what gets the organization ready for it.
Second, adopt a formal information security policy that follows industry best practices and controls. Put in place a vendor management program that performs due diligence before any payment processing application is purchased. Schedule follow-up assessments to confirm that the infrastructure still conforms to best practices and to the PCI-DSS requirements, since compliance is a state that is validated at a point in time and drifts as systems change.
These are the first steps down the road to PCI-DSS compliance. Good IT governance is what keeps an information security program alive and producing results. The ultimate lesson of the Target breach is that organizations need to pay much closer attention to the POS-related changes specified in the new PCI-DSS 3.0 standard.