Nov 20 2014
Security

4 Steps to Keep Customer Credit Data Safer

Is your business one of the 11 percent that fails to meet PCI DSS requirements?
by

Mike Chapple is associate teaching professor of IT, analytics and operations at the University of Notre Dame. 

A recent study by Verizon revealed that only 11.1 percent of companies subject to the Payment Card Industry Data Security Standard (PCI DSS) actually comply with all 12 requirements. Any business that accepts one of the major branded credit cards is subject to the scope of PCI DSS, but here are some common areas where companies fail to achieve compliance, and practical tips for getting them right.

1. Perform Penetration Testing

The latest iteration of PCI DSS, version 3.0, updates penetration testing requirements, providing more details on their scope and methodology. (The new requirements are effective June 2015.) Such testing must include network layer and application layer evaluations. Organizations subject to PCI DSS must perform this testing at least annually, and after any significant change to the environment. In all cases, testers must be professionally qualified.

2. Follow Through on Vulnerability Scanning

Requirement 11.2 mandates quarterly scans following any significant network changes, performed from both an internal and an external perspective. The challenge here is twofold: follow-through and record keeping. It is not sufficient to simply perform scans. You must scan, fix vulnerabilities and rerun the scan until it shows clean results. Maintain records for each scan and provide four passing quarterly scans for the preceding year.

3. Patch All Systems

Applying vendor updates to operating systems and applications is a time-consuming process that requires coordination and testing, but it provides a very high degree of security control by correcting known vulnerabilities with vendor-supplied patches. Requirement 6 specifies that critical security patches must be applied within a month of release. Automation is key here. Adopt system configuration management software to track patches and report noncompliance.

4. Establish a Continuous Compliance Process

The PCI DSS requirements in these three areas are long-standing, and it’s hard to imagine that any organization simply is unaware of them. Why do so many companies fail these tests? Because each requires ongoing action. Remember, compliance is not a one-time or once-a-year activity but a continuous process that requires care and feeding throughout the year.

Jupiterimages/Getty Images

More On

Related Articles

Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT

Subscribe Now