Although not all payment processing organizations meet PCI DSS standards, and not all are required to, most reputable payment card companies require that their payment processors meet the requirements. One such organization is Visa, who will not authorize a payment processor without that company validating PCI DSS compliance. Visa’s position in the market means that exposing themselves to the greater liability risk of working with a processor that does not meet PCI DSS standards, may be devastating to their business. The PCI DSS standards are all about risk reduction, and following are examples of what the risk reduction process looks like within an organization that is PCI DSS compliant.
Preventing a data breach is one of the primary objectives of PCI DSS; therefore, the program requires businesses to add a state-of-the-art firewall to their database, since firewalls are commonly accepted as a first line of defense against most of the threats that are sent over the web. Beyond just installation of a firewall, the standardization requires that no enterprise use default hardware or software passwords. Base or default security software that accompanies hardware devices is also not recommended.
To further prevent breaches, processors are also required to use cutting-edge software that automatically encrypts each customer’s information. However, encryption algorithms may become obsolete. Therefore, higher end encryption programs periodically modify the type of encryption they use in order to prevent attackers from breaking the codes.
The PCI DSS standards also recommend that a processor set up scanning software at multiple levels, and most notably at the point of download. Given that the end user is a primary vulnerability to data breach, the standards suggest that any download be scanned for potential malware prior to it actually being installed on the computer. Scanning software also has the ability to notify administrators if malware has made its way through in the download.
Another common layer in preventing breaches is actually to have a breach performed intentionally, in the form of a penetration test. A PCI DSS compliant organization will employ a third party cyber security organization to actively attack their network to try and identify weaknesses or vulnerabilities. This type of operation should be performed regularly, as systems, applications, hardware and software are typically updated regularly. Once the results of a penetration test are complete, these results are presented to processor company’s management in the form of a report, and are then acted upon by either the organization, or the third party (penetration testing) company in order to patch the vulnerabilities.
Internal Employee Guidelines and Privacy
In 2011, the Payment Card Industry Security Standards Council created a policy prohibiting call centers from storing recordings that contained a cardholder’s information if the audio files would be accessible to multiple users. Given that audio files are often the primary source of customer personally identifiable information (PII) within a call center, this practice helps to reduce the risk within the specific call center environment.
To further protect an individual’s data, the PCI DSS indicates that a payment processor company should only show a customer’s data to employees who play a critical role in the payment collection process. The organization will typically assign an identification number to each designated employee. Software is then installed within the organization to track the activity of the designated employees. If a customer’s information is compromised, the business can view a list of employees who accessed the data prior to the breach.
Although PCI DSS is not mandated for all payment processor companies, and by no means is it perfect, it does play a positive role in reducing risk for the card companies, and for the customers. It provides a guideline to companies who handle individual’s personally identifiable information, and without those guidelines, it would be all too easy for potential hackers and criminals to access valuable data which often ends up for sale on the dark web.
About the Author
Ryan J Corey is CoFounder of Cybrary which is a free online cyber security training platform. Cybrary provides cyber security classes from entry level to advanced. Cybrary also provides enterprise organizations with security training classes such as End User Security Awareness.