Furthermore, while 94 per cent of respondents said they have heard of PCI compliance, and 66 per cent acknowledged that PCI applies to their organisations, only 21 per cent admitted they feel up to speed regarding PCI compliance requirements. Note that PCI explains that its DSS “applies to ALL organisations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data.”
This points to poor cyber-security safeguards for those systems that process credit card payments and handle customers’ personally identifiable information (PII).
Almost half of respondents working in organisations with POS systems indicated that they cannot adequately monitor and control access to critical data on their endpoints, suggesting that endpoint systems and payment card data are largely unprotected and vulnerable to being breached.
Additionally, only 20 per cent of those with POS systems could definitely say that their systems have not been targeted by cyber attacks, and 47 per cent admitted that they have no way of being certain.
Only ten per cent of the IT budget is being spent on meeting new PCI 3.0 requirements (in organisations where PCI is relevant). Data breaches can lead to catastrophic consequences, and organisations must prioritise compliance regulations and ensure their house is in order.
Christopher Strand, senior director of compliance for Bit9 + Carbon Black, said: “In an industry fraught with identity theft and cyber crime, it’s essential that companies protect their customers’ credit card data and personal information. This can only be achieved by putting in place a positive security model that will monitor and control all servers, endpoints and critical data. Whilst the PCI regulations may seem intimidating, the results of a breach far outweigh the effort involved in ensuring your organisation is compliant.”
The PCI DSS requirements fall into six categories:
- Build and maintain a secure network: Install and maintain a firewall and avoid using vendor-supplied system passwords;
- Protect cardholder data: e.g. encrypting transmission of cardholder data across public networks;
- Maintain a vulnerability management program: Regularly use and update antivirus software and maintain secure systems and applications;
- Implement strong access control measures: Restrict who has access to cardholder data and assign a unique ID to each person with computer access;
- Regularly monitor and test networks: Track and monitor access to network resources and cardholder data and regularly test security systems; and
- Maintain an information security policy: Address information security within your company.