“We’re PCI DSS compliant!” Maybe, but are you still at risk?
When questioned if their payment data is secure, a common merchant response is: “We are PCI DSS Compliant”. However, data breaches continue to make headlines.
For those affected, holding up the 'PCI DSS compliant' card clearly doesn't cut it anymore.
"We are compliant". What about secure and out-of-scope?
A lack of distinction between having passed a PCI audit and actually being secure continues to benefit hackers, who can and will find the vulnerabilities in your data handling to make a profit.
So what exactly is the difference in being PCI compliant, being secure, and being out-of-scope (in plain English)?
Compliance: Showing you're able to comply by proving that something is locked away and secure at multiple points in time, e.g. proving for insurance purposes that your car is locked up in your garage when you're not home. The insurance company comes and checks up on your car once in a while.
Security: Having a measure in place to ensure something is locked up, e.g. having a garage to lock your car in, an auto-closing door which shuts every time so you don't have to remember to do it, and cameras to monitor any security threats.
De-Scoping: Removing the threat, by removing the value, e.g. you don't have a car anymore. If burglars break in, the car's no longer there and the threat is no longer an issue.
Being PCI compliant at certain points in time for auditing purposes doesn't equate to being completely risk-free. If your contact center is 'PCI Compliant' at certain points in time, but exposes agents or call recordings to card data, a genuine risk of data breach still exists.
It takes just one contact center agent to write down cardholder data, or an IT system change affecting the call recorder, to constitute a data breach, resulting in serious financial impact for the contact center.
To reinforce that point: a recent CIFAS report found that in 2013 the proportion of staff fraudsters working in customer call centers remained high, with 20% [of fraudsters across all sectors] reported to be working there.
card data from entering the contact center means from agents, call recordings and, if possible, the entire contact center.
Eliminate card data from ever entering the contact center = Eliminate the risk
Compliance is Not The Complete Solution
Just because you pass a PCI audit and have a certificate to say so, it doesn't mean you're secure.
Verizon, one of the world's largest Qualified Security Assessor (QSA) practices, surveys its own QSAs each year, along with the firms to which it provides PCI services. In its 2015 PCI Report, findings revealed that less than a year after being validated, fewer than one third of the organizations were still fully PCI DSS compliant.
Surprisingly enough, of all the data breaches studied, not one single company was fully PCI DSS compliant at the time of the breach.
A prime example: Target, the second-largest discount retailer in the United States, was PCI certified in September 2013 and breached only three months later. The data breach gave access to 70 million customers' credit card information and other customer data, racking up over £105 million in expenses.
Does This Really Matter to UK Businesses?
Although the PCI community and colleagues agree that the US is less advanced than the UK in PCI DSS and in coping with card fraud, the UK is still affected. A remarkable example of this lack of awareness saw UK insurance company Staysure.co.uk receive a £175,000 fine for a data breach. The breach involved an unidentified hacker gaining access to 5,000 customers' details and up to 110,000 live credit card numbers.
The growth in corporate data breaches means attackers are constantly seeking opportunities. Whether you consider UK businesses more or less at risk of a data breach than those in the U.S., the question to ask is: could your business really cope with six-digit fines, a reduction in sales and (not least of all) a tarnished reputation?