The Payment Card Industry Security Standards Council (PCI SSC) has been overseeing the credit and debit card payment industry for years, and in trying to keep up with internet security and data protection standards, the governing body has released some updated guidelines and tips for risk assessments going forward.
BankInfoSecurity said there are specific areas that the council targeted with this release, reminding merchants that card data is only as secure as the weakest link in the payment chain. This means that however careful a cardholder is, they will only truly be kept safe if companies are following PCI guidelines, correctly handling this credit card information, and keeping their systems as up to date as possible.
"The standard requires an annual risk assessment, because the DSS validation is only a snapshot of your compliance at a particular point in time," Russo said. "Performing a risk assessment at least annually will help you identify the security gaps and address them. The council received a lot of requests for clarity here. We hope the guidelines help them in their efforts to establish an annual process."
Organizations currently must perform a risk assessment on a yearly basis, but new recommendations from PCI say a formalized risk assessment methodology should fit the culture of the business, identify emerging threats and vulnerabilities, and establish clear individual accountability.
Common threats must be addressed
While businesses must keep a pulse on what kind of new threats are emerging, PCI is sure to note that common threats must be the ones most heavily guarded against. Guidance from PCI said companies will need to define and document their methodology, identify the individuals who are involved, and assign them roles and responsibilities in data protection.
Outside of the common threats, BankInfoSecurity said there were 35 threats that were identified as risks for credit and debit card data security. Threats included lack of customer awareness, weak password policies, misconfigured firewalls and unencrypted cardholder data. Any one of these oversights could leave both the cardholder and the business vulnerable to a breach.
TechTarget said the guidance calls for extensive monitoring within an organization, as it will likely go beyond the data security or data loss prevention programs that are already in place. It also ensures that companies review their traffic analysis and are able to catch any new threats that occur in a timely manner.
Data Security News from SimplySecurity.com by Trend Micro.