No matter what type of business you operate, if you take card payments you cannot afford to overlook PCI DSS. Whether you take one card payment or one thousand, and whether you accept one type of card or the full range of debit and credit cards, PCI DSS is something you need to adhere to. Failure to do so could have devastating consequences for your business, including hefty fines and a damaged reputation. Below, we look at the reasons to consider expert PCI consultancy for your business.
Make sure you get PCI DSS right
There is only one place to begin, and that is with the peace of mind of knowing that your business is PCI compliant. So many businesses assume that they comply with PCI DSS when, in fact, they don’t. This is because PCI DSS is a confusing field and something of a grey area, and there is a great deal that needs to be addressed. PCI DSS consists of 12 requirements, and within each requirement there is a further set of rules you need to follow. If you do not have experience in payment security and have not studied PCI DSS extensively, you will not be able to ensure your business is compliant. It is best to leave this to the experts.
Save your company time
Fulfilling PCI DSS requirements can take a lot of time. As mentioned above, there is a lot to consider and many requirements to fulfil. Not only this, but PCI DSS never sits still: you don’t simply achieve compliance and forget about it. You need to work constantly to make sure you remain compliant.
Save your business money
The main reason why so many business owners overlook PCI consultancy is that they see it as an unnecessary expense. However, by investing in this service you can save a considerable amount of money in the long run, for two reasons. Firstly, your business will be protected from a data breach and you will be fully compliant. This means that you can avoid all of the expense that comes with a breach, from compensation to the cost of fixing the security vulnerability. Secondly, by investing in security now, you save yourself money in the future: you will have a solid security strategy in place that protects your business and helps you to work more efficiently.
As you can see, there are many benefits associated with expert PCI DSS consultancy. Ultimately, you can be certain that you will achieve PCI compliance and that you will have the strongest defence in place against the possibility of a breach.
This month marks the tenth anniversary of PCI DSS, the Payment Card Industry Security Standards Council. PCI DSS was designed to ensure that businesses and organisations handle their customers’ credit and debit card data securely. It reduces data breaches and fraud through a set of 12 requirements that need to be followed. Below, we take a look at some of the positives of PCI DSS in more detail.
- A high benchmark for businesses – For any sector to evaluate how well it is doing, there must be an objective standard in place. This gives businesses and organisations clarity regarding what they should be aiming for. PCI DSS sets the bar, and without it, most businesses would not know how to keep their customers’ payment information safe.
- A mark of trust – Businesses that are PCI compliant reap the rewards of greater trust from their customers and potential customers. People are more likely to use a service if they know that it adheres to PCI DSS and goes to great lengths to make sure that its clients’ payment data is safe. You can use this to enhance your brand and market your business as a credible and trusted one.
- Third-party service providers addressed – PCI DSS 3.2, the latest version of the standard, extends beyond merchants. A requirement for third-party service providers has been added in response to a number of data breaches over the past few years that were caused by a weak link in information security. To prove that operational procedures and security policies are being followed, third-party providers need to perform reviews on a quarterly basis, as well as penetration testing of segmentation controls twice a year.
- Establishes a strong starting point – Another benefit of this standard is that it provides an excellent starting point for any company or organisation seeking a baseline for protecting its customers’ payment card information. They can get to grips with all of the fundamentals of a strong information security programme, including identifying where such data lives, finding any vulnerabilities that could lead to a compromise, remediating those weaknesses, and reporting to the relevant card brands and banks.
- Continual attention demanded – One of the great things about PCI DSS is that it is updated regularly, unlike a lot of other business standards. In fact, since it was introduced in 2006, PCI DSS has been updated seven times. This is essential when you consider the evolving business and technical environment. It means that businesses need to provide this area of their business with constant attention, ensuring that they stay ahead of the latest trends and do all in their power to protect confidential payment information.
All things considered, it is not difficult to see why PCI DSS is so important across all industries. It is the only way to make sure that all businesses are making the effort that is required of them to protect their consumers’ data.
If you have seen the news lately, you will have come across a number of reports indicating that small businesses do not take the cyber security threat seriously. This is despite the fact that 74 per cent of small companies experienced a breach last year and that the average cost of a severe online security attack has doubled, now standing at roughly £1.5m. The government has even issued a warning urging companies to take action. So, why aren’t small firms taking the cyber security threat seriously?
- They don’t know where to begin – One of the main reasons why businesses are struggling to achieve PCI compliance and protect their company is simply because they do not know where to start. This is understandable. Cyber security is a complex field, and it is difficult to know what your business needs. Moreover, when it comes to entrusting someone with your confidential data, you need to choose a firm with extreme caution.
- They think that their business is too small to be a target – There is no such thing as ‘too small’: all businesses are at risk. This is especially true when you consider that 80 per cent of cyber breaches are not targeted but opportunistic. This means that simply by not having a data security system in place, you are a target. Moreover, cyber criminals often see small companies as an easy payday, as they know they do not have as many resources to spend on data security as larger firms do.
- They don’t want to spend money on an issue that they are not responsible for – This is the type of thinking that could get your business in serious trouble. We know that it is somewhat unfair that you have to spend money protecting your firm against a problem that you have not caused. But, quite frankly, the other alternative is a lot more devastating and costly. Think about your property. You wouldn’t leave your doors open at your home would you? You have invested in locks, and no doubt an alarm system and other security products. Cyber security precautions are just as important. After all, you want your business to be safeguarded.
- They don’t think cyber security is worth spending money on – A lot of small businesses have limited budgets, and, therefore, they don’t feel that they should be spending their money on cyber security. This is especially the case because data security does not contribute to the revenue of a business. However, investing in cyber security is securing the future of your company, and, if you fail to do so, the costs are truly extortionate, including compensation costs, the expense of identifying the security problem and fixing it, non-compliance fines, and money spent on re-building your reputation.
It is not hard to see why some business owners may be a bit reluctant when it comes to cyber security, but the points mentioned above are no excuse to ignore the threat of a data breach. If you don’t take the steps to protect your business, you could find yourself with a disaster on your hands. Retail Secure can help you get started.
The spotlight has been on cyber security in the food industry of late, in light of the recent data breach at the Wendy’s fast food chain in America. The breach, which affected more than 1,000 Wendy’s food establishments, involved debit and credit card information being compromised. While this is a big story that has received a lot of attention, it is not an unusual scenario. Data breaches happen every day; many go unreported, and some, worryingly, go undetected. A cyber attack could spell the end of your takeaway or restaurant, which is why payment security is a must.
Last year, 74 per cent of small companies in the United Kingdom suffered a data breach, and 90 per cent of large businesses experienced the same fate. This shows you how the threat of a breach is very, very real. And, if your business experiences a cyber breach it can be exceptionally difficult to come back from. You will encounter huge losses in the form of discovering the vulnerability and fixing it, compensation expenses, non-compliance fines, and the cost of re-building your reputation. This can be extremely difficult, as your customers will lose trust in your business and your profits will dwindle as a consequence. Is this something you could come back from?
It is really not worth the risk. At Retail Secure, we can give your business the protection it needs, reducing the chance of a data breach and ensuring PCI compliance. If you are not aware of PCI compliance, listen up! This is something all restaurants and takeaways need to be concerned with if they store, process, or transmit card data. Basically, if you accept debit or credit cards at your food establishment, you need to achieve compliance. There is a set of 12 payment security requirements that need to be followed. This can be confusing, especially for those with no experience in the cyber security sector. Luckily, we have you covered.
Our affordable and straightforward data security system, RetailCompli, leads the way. You are guaranteed 100 per cent compliance, and there are many security features in place to give your business an edge. This includes everything from 24-hour monitoring to an advanced firewall for end-to-end protection. Nevertheless, the main feature of our service is the creation of a separate Cardholder Data Environment (CDE). At present, it is likely that you have an open network, meaning that access to your data is easy for hackers. We implement LAN segregation so that all confidential data, including payment information, sits in a secured environment where access is restricted.
Don’t leave it until it is too late; protect the future of your restaurant or takeaway today. Considering the number of businesses that were breached in the UK in 2015, you are simply a sitting duck if you do not have protection in place. People aren’t going to want to purchase their fish and chips from you if it comes at a risk of being a victim of fraud, that’s for sure!
Most recently, we have heard the news that Wendy’s has experienced a malware breach that has impacted more than a thousand locations across the US. However, this is just one in a long list of data breaches, and if you do not protect your company, you will be next. Keeping that in mind, we have put together a list of essential cyber security tips for all businesses to follow.
- Train your employees in cyber security – Did you know that a large proportion of data breaches are caused by employees? This can be the work of malicious employees, but most of the time it is because staff lack cyber security training and so make costly mistakes without even realising it. With training, employees can practise good security and handle any data that comes their way more responsibly.
- Implement multi-factor authentication – Multi-factor authentication means that employees have to pass a further security step beyond entering their password. This additional layer makes it much more difficult for an intruder to find a way in. Examples of additional factors include fingerprints and verification codes sent via email or mobile phone.
- Create a separate Cardholder Data Environment (CDE) – This is an essential part of PCI compliance. At present, it is likely that everything is stored on your network in an open environment, meaning that access is easy. This provides hackers with a straightforward way in. Instead, with a separate CDE, all confidential data, such as payment information, will be segregated from everything else on the network. This reduces the chance of a breach considerably, as access is restricted.
- Use unique passwords – You should never use vendor default passwords. Make sure that all employees use unique passwords, and encourage them to use a different password for each system. Not only this, but it is advisable to change passwords every few months.
- Control physical access to computers – When it comes to cyber security, it is easy to get consumed with remote network access. However, you do need to bear in mind physical access to computers as well. Make sure that unauthorised individuals cannot access your business computers. As laptops can easily be stolen, it is important to ensure they are locked up when they are not being used. Moreover, you need to have strong access controls in place, as mentioned above.
- Have an effective firewall in place – Last but not least, don’t overlook the importance of a firewall. A firewall can often be undervalued. However, so long as you choose a firewall with care and update it regularly, you will benefit from effective end-to-end protection.
As you are probably well aware, the UK public voted to leave the EU last Thursday. Since then, we have all been debating how this decision is going to impact our lives, businesses, and the economy on the whole. While it is impossible to fully determine what is going to happen, many experts have been giving their opinion on the impact of Brexit on cyber security.
Of course, professionals have differing opinions, with some believing leaving the EU won’t even make a difference while others are concerned that it will have a detrimental impact on the UK’s fight against cyber crime. Prior to the vote, Tripwire conducted a poll of 278 security professionals. The poll concluded that the majority, 64 per cent, believed there would not be any changes if Britain voted to leave the EU.
However, one person that disagrees with this is the co-founder and CTO of Bromium, Simon Crosby. He envisions two major problems. The first is the fact that the EU provides more than a third of research funding for UK universities. If the UK government does not supplement this funding, universities throughout the country will struggle to deliver the highly skilled tech workers that the economy demands. He also believes that a lot of the great technical talent in the country will move elsewhere. This is because talent has become cheaper for foreign countries to hire, and places such as the USA are likely to pay such professionals more.
Another point worth noting is that the UK could become much more susceptible to cyber attacks if it no longer benefits from intelligence sharing with other EU states. Whether this happens remains to be seen, as deals may yet be struck. After all, once Article 50 is invoked the UK still has two years to leave the EU, and it is during this period that we will see the country attempt to strike deals.
It is also worth considering the impact that Brexit will have on data security policies. While the UK will need to implement a new data protection scheme, companies will also need to adhere to the EU regulations whenever they are transferring data to and from the EU. Therefore, the legislation that is in place is still going to apply to cyber security businesses.
All in all, there is no denying that there is uncertainty ahead, as the implications of leaving the EU aren’t fully clear. Negotiations will be long and on-going, and until we learn of any conclusions it is impossible to fully understand the impact Brexit is going to have on the cyber security industry. However, when compared with other sectors it does not seem as severe.
Over the past month, eyes have well and truly been on banks, as there have been reports of numerous breaches in the industry. Of course, the breach that grabbed all of the headlines was the one at Bangladesh’s central bank, which resulted in over $80 million being stolen. However, SWIFT, a worldwide provider of secure financial messaging services used by approximately 11,000 financial institutions, has revealed that a second bank has been hit. It has not revealed the name of the organisation or how severe the breach was.
This shows that the Bangladesh incident was not an isolated one. Rather, there appears to be a highly adaptive group of cyber criminals deliberately targeting a number of banks. Nevertheless, it is worth noting that the unnamed bank had poor security controls in place, which is how the hackers gained access to its network. The bank used second-hand Internet routers, costing a mere $10, to connect to global financial networks. And, shockingly, it had no firewall in place, which would have blocked unauthorised access requests.
This incident highlights the importance of having an effective and up-to-date firewall in place. In fact, this is one of the main requirements under PCI DSS: Requirement 1 states that all businesses must install and maintain a firewall configuration. It is split into five steps. The first is to establish and implement firewall and router configuration standards. After this, companies need to build firewall and router configurations that restrict connections between untrusted networks and any system components in the Cardholder Data Environment. The next step is to prohibit direct public access between the Internet and any Cardholder Data Environment system components. Step four is to install personal firewall software on any mobile and employee-owned devices. And, finally, all security policies and operational procedures related to firewall management need to be documented.
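As an added illustration of steps two and three above (constructed example code, not Retail Secure’s or the PCI Council’s), the following Python audit checks a simplified rule list for allow-rules that give untrusted networks direct access to CDE addresses, for catch-all permits, and for a missing final deny-all. The rule syntax, the 10.20.0.0/24 CDE subnet, the 10.0.0.0/8 trusted range and both sample rulesets are assumptions made for the example.

```python
"""Audit a simplified firewall ruleset against PCI DSS Requirement 1 goals.

Added example, not Retail Secure's code. The rule syntax, the CDE subnet and
the sample rulesets below are all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed addressing: the segregated Cardholder Data Environment (CDE) and
# the internal ranges that count as "trusted"; anything else is untrusted.
CDE_NETWORK = ipaddress.ip_network("10.20.0.0/24")
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: str     # destination port number or "any"
    text: str     # rule as written, kept for reporting


def parse_rule(line: str) -> Rule:
    """Parse one constructed rule line: 'allow tcp 0.0.0.0/0 -> 10.20.0.5/32 443'."""
    action, proto, src, arrow, dst, port = line.split()
    if action not in ("allow", "deny") or arrow != "->":
        raise ValueError(f"bad rule syntax: {line!r}")
    return Rule(action, proto, ipaddress.ip_network(src),
                ipaddress.ip_network(dst), port, line)


def is_untrusted(net: ipaddress.IPv4Network) -> bool:
    """A network is trusted only if it lies entirely inside an internal range."""
    return not any(net.subnet_of(internal) for internal in INTERNAL_NETWORKS)


def audit(ruleset: str) -> List[Tuple[str, str]]:
    """Return (finding_code, rule_text) pairs; an empty list means no issues."""
    rules = []
    for raw in ruleset.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            rules.append(parse_rule(line))

    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src == ANY and r.dst == ANY:
            findings.append(("PERMIT_ANY", r.text))   # no restriction at all
            continue
        # Step three: no direct public access between the Internet and the CDE.
        if is_untrusted(r.src) and r.dst.overlaps(CDE_NETWORK):
            findings.append(("PUBLIC_TO_CDE", r.text))
        if r.src.overlaps(CDE_NETWORK) and is_untrusted(r.dst):
            findings.append(("CDE_TO_PUBLIC", r.text))

    # Step two: traffic that is not explicitly permitted should be denied.
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == ANY and last.dst == ANY):
        findings.append(("NO_DEFAULT_DENY", last.text if last else "<empty ruleset>"))
    return findings


# Constructed "open network" ruleset of the kind the posts warn about.
OPEN_RULESET = """
allow tcp 10.10.0.0/24 -> 10.20.0.0/24 443     # office to payment app
allow tcp 0.0.0.0/0 -> 10.20.0.5/32 22         # remote admin straight from the Internet
allow udp 10.20.0.0/24 -> 10.10.0.53/32 53     # CDE to internal DNS
allow any 0.0.0.0/0 -> 0.0.0.0/0 any           # catch-all permit
deny any 0.0.0.0/0 -> 0.0.0.0/0 any
"""

# Constructed segmented ruleset: the Internet reaches only a DMZ host, which
# alone may talk to the CDE; everything else is dropped.
SEGMENTED_RULESET = """
allow tcp 0.0.0.0/0 -> 10.30.0.10/32 443       # Internet to DMZ web front end
allow tcp 10.30.0.10/32 -> 10.20.0.5/32 8443   # DMZ to payment service in CDE
allow tcp 10.10.0.0/24 -> 10.20.0.0/24 22      # admin subnet to CDE
deny any 0.0.0.0/0 -> 0.0.0.0/0 any
"""

if __name__ == "__main__":
    for name, rs in (("open", OPEN_RULESET), ("segmented", SEGMENTED_RULESET)):
        print(name, audit(rs) or "no findings")
```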
As you can see, this is a critical part of protecting customers’ data. It is the number one requirement for PCI compliance, and there is a lot more to it than simply downloading a free firewall from the Internet. The fact that the bank in question did not have a firewall in place provided the cyber criminals with an easy route in.
Recently, the 2016 update to the PCI DSS Standard landed. ‘3.2’, as it is known, has not imposed large and drastic changes. Rather, the new standard outlines a number of revisions that are somewhat digestible. We are going to take a look at them in this post to give you a better understanding. So, read on to discover more.
One of the new requirements is that all businesses must have multi-factor authentication in place for sysadmins. Multi-factor authentication is something you should already be familiar with, as the previous standard required it for remote access to the CDE (Cardholder Data Environment). It involves teaming a password with another form of authentication before access is granted, such as a fingerprint or a unique code sent via email or mobile phone. With this update, even sysadmins with local access to the CDE will need more than a password to get in. All merchants have until 1 February 2018 to implement this.
In addition, firms need to move away from older versions of SSL and TLS. You have two years to complete this: until July 2018, to be precise. Another notable change relates to the new DESV (Designated Entities Supplemental Validation) requirements for service providers. These include checking on a quarterly basis that personnel are complying with security policies, conducting penetration tests twice a year, and using detection mechanisms so that any critical security control failures can be found.
So there you have it; a look at some of the changes that were made in the recent update of the PCI DSS standard. If you currently do not comply with PCI DSS and you take payment via card, you are putting your business at a huge risk. If a breach occurs, not only will you have fraud losses to deal with, but also you will face substantial non-compliance fines, compensation expenses, and severe reputational damage. It really is not worth the risk.
However, if you are like most and think that data security is too expensive and time consuming, the best thing to do is outsource this area to a business that will take care of it for you and guarantee PCI compliance. This is exactly what you get with Retail Secure: RetailCompli, its cloud-based network security solution, is a PCI DSS Level 1 certified solution, ensuring full compliance.
A lot of business owners believe that choosing to outsource payment processing is a simple way to deal with PCI DSS compliance. This is not the case. You still need to make sure you are compliant, as it is highly likely that you will handle card data at some point. Moreover, it is your responsibility to ensure the payment processor you choose is compliant.
You should never simply assume that this is the case, and you should never bank on being able to blame any breach or compliance issue on them. You will still be held responsible, you will still be fined, and you will still suffer huge reputational damage. With that in mind, read on to discover the key questions you should ask before choosing a third-party payment processor.
- Are your payment systems fully compliant with PCI DSS? This is undoubtedly one of the first questions you need to ask before choosing a payment processor. As PCI DSS is not law, you should never assume that every card payment processor is compliant. Nevertheless, just because it is not law does not mean that PCI DSS does not need to be followed. You will find yourself facing fines of between £3,000 and £65,000 if you are found not to comply with the requirements, and that is without considering the reputational damage and compensation expenses.
- Have you ever experienced any data breaches? Don’t be afraid to ask this question. You are well within your rights to know whether the card payment processor has had security issues in the past. If there has been a breach, you should find out how it occurred and what the company has done to ensure the vulnerability has been eradicated.
- What security features do you provide? It’s not enough to simply get the answer ‘yes’ to the first question about PCI DSS and then agree to use the company’s services. You need to have a full understanding of the different security capabilities of their processing system so that you are aware of the efforts they are taking to secure all data. The best companies will have an array of in-built features, such as tokenisation, which will ensure cardholder data is protected.
- How do you protect against fraud? You should also enquire about the fraud prevention methods the payment processor has in place. They should provide a good selection of screening and fraud protection tools. One of the most popular options is a filter that determines where, and from whom, payments have been received. If you are going to be accepting payments from individuals you don’t have an existing relationship with, these tools are crucial.
While some industries still fail to take the cyber security threat seriously, one sector that does is the finance industry. A recent Bank of England survey, the Systemic Risk Survey, revealed that this is the main concern for bankers: 46 per cent of bosses cited the prospect of a data breach as a key issue. That is a rise of 36 percentage points on the year before, when only 10 per cent of bosses named cyber security as a primary concern towards the end of 2014.
The Bank of England released a statement describing cyber attacks as an increasingly serious threat to the resilience of the financial system in the UK. It also said that a breach could threaten the critical services provided to the economy, which is why it intends to take action, and it has called on UK and international authorities to do the same.
Coincidentally, this report comes at a time when banks all over the world have been asked to confirm that they are adhering to proper cyber security processes after there was a data breach on the central bank of Bangladesh, which cost more than $80 million. The hackers, who are still unknown, managed to gain access to the computer systems. They attempted to steal $951 million, but some of the transfers were blocked. Nevertheless, just over $80 million managed to slip through the wire, being transferred to various accounts located in the Philippines.
Another report has stated that since 2013, financial companies in the UK have logged 791 data breaches, an increase of more than 50 per cent. Banks that have logged a breach include Santander, RBS, Lloyds Banking Group, HSBC, and Barclays. The report also states that the main cause of these breaches is human error, highlighting the need to train employees in safe cyber security practices.
Considering the abundance of financial information held by banks and other financial institutions, it is not difficult to work out why these businesses and organisations are a target for cyber criminals. It is imperative for these establishments to have stringent security measures in place to reduce the chance of a data breach. After all, while the central bank of Bangladesh may have lost $80 million in fraud losses, the money it has lost will only continue to grow as it begins to repair the damage. It will have to determine where the vulnerability in its system was, and it will need to address it. That is without even mentioning compensation costs and the money spent on marketing to repair the damage done to the bank’s reputation.