Retired Member

PCI Compliance: What are the challenges surrounding payment data protection?

28 July 2015

PCI compliance is a vital step in creating trust between an organisation and its partners, and success in this realm can really boost customer confidence in a company. However, this can be a particularly tricky road to navigate. According to the 2015 Verizon PCI Compliance Report, only 29% of companies successfully maintained full compliance during their last annual audit.

Businesses need to put in place a third-party assurance programme that outlines clear policies and procedures, to ensure that customer card data and systems are fully protected at all times and in a compliant manner. So what are the challenges facing organisations striving for continued PCI compliance?

Separation of duties 

Complications around PCI compliance arise when access overlaps between departments within an organisation. Separation of duties (SoD) is a key concept in the protection of payment data: it ensures that no person acting alone can compromise a security control. Just as you would not want one person to be able to both request and approve a purchase order, the person who designs and implements a security control should not be the same person who operates and tests it. PCI DSS applies the same principle to environments, requiring that development and test environments be separated from production and that duties be divided between the two.

To ensure payment data is accessed in a compliant manner, an organisation must regulate who has access to what. Compliance can fail if so-called 'super-users' have too much access. Where an admin account exists that can reach everything, you must know exactly who can use it, and when and why they are using it. In practice that means individual accounts rather than a shared root or admin login, and logs that tie every privileged action to a named person (PCI DSS Requirements 8 and 10 cover unique user identification and the logging of administrative actions respectively).

System access controls

An organisation can be found non-compliant if the controls around its operating systems are not set properly, leaving directories of customer payment details readable by more users than necessary. If a user opens something they are not supposed to, you need to be able to work out who it was and where they connected from, which requires real-time visibility of when sensitive files or applications are opened. Separation of duties and role-based access control limit excessive access to sensitive information by granting access to applications by role rather than to individuals. Where a company has a high volume of users with varying degrees of access, it is vital to define clear access requirements for each role up front and enforce them, rather than granting access case by case.

Terminated staff or consultants still have access

Terminated staff are a predominant issue in many security breaches, and a particular pitfall where PCI compliance is concerned. Accounts belonging to terminated staff or consultants, if not disabled promptly, provide an easy route in for attackers. During one infamous hack in the US, Walmart was caught out because it was not monitoring for remote access to terminated accounts from abroad, which led to many MoneyCard customers becoming victims of false payments. Understanding who has access to private financial data, such as card numbers, and managing the timeliness of access termination is critical: the leaver process should trigger account removal, and periodic access reviews should reconcile active accounts against the list of leavers.
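As an added worked example (not code from the original post), the following Python script performs the access review that the three sections above describe: it detects separation-of-duties conflicts in a role assignment list, finds accounts that are still active after their owner's termination date, and flags cardholder-data file access by terminated users or by users with no role that permits it. The role names, the `/cde/` path, the `key=value` audit-log format, the SoD policy and all sample data are constructed assumptions.

```python
"""Access review for a cardholder data environment (CDE): SoD conflicts,
accounts that outlive their owner's termination, and CDE file access by
people who should not have it. Added example with constructed data; not
code from the original article. Role names, paths and log format are
assumptions."""
import re
from datetime import datetime, timezone

# Constructed role assignments (user -> roles held).
ROLE_ASSIGNMENTS = {
    "alice": {"purchase_requester", "purchase_approver"},
    "bob": {"security_designer"},
    "carol": {"security_tester"},
    "dave": {"cde_admin"},
    "erin": {"cde_admin", "security_designer", "security_tester"},
    "frank": {"helpdesk"},
}

# Assumed policy: no single person may hold both roles of a pair.
SOD_CONFLICTS = [
    ("purchase_requester", "purchase_approver"),
    ("security_designer", "security_tester"),
]

# Roles permitted to read files under CDE_PREFIX (assumed).
CDE_ROLES = {"cde_admin"}
CDE_PREFIX = "/cde/"

# Constructed HR leaver feed: user -> termination time (ISO 8601, UTC).
TERMINATIONS = {"dave": "2015-07-20T17:00:00Z"}

# Constructed file-access audit lines in an assumed key=value format.
AUDIT_LOG = """\
2015-07-21T02:13:44Z user=dave action=open path=/cde/cards/batch_0715.csv src=203.0.113.9
2015-07-21T09:05:10Z user=erin action=open path=/cde/cards/batch_0715.csv src=10.0.0.14
2015-07-21T09:07:31Z user=frank action=open path=/cde/cards/batch_0715.csv src=10.0.0.22
2015-07-21T09:30:02Z user=bob action=open path=/home/bob/notes.txt src=10.0.0.31
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"path=(?P<path>\S+) src=(?P<src>\S+)$"
)


def parse_ts(s):
    """Parse an ISO 8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def find_sod_conflicts(assignments=ROLE_ASSIGNMENTS, conflicts=SOD_CONFLICTS):
    """Return {user: [conflicting role pairs]} for users holding both roles of a pair."""
    found = {}
    for user, roles in sorted(assignments.items()):
        hits = [pair for pair in conflicts if set(pair) <= roles]
        if hits:
            found[user] = hits
    return found


def find_stale_accounts(as_of, assignments=ROLE_ASSIGNMENTS, terminations=TERMINATIONS):
    """Users terminated on or before as_of who still hold any role."""
    cutoff = parse_ts(as_of)
    return sorted(u for u, t in terminations.items()
                  if parse_ts(t) <= cutoff and u in assignments)


def review_cde_access(log=AUDIT_LOG, assignments=ROLE_ASSIGNMENTS,
                      terminations=TERMINATIONS):
    """Flag CDE file opens by terminated users or by users with no CDE role.

    Returns a list of (finding, user, timestamp, detail) tuples; lines that
    do not parse are reported rather than silently skipped."""
    findings = []
    for line in log:
        m = LINE_RE.match(line)
        if m is None:
            findings.append(("unparseable", "", "", line))
            continue
        if not m["path"].startswith(CDE_PREFIX):
            continue  # not cardholder data; out of scope for this review
        user, ts = m["user"], m["ts"]
        term = terminations.get(user)
        if term is not None and parse_ts(ts) >= parse_ts(term):
            findings.append(("access_after_termination", user, ts, m["src"]))
        elif not (assignments.get(user, set()) & CDE_ROLES):
            findings.append(("no_cde_role", user, ts, m["path"]))
    return findings


if __name__ == "__main__":
    print("SoD conflicts:", find_sod_conflicts())
    print("Stale accounts:", find_stale_accounts("2015-07-21T00:00:00Z"))
    for f in review_cde_access():
        print("Finding:", *f)
```

Run against the constructed data, the review reports alice and erin as SoD conflicts, dave as a terminated user who still holds a role, dave's remote open of the card batch file after his termination time, and frank's open of the same file without a CDE role. In a real environment the three inputs would come from the identity provider, the HR leaver feed and the file-access audit trail, and the review would run on a schedule rather than once.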

Security systems and processes not tested frequently enough

Real-time visibility into your systems helps you see when something has been disrupted, but on its own it is not enough. Organisations need to continuously test and audit their systems (PCI DSS Requirement 11 covers regular testing of security systems and processes) to confirm that all processes are working correctly and that no malware, bugs or other vulnerabilities exist.
