While surfing LinkedIn recently, a user’s posted question caught my eye.
The user, a small merchant, asked whether his approach to PCI compliance was the most cost-effective way possible. As his business was recently classified as a Level 4 merchant, he said he needed only “focus on those areas where we may fall short.” He also said free or low-cost solutions might be the best option because while “not very user friendly,” they do “tick the right PCI boxes and get us PCI compliant.”
The poster then went through several security measures he was considering, including internal scanning and file-integrity monitoring. “Or am I just wasting my time?” he asked.
Well, no. Anything you do to make your business more secure is a good thing.
But, as another LinkedIn user correctly pointed out, the merchant was asking the wrong questions.
Instead of focusing on how (and how much it would cost) to better secure customer information, the merchant was laser-focused on simply becoming compliant.
This is the wrong approach, tactically and psychologically. The PCI Data Security Standard is a way to validate basic data security. It’s not the Yellow Brick Road to Oz. It’s only a tool—a pretty good one—to help minimize danger along the way.
Neither I nor the other LinkedIn user, I’m sure, believes this merchant doesn’t care about the security of his customers. But the things the poster, and any merchant, should be focusing on first are the steps to improve the overall safety of cardholder data.
Steps like:
- Using a compliant payment application. You can access these applications here.
- Securing transactions. All cardholder data must be encrypted during transmission.
- Conducting regular Web application and vulnerability scans. If you have externally-facing IP addresses, conduct regular scanning to identify critical vulnerabilities for remediation.
- Setting cardholder data storage policies. Merchants should not electronically store credit card data without a compelling business reason.
- Setting access policies. Employees who don’t need access to sensitive customer information should not be given access.
As for the LinkedIn question, the reader who responded to the merchant’s post had a particularly valid point: “If you are worried about the cost (to become) PCI DSS compliant, check on the alternative. Be non-compliant when your system is compromised, then you will be talking about real money and possibly your company will go out of business.”
I couldn’t have said it better myself.
‘Till Next Time,
Joan
The eSecurityDiva

I was wondering if you could shed a little light for me. I own a website design and development company. We own our own server and host our clients. We currently host about 120 web sites and possibly 30 of them have commerce. Is it true I must pay 5,000 to be compliant and have my system scanned, then 2500/yr? None of my commerce sites store credit cards.
Posted by: Brady | November 20, 2009 at 11:27 AM