The Silver Lining In Your Cloud TM

How to Stay PCI Compliant in a Non-Compliant World

PCI compliance is a huge issue for modern businesses. Being able to meet these compliance standards helps your business protect itself and its customers from attacks by cyber criminals looking to steal financial information.

In a perfect world, simply following the 12 major compliance standards would be all your business would need to do to achieve full compliance and avoid the risks of payment card data being stolen.

However, this isn’t a perfect world. As Target discovered back in 2013, it’s a non-compliant world, and an outside vendor could expose your business to attack. As noted by a Bloomberg article about the hack, hackers may have “used credentials of an HVAC vendor to get into Target’s network, spending weeks on reconnaissance to install a pair of malware programs.”

Staying PCI Compliant in a Non-Compliant World

Unfortunately, your business can’t control every aspect of security in the businesses that partner with you. However, you can take some measures to protect your business against vulnerabilities caused by non-compliant partners.

Reviewing Partner Cyber Security Measures

First, and foremost, vet potential business partners thoroughly. When sharing access to sensitive corporate records and systems, be sure to conduct a thorough review of your prospective partner’s cyber security setup beforehand.

Here, having access to a third party to conduct an autonomous review and penetration test is helpful.

If significant security holes are found, make sure they’re fixed before giving the other company access to your own systems.

Closely Manage User Accounts and Access Privileges

Defunct user accounts are a prime opportunity for hackers to breach your systems. Old, unused accounts could be hijacked and used as a convenient way to access sensitive data—or may even be used maliciously by an ex-partner/employee.

When a business relationship is terminated and the other party no longer has any reason to access your systems, revoke their access privileges and/or delete the user account as soon as possible. This closes the door to a potential attack later.

Also, periodically review your list of user accounts on your system for signs of defunct or unused accounts. Doing so can help protect your business against attempts to establish dummy accounts that could be used as a backdoor into your systems.

Keep an Eye Out for Unusual Activity

A large part of any intrusion detection/prevention system (IDS/IPS) is to establish a baseline for normal activity. While IDS and IPS automates the monitoring process somewhat, it’s still important for your business’ IT team to keep an eye out for signs of unusual activity.

What kinds of activity? Examples include:

  • Movement of data from a secure virtual machine (VM) or server to a less secure one;
  • Attempts to access mass amounts of financial data/records;
  • Abnormally high number of failed login attempts across several user accounts; and
  • Traffic coming in from a completely new IP source;

Just to name a few possibilities.

With an appropriate IDS/IPS solution, your IT team should receive an automated notice of an unusual access attempt, helping to minimize the time needed to respond. Making sure that there’s always someone on task to watch out for such an alert is critical for ensuring fast breach response and remediation.

The longer it takes you to respond to a breach, the greater the damage a hacker could do.

Do More Than the Bare Minimum for Security On Your Network

With the sheer number of data breaches happening each year, it’s more important than ever to do everything you can to keep your network safe from a breach. Just using the bare minimum security outlined in the PCI compliance standard isn’t enough.

It’s a good start, but compliance alone isn’t enough.

Simply going with the bare minimum of security in a world where hackers are continuously evolving new attack tools and strategies is like trying to stop a modern military with brick castle walls—modern tools and techniques can penetrate the defenses like they’re not even there.

To protect your data from a determined, well-equipped attacker, you need top of the line, industry-leading defensive tools. The more layers of security you add, and the better the tools, the safer your most sensitive data will be.

Maintaining a business platform that ensures industry-leading security can be difficult. Unless, that is, you partner with a cloud service provider, such as that specializes in secure, PCI-compliant infrastructure designed to provide powerful protection for sensitive business data.