Congratulations! You took the time to become PCI (Payment Card Industry Data Security Standard) compliant by accurately filling out your Self-Assessment Questionnaire (SAQ) and passing all the requirements; remediating your location until you internal and external vulnerability scans passed; and training your employees. Your location is secure now, right? Well, in all honesty, the answer is a resounding maybe.
You must understand that PCI is a good compliance standard, but it is no guarantee that you are actually secure. The PCI standard came about so that merchants who took credit cards would understand and comply with the minimum level of security that the credit card companies demanded to protect their credit cards. While PCI can be daunting, especially if you try to do everything on your own without professional guidance, it is only the minimum precaution you should take when trying to keep your environment safe.
To complicate matters even more, computer hackers do not stand still. They are constantly inventing new ways to break into systems, and protections that were adequate yesterday will no longer keep them out once they develop these new techniques. If you really want to stay secure in the long run, you must constantly have a process to identify new risks to your stores and react to them.
You are probably thinking to yourself, “But I’m not a security expert. How could I possibly find these risks.” You are right, and this can be a challenge. For small merchants in particular without formal training in risk assessment, the task is daunting, so taking a step back might help.
For most brick and mortar locations there are usually 3 primary risks (if your particular location has more complicated data storage, or if sensitive data is moved off-site, then you will have more than these 3). In no particular order, you should be concerned about external hackers and threats; internal issues and malicious employees; and physical theft. For each of these, you must identify your risk; determine what would be affected if you were compromised; protect your assets; and figure out how to mitigate the risk.
The PCI Security Standards Council has released a document to help you understand this process, but it was really designed for large environments with a qualified IT staff. Like many things in PCI, it is sometimes a best practice to admit that you need help and to ask a professional for guidance. It is better to get the help before you are affected than to be surprised later.
Bradley K. Cyprus has more than 20 years experience in the security industry. He manages the development of in-house solutions to validate compliance, and he is a resource that Vendor Safe customers can rely upon to help interpret the PCI standard.