By Bob Russo, GM, PCI Security Standards Council
With the latest attacks at some of the nation's largest retailers, the pressure's on for all businesses to demonstrate they're doing whatever it takes to keep their customers' confidential information safe and out of the hands of the bad guys. With headlines changing every day on what actually happened and how, many are unsure of where to begin making changes to protect their own businesses.
The truth is, many of the most effective measures for securing confidential information are also the simplest. While attacks have grown incrementally more sophisticated, they can often still be detected and stopped before the damage is done.
Don't try to reinvent the wheel; look for the simplest remedy to achieve your goal.
The PCI Security Standards Council recently put together a quick list of 10 simple steps that will greatly reduce the likelihood of a data breach.
1. Education can help your employees recognize both online and physical security threats, as well as learn best practices for protecting cardholder data.
2. Update employee manuals with the current best practices on handling card data.
3. Pre-employment screening can dramatically reduce the risk of insider threats.
4. Protect your point-of-sale systems from tampering, segment these systems from the rest of your network and use antimalware software to further reduce your risk.
5. Pay attention to fraud prevention alerts from law enforcement agencies, payment card companies and your virus and malware services.
6. Tightly control your organization's downloads, software installations, use of thumb drives and public Wi-Fi connections on computers used for payment card processing or handling other sensitive information.
7. Separate computers used for processing all your online financial transactions from other networks.
8. Change your passwords regularly – default and easily cracked passwords are still a common source of many data breaches.
9. Make sure you regularly back up your computers and the key data you want to protect.
10. Talk to peers, get involved in industry security groups and find resources that will help you as you continue your security journey.
Remember, there is no silver bullet to proper data security, but these simple steps, when used in combination with the PCI Data Security Standards, can form security best practices that address the people and processes in your company on a daily basis. "Think security" and your organization will follow.
Bob Russo, GM of the PCI Security Standards Council, works with representatives from American Express, Discover, JCB International, MasterCard and Visa to drive awareness and adoption of the PCI Data Security Standard. He is responsible for driving the organization's growth and development, as well as meeting its goals to create educational programs, establish pools of certified Qualified Security Assessors (QSAs), Internal Security Assessors (ISAs), PCI Forensic Investigators (PFIs), Approved Scanning Vendors (ASVs), and incorporate feedback from all stakeholders across the payment chain into the work of the Council and the development of new standards. In addition, Russo oversees the PCI Security Standards Council's training, testing and certification programs for QSAs, ISAs, PFIs, and ASVs.