EMV and chip and pin are the big stories now. But a recent set of guidelines from the PCI Security Standards Council serves as a reminder that planning and prevention can trump technology – and that complacency can be a real threat to payments security.
The world was awash in EMV news this week. And as all eyes were, and are, on the United States amid its transition to chip and pin, there were a few quieter security-related developments that give some food for thought as to why technology is not enough in the ever-widening battle against payments fraud.
The PCI Security Standards Council held its annual North America Community meeting this past week in Vancouver. The agenda, as you might guess, centered on security: what works, what doesn’t and what companies should do in their own internal practices.
(Interestingly, and not quite as a side note, the body’s forensic investigators were on hand to discuss the Verizon Data Breach Investigation Report, just in time for news of a hacker grabbing millions of T-Mobile records.)
One document that came out of the gathering: an official guide for best practices, titled “Responding to a Data Breach: A How-to Guide for Incident Management.” The document is essentially a step-by-step dictum, from detection to prevention. And it’s somewhat reminiscent, complete with graphics, of those “stop, drop and roll” posters that lined school classroom walls or Heimlich maneuver laminates at restaurants. Responding to a data breach is a bit like responding to a sudden blaze – one that can leave the building standing but that can reduce corporate data and reputation to cinders. This is a world where the average total cost of a data breach can top $3.8 million, notes the PCI guide.
The overarching theme: “Preparing for the worst is the best defense.” That’s a simple statement that works across all response plans and across all organizations large and small. For payments security, that means being mindful of PCI DSS Requirement 12.10 which mandates fully formed plans that get put to the test annually, with revamps as needed.
Simple stuff, maybe, but crucial, and perhaps nowhere more so than in the United States, where EMV is by all accounts (and by judging from history seen in other countries) going to give rise to any number of other cyberthievery ploys aimed at gleaning sensitive consumer data – most immediately through CNP fraud.
In the event of a detected breach, PCI says, twin efforts of preserving data and evidence (the kind that a Payment Card Industry Forensic Investigator, or PFI, would use) are crucial. Tech administrators should not simply power off systems completely, but should know instead how to isolate network areas. Those same tech professionals should take pains not to access or alter systems that have been compromised.
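The PCI guide states the principle (preserve evidence, isolate rather than power off, do not touch compromised systems) without prescribing tooling. The following is an added example, not from the PCI document, of one concrete way a technical team can support the "preserve evidence" step: hash every collected artefact into a chain-of-custody manifest, mark the copies read-only, and re-verify them before they are handed to a PFI. The directory layout, the collector name and the two sample artefacts are constructed for the demonstration.

```python
"""Evidence-preservation manifest (added example, not part of the PCI guide):
hash collected artefacts, record who collected them and when, and re-verify
later that nothing was altered. Paths and sample files are constructed here."""
import hashlib
import json
import os
import stat
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16


def sha256_file(path):
    """Stream a file through SHA-256 so large captures need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir, collector):
    """Hash every file under evidence_dir, make each copy read-only, and return
    the manifest dict that accompanies the copies to the investigator."""
    entries = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            digest = sha256_file(path)
            # Drop the write bits so a later slip cannot silently alter the copy.
            os.chmod(path, stat.S_IREAD | stat.S_IRGRP | stat.S_IROTH)
            entries.append({
                "path": os.path.relpath(path, evidence_dir),
                "sha256": digest,
                "size": os.path.getsize(path),
            })
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collected_by": collector,
        "entries": entries,
    }


def verify_manifest(evidence_dir, manifest):
    """Re-hash the files and return the relative paths whose digest no longer
    matches (or that are missing); an empty list means the evidence is intact."""
    changed = []
    for entry in manifest["entries"]:
        path = os.path.join(evidence_dir, entry["path"])
        if not os.path.exists(path) or sha256_file(path) != entry["sha256"]:
            changed.append(entry["path"])
    return changed


def demo():
    """Constructed scenario: two captured artefacts, one later edited by mistake.
    Returns (changed_before_edit, changed_after_edit)."""
    evidence_dir = tempfile.mkdtemp(prefix="evidence_")
    # Constructed stand-ins for an exported terminal log and a firewall config copy.
    with open(os.path.join(evidence_dir, "pos-terminal.log"), "w") as f:
        f.write("2015-09-30T11:02:17Z pos01 outbound connection to unknown host\n")
    with open(os.path.join(evidence_dir, "firewall.conf"), "w") as f:
        f.write("segment pos-lan isolated=true\n")

    manifest = build_manifest(evidence_dir, collector="on-call-admin")
    # Keep the manifest beside, not inside, the evidence tree it describes.
    with open(evidence_dir + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2)
    changed_before = verify_manifest(evidence_dir, manifest)

    # Simulate someone "tidying" an artefact after collection.
    tampered = os.path.join(evidence_dir, "pos-terminal.log")
    os.chmod(tampered, stat.S_IREAD | stat.S_IWRITE)
    with open(tampered, "a") as f:
        f.write("cleaned up\n")
    changed_after = verify_manifest(evidence_dir, manifest)
    return changed_before, changed_after


if __name__ == "__main__":
    print(demo())
```

The manifest is written next to the evidence tree rather than inside it so that it never ends up hashing itself, and verification is a pure re-hash, so it can be rerun at every hand-off without altering the copies.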
Beyond the technology controls, PCI recommends that an organization be proactive outside its own borders. In a nutshell that means communication – immediate information conveyed to business partners across payment card brands, acquirers and also hosting services. Fraud, after all, tends to have a ripple effect.
These may be general precautionary measures, and some may even scoff at the “obvious” nature of the steps recommended – but then again, where theory meets reality there may be a wide gap, as so many data breaches have shown.
The PCI guidelines may get lost in the shuffle amid an industry shift like EMV, but the evidence still shows security is only as effective as the people behind the technology – and their preparedness.