Saturday, October 01, 2011

How does PCI-DSS Compliance affect your on-line efforts?

Pre-Internet, when you thought of a store being robbed you pictured the masked bandit with a gun standing in front of the cashier demanding the drawer, or maybe the more optimistic view of a shoplifter, or a shady employee dropping merchandise out the back door. My, how times have changed.

Enter today's modern cyber-thieves: they operate in stealth from behind the anonymous veil of their computer screen. No longer the masked bandit with a gun and a bad upbringing, now it could be a bored teen with a new hacking script, a grandmother who learned a trick from the kids to get a discount on an order form, or the 35-year-old laid-off white-collar developer who found out he could sell credit-card numbers, or even just sales leads, over his IRC account. Add to them the countless other cyber-thief profiles.

They attack companies small and large, municipalities, churches, etc., looking for any identity information, credit-card information, and other related information that may get them into additional resources holding data they can use.

In 2009 one of the victims of cybercrime, the Catholic Diocese in Des Moines, Iowa, lost about $680,000. The church is puzzled as to how the cyber criminals got into the church accounts, but the thieves "took all they could" before bank officials realized what had transpired in just two days.

“No one country, no one company, and no one agency can stop cybercrime,” said FBI Director Robert S. Mueller III, in an agency statement. “The only way to do that is by standing together. For ultimately, we all face the same threat. Together, the FBI and its international partners can and will find better ways to safeguard our systems, minimize these attacks, and stop those who would do us harm.” So how does the small on-line merchant help with this effort? Enter PCI Compliance.

According to Verizon Business and the U.S. Secret Service, payment card data theft makes up more than half of all data breaches investigated and has hit organizations of all sizes: from mom-and-pop on-line shops, where there is rarely an IT budget for security (what better target could there be?), to large corporations that process billions of dollars in on-line credit-card sales.

One source that merchants can use as a guide is the Payment Card Industry Data Security Standard (PCI), which is the minimum security the credit card brands expect from a merchant who accepts credit cards. The current standard can be found at https://www.pcisecuritystandards.org/.

In PCI, a merchant can find several security measures designed to deter hackers from attempting to steal their credit card data. Even if a mom-and-pop restaurant cannot meet all PCI standards, it would be better to implement the security measures that are practical today than to ignore the problem altogether.

PCI DSS is the core standard for merchants and processors. It addresses the security technology controls and processes for protecting cardholder data. If your organization accepts even one card for payment on-line, you must comply with PCI DSS. Validation of compliance is done annually by an external Qualified Security Assessor (QSA) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

Although PCI DSS requirements must be implemented by all entities that process, store or transmit account data, formal validation of PCI DSS compliance is not mandatory for all entities. Currently both Visa and Mastercard require merchants and service providers to be validated according to the PCI DSS.

The six Control Objectives:
Build and Maintain a Secure Network
  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  • Use and regularly update anti-virus software on all systems commonly affected by malware
  • Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
Maintain an Information Security Policy
  • Maintain a policy that addresses information security

PCI Compliance Help for Small Businesses with a Limited IT Security Budget
In order to find out if your business is PCI compliant, the first and most crucial step is to complete a PCI Self-Assessment Questionnaire. By following this process, you will determine whether your business is compliant. If not, there are established steps you can take to achieve compliance. Please feel free to contact me if you need information or help with the PCI Self-Assessment Questionnaire.

Wiredwizrd

Morgan Todd Lewistown, PA

Experienced Information Technology Manager with a strong knowledge of technical guidance, IT best practices, security protocols, team leadership, and analyzing business requirements.