For merchants, there is an all-too-common tendency to “fire and forget” when using security tools. Sure, you may have just completed your most recent PCI DSS (Payment Card Industry Data Security Standard) assessment, installed new antivirus software or added EMV, but you’re far from bulletproof. While each of these steps can offer fortification to your business’ overall security posture, it’s a mistake to think that security is something that can be achieved with any single validation, update, implementation or a new process. As I’ve often said, there is simply no silver bullet when it comes to security.
The concept of 100 percent complete security is a myth. Any time I see somebody publicize that their system is completely unhackable, all I hear is “I dare you to prove me wrong.” When you make statements like that, you are inviting an Ocean’s Eleven-style heist on the proverbial 5-pound diamond of card data that you’ve locked away in your virtual vault.
Imagine this: Instead of keeping the 5-pound diamond behind your so-called impenetrable fortress, what if you were to replace it with a 5-pound sack of potatoes? That way, if Ocean’s gang burgles its way into your data vault, all they end up walking away with is a bag of hash browns (that they will have to split 11 ways). That is what Shift4 does. In addition to EMV, we encrypt and tokenize card data so that what’s left in the merchant’s payment system is of little to no use to hackers – and certainly not worth the trouble of breaking in to steal it.
EMV is a step in the right direction and has its merit, but it is nowhere near the end-all be-all security savior that it has been described to be. In fact, it is more of a card-authorization tool than an actual card-data security tool. Be wary of those who oversell EMV beyond what it is actually capable of.
As 2016 begins, we encourage you to consider three ways that you can reduce your risk and better secure consumers’ payment card data:
1. Vet the tools and operations throughout your entire environment often.
You can implement as many security tools as you like, but they won’t do you much good unless they are quality solutions that are chosen carefully, installed properly, and evaluated frequently. You need to get into the habit of regularly monitoring the solutions and operations within your own environment to ensure that they are as secure as possible and PCI compliant. One forgotten server, poorly secured entry point, or weak password can be all hackers need to wiggle their way in and help themselves to a buffet of all-you-can-steal card data before you even know it happened. Be sure that the individual(s) you are relying on to maintain the integrity of your operating environment has the ability and clearance to make informed decisions.
3. Consult the PA-DSS implementation guides to ensure that all tools are being implemented and used according to PCI guidelines.
When you install new solutions or update existing ones, make sure that the prerequisites are understood and applied according to the PA-DSS (Payment Application Data Security Standard) implementation guides. You should treat these implementation guides as the “PCI gospel” as they provide detailed information about how your business can implement a payment application securely and accurately, as well as your responsibilities for maintaining security in order to be PCI compliant with a particular security technology.
As explained in the PCI DSS, securely implementing payment applications is a key way for merchants to ensure that they have a compliant environment:
“Use of a PA-DSS compliant application by itself does not make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment and according to the PA-DSS Implementation Guide provided by the payment application vendor (per PA-DSS Requirement 13.1).”
These implementation guidelines are an essential part of your PCI DSS compliance. And, although we recommend taking further steps to maintain an environment that provides security above and beyond compliance standards, being compliant is the minimum standard to meet prior to exceeding it.
It should be your goal to continue to make it harder for thieves to steal CHD. But like most things these days, you need to routinely check in to ensure that all is still well with the world as it relates to your payments. The fortification that works perfectly today may develop a chink in its armor as time goes on if you are not performing regular checks on your environment. With today’s hackers being organized and funded by nation-states, false nation-states and terrorist organizations, maintaining the security of your payment processing environment isn’t just harder – it’s more important than ever before.
Remember, rather than an achievable end goal to meet, think of security as a constantly moving target. You need to be vigilant and rely on payment solution providers who are ever-vigilant, too.
About the author:
J.D. Oder II serves as Shift4’s Senior Vice President of Research and Development and Chief Technology Officer. J.D. is a Certified Network Engineer with more than 15 years of experience. He leads Shift4’s systems operations and development efforts as well as the security and compliance teams. J.D. is the architect of the DOLLARS ON THE NET® payment gateway solution. He was also an early adopter/member of the PCI Security Standards Council.
