By now, most of us have heard the terms PCI compliance, PCI DSS, or Payment Card Industry Data Security Standard. If you need a refresher before we dive in, review some quick PCI DSS facts. These terms have been flying around for quite some time, and merchants have been complying, or attempting to comply, for years. If merchants are complying, that raises the question: why do we still see data breaches? The PCI standard was created to set a baseline of security controls to protect cardholder data, and it does just that. The standard is a good baseline for a security posture, but security by no means ends with a completed PCI self-assessment questionnaire (SAQ).
With the development of new payment technologies, such as more advanced point-of-sale (POS) terminals that encrypt or tokenize card data before it ever touches the merchant's network, we see the overall scope of PCI compliance shrinking. Less cardholder data in scope means less PCI risk. However, this line of thinking is misleading if it stops there, because it can give the merchant a false sense of security: the rest of the network, and the business that runs on it, is still a target.
Stepping Outside of PCI Compliance
Installing a new POS terminal does not make the merchant, their data, or their customers' data secure. An upgraded POS terminal lets the merchant leverage new technologies to reduce their PCI scope, nothing more. I was told years ago by a well-known ethical hacker, "if I want to get into your system, I will…it's just a matter of time." Those words always stuck with me. I have used them in countless meetings with clients, and they still hold true today. Attackers are usually lazy, and they use the easiest point of entry to steal data. The merchant's job is to make that point of entry, typically a network with one or more POS terminals, as difficult as possible to break through. As their MSP, your job is to offer them options to secure those entry points. It is also important that merchants have safeguards in place for when a data breach does occur, not just to prevent one.
Managing PCI DSS compliance for multi-location merchant businesses is particularly challenging, because network connectivity, security, and compliance are all interconnected. Streamlining compliance management also helps improve your merchant clients' overall security posture while delivering better network performance. So, you might be asking, what should I encourage my merchant clients to do outside of PCI compliance? Below are several steps you can take as a starting point, a "start somewhere" approach.
- SIEM - SIEM (Security Information and Event Management) is a useful tool that helps merchants not only protect their entry points against a breach, but also achieve PCI compliance by centralizing log data, correlating events across systems, and detecting threats (PCI DSS itself requires logging and daily log review). Netsurion and Continuum have partnered to offer Detect and Respond - Network and Compliance, a SIEM specifically designed for MSPs, so you can deliver the results small- and medium-sized businesses (SMBs) need in a practical, cost-effective model.
- EDR - EDR (Endpoint Detection and Response) protects endpoints such as servers and workstations from zero-day attacks and polymorphic malware that signature-based antivirus misses. Endpoints are challenging to protect and represent a soft target for attackers. EDR, coupled with SIEM, is a significant leap forward in cybersecurity effectiveness: EDR sees what happens on the host, and the SIEM puts it in the context of the rest of the network.
- Redundancy Plan - Encourage your merchant clients to put a redundancy plan in place. This plan covers outages and keeps their business running if and when connectivity is lost. When the power goes out or a POS terminal goes down, panic usually ensues. When people panic, they are more likely to make off-the-cuff changes, such as opening a firewall rule or bypassing a control "just for now," that leave the environment open to attackers.
- Backup and Disaster Recovery - Also encourage your merchant clients to create a backup and recovery plan. Malware and ransomware attacks occur daily. Unfortunately, merchants can end up paying the ransom because they have no backup plan in place, or no recent backup of their data. A backup is only useful if it is kept where ransomware on the network cannot encrypt or delete it, and if restoring from it has actually been tested.
- Suspected Breach Action Plan - Merchants should plan and prepare for the worst. They should have a plan in place in the event of a breach or a suspected breach (PCI DSS requires an incident response plan as well). Encourage your clients to read up on their state data breach notification laws, offer to be their trusted advisor in the event of a breach, or introduce them to a security consultant who specializes in breach response. Having a response plan will give you and your client a sense of direction. The last thing you want to do is run around pulling wires and unplugging their network to try to stop another breach attempt; that kind of improvised reaction also destroys the evidence needed to understand what happened.
Protect Your Clients' Businesses and Your Own
Remember the advice from an ethical hacker: "They will get in, it's just a matter of time." As a merchant's MSP, it is important to help them make it as difficult as possible for attackers to access their systems, their data, and their customers' data. With 60% of SMBs reportedly closing their doors after just one data breach, protecting your clients protects your business as well. Want to take a deeper dive into what PCI compliance entails? Check out our solution brief.
By Lily Teplow
By Brian Downey
By Dave LeClair