PCI is a strong security Framework. If you are a business owner, you have probably heard about the PCI DSS (Payment Card Industry Data Security Standard). All organizations that store, process, or transmit payment card transactions must adhere to these requirements, and they must formally attest to their PCI DSS Compliance annually. PCI DSS compliance requirements are strict- and for a good reason. Hacking and cardholder theft affects millions of consumers each year. Your organization needs to attain compliance quickly and easily, and integrate PCI best practices into your daily processes - This is referred to as a Business as Usual (BAU) approach to a security program.
Whether or not your core business revolves around payment card transactions, PCI DSS can be a great place to start with a comprehensive and robust security program for your business and your customers.
PCI DSS is developed and maintained by the PCI Security Standards Council (PCI SSC) to provide a set of requirements for the prevention, detection, and reaction to cardholder data security breaches. These standards are designed to protect merchants and their customers from breaches that could negatively affect their business, finances, and reputation. If you are a merchant who accepts credit card payments, you are responsible for securely storing, processing, and transmitting cardholder data. Even if you are NOT an online merchant, you certainly have customer data that you are responsible for protecting.
PCI DSS compliance requirements are “strong security” which is a critical part of running a successful business, though often overlooked by small and medium-sized companies. Operating in a PCI compliant manner is good business, and your customers will respect and appreciate your strong security governance posture which will in turn drive more business. You should secure others’ payment information as you would your own. Protect your customer's information with the same rigor you would use to protect yourself. The PCI Data Security Standard can help you do just that, whether payment tractions are a core of your business model or not.
To be PCI compliant, your business needs to implement and maintain a series of requirements that secure payment transactions and information. The number of transactions you complete each year determines the level of validation effort that you must perform annually. It’s a little complicated, but there are four levels of PCI DSS validation. In general, merchants fall into the following categories based on the number of transactions they process annually.
- Level 1: Over 6 million card transactions per year
- Level 2: Between 1-6 million card transactions per year
- Level 3: Between 20,000 to 1 million card transactions per year
- Level 4: Fewer than 20,000 card transactions per year
The amount of effort that you are required to put into validating compliance every year, and the specific processes that you need to follow depend on the level you fall into above.
There are a lot of complex technical requirements that must be met to secure card data such as router configurations, database configurations, encryption keys, access controls, and intensive file monitoring. Truvantis is a Qualified Security Assessor Company (QSA Company), which means we are one of only a few hundred consultants in the country that are certified to perform PCI DSS assessments. We have a team of highly-seasoned security professionals who can help you find the easy path to security governance and compliance. PCI DSS compliance may seem overwhelming. If your head is spinning right now, then there is just one thing you need to know to simplify the entire PCI process: Get a Qualified Security Assessor Company (QSAs) to help you establish and maintain your security compliance program.
Here are some of the things your business must do to become and maintain PCI DSS compliance - but there are hundreds:
- Create a security policy for your business that addresses all aspects of the PCI DSS
- Only allow employees with a business need to have access to credit card numbers
- Never share user IDs and passwords or use of group user accounts
- Use strong passwords (at least 7+ alphanumeric characters) for all system access
- Immediately disable access for all terminated employees
- Secure and regularly examine all Point of Sale (POS) swipe devices for signs of tampering
- Secure all your business computers by installing and activating personal firewalls and anti-virus/anti-malware software and disabling all generic or default user accounts and passwords
- Never store the CID/CVV2 card security code in any format, in any way, ever (the three-digit number on the back of Visa/MasterCard/Discover cards, or the four-digit number on the front of American Express cards)
- Never store the magnetic track data from any card, in any format, in any way, ever
- Encrypt ANY electronic storage of full credit and debit card numbers
- Keep any paper documents containing a full credit card number in a secure location (locked file drawer/safe) when not in use
How to integrate PCI DSS compliance into your daily processes (BAU)
Making PCI DSS and security compliance requirements a core part of your business process will make your customers more aware of issues surrounding security. You can let customers know you are serious about your PCI DSS Compliance requirements by:
- Making sure you only collect credit card information on a secure webpage. Look for the lock icon and the “HTTPS” in the browser bar.
- Always asking for the CVV security code when processing a telephone or online payment. Your payment processing method should never store this information. By asking for this code each time, you are confirming that the person authorizing the transaction has the card in hand.
- Telling your customers that they should never send credit card or bank account numbers via regular email. You can remind them by always including a security notice in the footer of your emails that the communication is not secure and to not reply with account numbers or other sensitive personal information.
The steps above are some of the ways to ensure that your processes are PCI DSS compliant. Customers can rest assured that you are doing everything possible to protect the credit card and other personal information they entrust to you.
A brilliant (and cost-effective) way to rapidly achieve, maintain, advertise, demonstrate, and benefit from strong security governance and compliance is by utilizing a vCISO or CISO as a Service. Rather than hiring a full in-house security team which is difficult to find and expensive, Truvantis can provide the best experts, at a fraction of the cost, when and where you need them.
What is a vCISO or CISO as a Service?
All organizations need experienced security leaders to drive critical initiatives and align resources to address pressing business needs. Unfortunately, proven CISOs (Chief Information Security Officers) are both rare and highly sought, making hiring and retaining a quality, full-time CISO a daunting (and expensive) challenge.
For organizations struggling with the realities of cost, a limited local talent pool, and the need for broad-level expertise, CISO as a Service is a practical solution to achieve short- and long-term objectives.
CISO as a Service, sometimes called vCISO (virtual Chief Information Security Officer), is an alternative security program and leadership strategy that leverages a flexible, rapidly scalable resourcing model to provide near-instant maturity and credibility to your security governance and compliance program.
Truvantis’ vCISO program embeds seasoned cybersecurity consultants within the environment to help lead initiatives and assist with program development, maturation, and management.
Our security business leaders apply expertise wherever it is needed. We leverage combined experience to deliver key security program competencies and help achieve your specific organizational goals. We can manage cybersecurity risk, lead incident response efforts, identify exposures, and prioritize activities to continually optimize the security program and align it with business needs. Our virtual security officers manage and mature security programs.
These can be:
- Program development and management
- Board-level coalition building
- Policy and standards development
- Security awareness
- Security controls
- Security metrics
CISO as a Service Cost
A key benefit of the vCISO approach is that you only pay for the security leadership and projects that you need. The service scales up or down to meet the scope and pace necessary to achieve your unique security requirements and goals. A smart value play--it puts a virtual information security officer in place, driving improvements to security posture and having them at-the-ready should an urgent need arise. CISO as a Service gives you the expertise and leadership of a high-caliber CISO at a fraction of direct-hire cost.
When to engage a vCISO?
As increasing threats, more sophisticated cyber-attacks, new compliance, and legal requirements, and demands on security governance continue to grow, the time for security leadership being an afterthought of responsibility and not someone’s clear priority has passed. Today there’s just too much at stake from business continuity and brand reputation perspective to not have someone experienced driving efforts to minimize risk and prevent potential damage.
Most often, the decision to hire a vCISO usually follows a compelling, usually challenging event. Some change in the environment makes the need quite clear. Additionally, your customers are becoming more and more demanding about your security practice and posture. This usually comes in the form of security and compliance due diligence questionnaires that your sales teams are always complaining about. It is just a fact these days that better security equals more business. At Truvantis we specialize in providing the best possible cybersecurity leadership in a pay as you go format.
We will work as a team with a vCISO client manager to provide cybersecurity leadership and program management directly to our clients:
- Providing advice and guidance to clients on a wide range of cybersecurity topics
- Writing policy and governance documents to build up your cybersecurity program
- Performing qualitative Security Risk Assessments so you can understand where to make smart investments in your cybersecurity resource allocation
- Leading internal audits to ensure your environment stays secure all year round
- Planning and running training exercises to help your employees practice how they will respond to a cybersecurity incident
- Responding to security questionnaires from your customers so you can grow your businesses
- Assisting with evidence collection to help you prepare for external compliance audits
- Advocating and attesting on your behalf to show your customers (and regulators) that you embrace strong security and that you mean business
Use cases for engaging a vCISO:
I will bet that you’re seeing more and more security questionnaires from your customers and prospects. As a trend, security due diligence has become the standard operating procedure. Not only are a growing percentage of organizations mandating security questionnaires as part of their vendor risk management (VRM), but also the length and complexity of the questionnaires keep growing so they take longer for you to complete. Deals and contracts depend on these questionnaires being completed and returned, and a vCISO could be the right solution here. Not to mention a CISO as a service will help you address the security gaps that may be giving your customers second thoughts.
With new regulations like CCPA, CPRA and GDPR increased security governance maturity is a requirement. Being able to prove you’re secure and compliant is part of today’s business paradigm. There is just no getting around it. When you need to quickly determine the best course of action and start moving forward with improved controls and capabilities across systems and data, you need expert advice you can trust. Leveraging a vCISO as an extension of your team could be the ideal way to develop and drive business-critical programs, show progress where it counts most and keeps you out of trouble with regulators, clients, and your board.
Maybe you’ve just suffered a breach or other information security incident. You quickly need to make sure your environment is safe, analyze the attack, address stakeholder concerns, rebuild your data, and remediate your biggest gaps. If you don’t have adequate expertise and bandwidth in-house to take all that on in a hurry, a virtual CISO can be on the job right away. The Truvantis team has the knowledge and experience to guide your business through the aftermath with confidence.
If any of these scenarios above sound familiar, contact Truvantis. You might be surprised how quickly a vCISO service can turn things around, build momentum, and improve your security posture in both the short- and long-term.