Watch to learn tips and tricks to help businesses best meet PCI DSS requirements in a fast, easy, and accurate way.
Sam Strong, Product Manager
“Let’s address the elephant in the room: when we talk about PCI, the first thought is that it’s complicated, hard, and elusive,” Sam explains to attendees.
But understanding the inherent risks in everyday activities, and the actions we take to mitigate those risks, can help us accept that there are good reasons for compliance. You want your customer to be able to get in, spend money, and get out with as little trouble as possible. That is where data security and compliance come in. Once you understand that the requirements were created to help protect you, they stop feeling like a hassle.
Once you understand the importance and purpose of compliance, you can see the requirements for what they are: actions that mitigate risk and prevent worst-case scenarios. You will naturally appreciate that your solutions need to be powerful and effective. Sam goes on to illustrate how actively addressing risk becomes “easy breezy” once you gain a deeper understanding of why it matters. He also outlines a few tips and tricks to help businesses meet PCI DSS requirements in a fast, easy, and accurate way.
This webinar was hosted on September 24th, as part of SecurityMetrics Summit 2020.
Hi, and welcome to the SecurityMetrics Summit 2020. My name is Sam Strong, and I am a PCI product manager at SecurityMetrics. Today, I'm very excited to talk about simplifying your annual PCI validation, as well as addressing some security concerns.
You know, compliance can just be a checklist and a checkbox item, but really what it should be is the first steps towards addressing the gaps in your security for your business and building a powerful data security solution, not only for your own business, but for your customers and for your employees as well to protect their information.
The three primary topics I wanna address today are, first, reviewing the complexity of validation, you know, what makes it so complicated; how to simplify those requirements and make it as easy as possible; and achieving your security and risk goals for your business. So let's first address the elephant in the room. Whenever we talk about PCI, you know, the first thought is it's too hard and it's so complicated. And why? You know, why is it so complicated? Why is it such an elusive process?
Before I jump into that, I wanted to stress the importance of PCI and what it means for you. You know, there are a lot of inherent risks in a lot of the things that we do in our lives. And an example I wanted to use is driving a car. So a car is an absolute convenience, and it's an amazing piece of machinery that we can use to get around quickly. We don't have to ride around on horses anymore or carriages. We can instead drive where we need to. We can go from point A to point B very quickly.
But there's a risk to operating a car on the road.
And there's certain things that we should do to mitigate that risk. You know, we should make sure our tires and our lights work. We should pass certain requirements, you know, safety and emissions tests. Cars need to be operated by a licensed operator who has taken tests and been approved to be able to operate it.
And in all these things, we kind of mitigate the risk of operating cars as much as possible, as well as, you know, traffic laws and these things. So these requirements, while they can sometimes be seen as a hindrance to our ability to drive cars, are really about addressing and mitigating the risk of driving a car, similar to a credit card. You know, a credit card is an absolute convenience in our lives. It's really easy to just swipe the card and we make the payment.
We can go on. And as a business owner, that's what you want. You want your customers to be able to come in, get their service or their product as quickly as possible, and give you the payment as quickly and as easily as possible as well. But just like a car on the road, there's inherent risks to processing, transmitting, storing, and accepting credit cards.
You know, there's a lot of data there that people wanna steal, they wanna take advantage of. And it's kind of our responsibility, just like it's your responsibility to make sure your car can be driven safely on the road, that your business can safely handle this information. And that's kind of where data security and compliance come in.
You know, once we recognize the importance of these things, they're not really seen as a hindrance, but as a necessity for our business, especially when we consider the alternative. You know, if we do experience a data breach or this information is stolen, that can be a business-ending event, and I'll cover that in a little bit as well. I'm not gonna do a deep dive into the actual requirements, or the actual PCI Data Security Standard, or this presentation would be much, much longer than it's going to be. However, I did wanna just quickly review some tips and tricks on how to simplify, and review also what the primary requirements are and why they are important. Why are they effective for data security and mitigating that risk?
So why comply? You know, once you understand the requirements, and I think it really comes down to understanding, you know, and knowledge. Once we understand the importance of it, it makes a lot more sense. You know, if you're not technically minded, a firewall doesn't really make too much sense. But once you begin to understand the importance of controlling traffic in and out of your business network and how easy it is for data to leave, you'll understand the importance of a firewall. So when you get to the first requirement in the PCI standards, where it's, you know, protect your systems with a firewall, you'll understand why you need that and why it needs to be powerful and why it needs to be more than just checking a box. It's critical to protecting this information and your customers' information as well.
And, really, once you start looking at PCI compliance through a security lens, meaning you understand what you're doing and why, you'll actually understand how it's protecting your business and customer information.
And it means addressing those risks I mentioned earlier. The change in perception really is one of the biggest steps to simplifying the PCI requirements and making it easier to meet those. A lot of merchants have the perception that they are too small to be targeted or that they should just be able to plug in the terminal and should be able to do everything and handle all of my security. But, unfortunately, that's just not the case. Many small businesses are targeted and experience data breaches every single day. And for many of them, these breaches are so severe that they need to close the business, which is never a good thing, and I'll review that later as well.
You know, the reason I keep coming back to this perception or this view of security, and why I keep harping on this instead of jumping into the requirements, is I feel that changing your perception of what PCI compliance is and understanding the importance of validating to it greatly helps simplify the process of becoming compliant. You don't see it as such a burden. You instead see it as, again, a necessity for your business and something that you want to achieve and maybe even go further. Like I said, compliance is just kind of the first step towards data security. And it's nice to check that box. But it's something that you need to be aware of if you want to accept and handle and transmit and store credit card details, any of those. Even if you're not storing, we need to meet that as well.
The other advantage to that is it boosts your customers' confidence in your business. You know, you can even put out a certificate on the wall or, however you wanna advertise on your website, that you're PCI compliant. It just gives that extra layer of legitimacy to the operations of your business, and it protects your clients. You know, they're not experiencing data breaches and being contacted by their payment brand like Visa and being asked why their card is experiencing these breaches.
So, again, once we understand the importance of PCI compliance and meeting these requirements, just as we understand the importance of meeting the requirements to drive on the road, what exactly can we do to make it as simple as possible, and how can we meet those requirements as well? And do it in a way that doesn't, you know, eat up all of our time. We still need to run a business. We still need to do these things to ensure our successful business dealings, but we do wanna spend some time ensuring that we can do that safely.
Well, I wanted to read a quote. You know, simplicity boils down to two steps, identify the essential and eliminate the rest. And this is very, very true for PCI compliance as well.
We wanna identify what is essential to protect our business and what is not. And what that's called is really identifying our scope, and I'll get into that in a minute. But my first kind of tip or trick or whatever you wanna call it to make PCI validation as simple as possible is just start writing things down. Start documenting, you know, how credit cards are actually handled at your business, even if it's as simple a process as, you know, they walk in and they hand you the card and you swipe it and that's it.
There's a lot of other things to consider. You know, do you have a website that accepts cards? Do you accept mail in payments? How do customers interact with making these payments? Do they hand the card to your employee? What does your employee do with the credit card after that?
Do you keep receipts? Are they printed? Are they emailed? How are those stored?
You know, do your employees have to log in to the computer to run payments?
How are their passwords managed? Do they all share a login? You know, just asking yourself these simple questions. You'd be surprised how many merchants don't really understand how their business is actually run from a credit card processing perspective. Just asking yourself these simple questions and writing down the answers goes a long way in addressing the PCI validation and requirements.
Tons of the PCI stuff is related to policies and procedures and having it written down. Just writing down these processes and getting the picture in your mind of what it looks like is a huge step towards achieving PCI compliance, and it's, you know, a simple exercise. You know, you just sit down, take ten minutes to write this out. An added bonus, of course, is not only understanding your business but maybe even addressing things you weren't aware of. You know, when you ask your employees how they handle the cards, you may be shocked at the answer. And just as easy as that, you can address some risk there.
Once you've taken the time to kind of document your business practices, you'll better understand what's in scope. And I said that before. In scope just basically means what is within your business that directly impacts or interacts with credit card information. So the terminal at the front is obviously something in scope, but you may have a computer in the back that, you know, is a laptop on a completely separate network.
And that may not necessarily be within the PCI scope because it does not deal with any credit card information at all. But it's really easy to look at things and say they may not be in scope, and that's why it's so important to determine your scope. But if you're able to reduce it as much as possible and kind of identify the pieces that deal with credit card information and eliminate the pieces that shouldn't ever touch information or shouldn't be involved with it at all, reducing that scope really reduces the cost, not only in time but in money as well, of becoming PCI compliant.
You won't waste time making sure all these other devices and items are compliant when they really don't need to be. And so that's another tip, if you wanna call it that, to making PCI compliance an easy process and simplifying it: identify your scope. You can look at what you wrote down, identify what's needed there, and try to eliminate the rest, just as the quote says.
I wanted to touch on network segmentation briefly. You know, speaking of removing things from your environment, removing things from your scope, one way to greatly simplify your PCI requirements is to do network segmentation. And what that means is just dividing a business network into smaller pieces. So say you have five computers and a payment terminal on one network, all sharing the same connection. That means all five computers are in that same environment.
So they're all part of the PCI scope. They're all related to your credit card processing. What you can do is take those five computers and segment them and split them onto their own network. And then that way, you've completely eliminated those five computers from your PCI scope and greatly simplified your validation.
I'm really simplifying things here, and I won't go into detail on how it's actually done. But it's something to consider when you're first beginning PCI validation: how do I segment a network?
And, you know, if you want more information on that and on segmentation and what that means for you, SecurityMetrics has tons of resources to do that and to identify those things.
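As an added illustration of the scoping rule Sam describes (this example is not part of the webinar or of SecurityMetrics' materials; the device names and segment names are made up), here is a small Python scope calculator showing the five computers dropping out of scope once the terminal sits on its own network:

```python
# Added example, not from the webinar. Models the "five computers and a
# payment terminal on one network" scenario. Rule taken from the talk:
# a device is in PCI scope if it handles card data itself, or if it
# shares a network segment with a device that does.
# Device and segment names below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    segment: str          # network the device is plugged into
    handles_cards: bool   # does it process, store or transmit card data?


def in_scope(devices):
    """Return the set of device names that fall inside the PCI scope."""
    # Segments containing at least one card-handling device form the CDE;
    # every device on such a segment is in scope.
    cde_segments = {d.segment for d in devices if d.handles_cards}
    return {d.name for d in devices if d.segment in cde_segments}


def segmentation_candidates(devices):
    """Devices that are in scope only because of a shared segment: the ones
    segmentation can remove from scope by moving them to their own network."""
    scoped = in_scope(devices)
    return {d.name for d in devices if d.name in scoped and not d.handles_cards}


# Before segmentation: terminal and PCs all share the "store" network.
FLAT = [Device("terminal", "store", True)] + [
    Device(f"pc{i}", "store", False) for i in range(1, 6)
]

# After segmentation: terminal alone on "payment", PCs moved to "office".
SEGMENTED = [Device("terminal", "payment", True)] + [
    Device(f"pc{i}", "office", False) for i in range(1, 6)
]

if __name__ == "__main__":
    print("flat network, in scope:     ", sorted(in_scope(FLAT)))
    print("move to their own network:  ", sorted(segmentation_candidates(FLAT)))
    print("segmented network, in scope:", sorted(in_scope(SEGMENTED)))
```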
Okay. So now that you've written things down, you've identified your scope, you've eliminated things that, you know, you don't really need to be in scope, and kind of narrowed it down to "here's the process that I want, and I've written it down." Another tip of what you need to do is train the staff on these things. You wanna make sure these policies are written down and disseminated to your employees. Meaning, you know, if you have a policy that credit card receipts, for example, should be shredded at the end of every day, you'll want to make sure that's written down as a policy and then train your employees on that so that they're shredding those receipts. And that's another way to really reduce the risk of handling the sensitive data. It meets PCI requirements, but also goes towards that security that I was talking about before and reducing that risk.
You know, every policy, no matter how small, kind of contributes to reducing that risk and mitigating that. Just as, you know, a car, you have all these different pieces to operate it. Your business will have all these different pieces and policies and procedures to address the overall goal of reducing risk for handling data.
Okay. Now we've written things down. We've identified our scope. We've removed or added things as needed. We've formalized the policies and procedures and trained our employees. You're gonna be well ahead of the curve. If you've done these steps even before you begin validation, or even during, you're well ahead of the curve in meeting all the PCI requirements and validating and becoming PCI compliant.
These steps will greatly simplify your validation, but it really never hurts to have an expert in your corner as well, someone to consult with even as you're doing these steps or, you know, as you're trying to comply.
And so for this reason, I highly suggest using a security professional or a compliance professional, such as SecurityMetrics.
This way, you'll have resources, you'll have help and guidance, as you progress and close those security gaps in your business. But, again, just following those simple steps will go a great way towards, you know, simplifying your compliance.
The last thing I wanna review is reducing risk and enhancing your security. I do hope some of what I've covered very quickly will help you understand the importance of compliance as well as how to simplify these processes. As I said before, PCI compliance is really just the first step towards data security.
And while, again, it's great to check that box, you really should be looking forward to the future. You should be, looking forward to once I become compliant, what are my next steps? How do I further reduce risk and enhance my security for my business? And I wanted to quickly just cover some of that. You know?
You've already got policies and procedures in place. You have PCI documentation on how things are handled. Your employees are trained and have expertise.
But there's other things that you need to do. You know? You need to keep your systems updated, like your antivirus, your operating systems, and these are in the PCI requirements as well. But these are ongoing things.
You'll wanna continually change passwords. You'll want to make sure you're only storing what's necessary. You don't wanna store a ton of data that you don't need. You wanna regularly test this and then consult with advisers.
If you have the resources and the time, that's a great next step to do as well. Once you've achieved compliance, it's just to, you know, have someone consult you on what the next step should be to really protect your business.
Like I said, you know, PCI compliance is the first step towards data security. And no matter how small you think your business is and how daunting this task might be, it is truly important, because a lot of small businesses are targeted. And it's really a move towards full data security, and that's something that we all want.
The other side of, you know, achieving security is also reducing the risk of fines, fees, lawsuits, just these unnecessary catastrophes that can, you know, mean the end of your business potentially. And I don't wanna fear-monger or anything like that. I just wanted to kind of review what the risks are. You know, forty-three percent of cyberattacks are aimed at small businesses. This was in a report last year. Forty-three percent of cyberattacks were at small businesses, and the average cost of a data breach is two hundred thousand dollars.
Of those breached, over sixty percent of these small businesses were actually closed within the year. So you kind of see why it's so critical to maintain these standards. A lot of these businesses that were breached and experienced this two hundred thousand dollar fine, or even more, or it could have been less, could have easily avoided it if they were PCI compliant. And it's really about building your defenses against these types of attacks. It's just an unfortunate reality. It's an inherent risk to accepting cards and to operating a business. But I hope what I've covered today will kind of help you realize the importance of it, but also just some small steps you can take to begin building that data security plan and meeting PCI validation at the same time.
And that's it. Thank you so much for joining me for this presentation. I know this information was very quickly covered and kinda went over some basics, but I hope it was useful. And if you have any questions, feel free to reach out to SecurityMetrics, to myself, or to our fantastic sales team. And I really hope you enjoy the rest of the SecurityMetrics Summit. Thank you.