Guest Column | June 8, 2020

Why Is PCI Compliance Still So Important?

By Rob Chapman, Cybera

PCI QIR Certified

Risk is any situation that involves exposure to danger. Whether you work in a big company with a dedicated risk management group or a small shop—where the CEO is also the janitor, cashier, bookkeeper, and everything in between—all of us must manage risk. The ability to alleviate business risk is exactly what makes PCI compliance so important right now.

If you talk to any reputable information security person, they’ll often describe risk as their highest priority. That’s essentially what I get paid to do. Don’t get me wrong—everyone at work expects me to stop hackers, protect customer and employee data, and keep us compliant with the various regulatory frameworks. But the underlying thread to everything I do is fundamentally risk management.

Given the fact that we’re in a global pandemic, you might wonder why PCI compliance is still so important right now. Why worry about PCI when the entire world is scrambling to re-open safely and recover as quickly as possible?

Here are three big reasons why you should care about PCI compliance right now, along with some insights on how each impacts your bottom line while helping you manage risk.

1. PCI compliance lowers the risk of employee theft.

Managing risk includes thinking about how to reduce employee “shrink” in retail environments. It might seem almost villainous to even mention employees right now, many of whom have been on the front lines during the pandemic to serve us. The reality is that in nearly every economic and business crisis, shrink tends to rise. But if you follow PCI controls, you’re more likely to quickly identify shrink and keep it lower.

If you’re wondering how and where to start, try this:

  • Make sure your site cameras are in good working order. At a minimum, you should have cameras covering your registers, your back-office computers, and the network equipment that connects everything.
  • Use least-privilege access. Don’t extend full admin rights to everyone for your POS and back-office computers. I see this issue more than just about anything else at customer sites. Stores just aren’t very good at restricting employee access on an as-needed basis.

2. PCI compliance helps stop cybercrime.

Reports of rampant cybercrime during the pandemic are everywhere. We’re fighting more phishing attacks as well as attacks on remote working environments. I can’t tell you how to stop all cybercrime, but following basic PCI compliance guidelines will help reduce a lot of it. Here are a few good places to start:

  • Turn on multi-factor authentication (MFA) for any service that offers it. That way, if someone can guess or steal your username and password, they would still need access to your phone or other second factor to steal your information. Using MFA is probably the single biggest improvement to security you can make, and email is a relatively easy place to start. Simply conduct an online search for “MFA ” to find guidelines on how to set up MFA for email.
  • Introduce strong segmentation across your network. For example, your POS systems shouldn’t be able to talk to anything else on the network unless necessary. That means I shouldn’t be able to access your guest Wi-Fi and remotely log into your POS. Using tight segmentation controls will help prevent hackers from easily accessing your critical financial and customer data via less secure systems.
  • Define clear firewall rules to prevent unauthorized traffic from going in or out of your network. Too often I see firewall rules that are either not turned on or misconfigured in a way that allows more access than a store realizes. Tightening up your basic firewall rules can help prevent intrusion.
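As an added illustration (not from the original column), here is what the segmentation and firewall points above look like as an nftables forward-chain ruleset on a store router: the VLAN interface names, the 10.10.x.x store subnets, the POS management port and the payment gateway address 203.0.113.10 are all assumed placeholders standing in for a real store’s values.

```nft
# Added example, not from the column. Assumed layout: vlan10 = POS,
# vlan20 = back office, vlan30 = guest Wi-Fi, wan0 = internet uplink.
# Placeholder addresses: POS 10.10.10.0/24, back office 10.10.20.0/24,
# guest Wi-Fi 10.10.30.0/24, payment gateway 203.0.113.10.

# The weak setting seen in many stores: forwarding is allowed by default,
# so a guest Wi-Fi client can reach the POS and back-office computers.
#   chain forward { type filter hook forward priority 0; policy accept; }

# Corrected: default deny, then only the flows the business actually needs.
table inet store_segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were allowed below.
        ct state established,related accept

        # POS may reach only the payment gateway, and only over TLS.
        iifname "vlan10" ip daddr 203.0.113.10 tcp dport 443 accept

        # Back office may manage the POS (assumed vendor port TCP 5000)
        # and browse the internet; nothing from the internet may reach it.
        iifname "vlan20" ip daddr 10.10.10.0/24 tcp dport 5000 accept
        iifname "vlan20" oifname "wan0" accept

        # Guest Wi-Fi may reach only the internet, never any store subnet.
        iifname "vlan30" ip daddr 10.10.0.0/16 counter drop
        iifname "vlan30" oifname "wan0" accept

        # Everything else is logged and dropped; the log also gives you a
        # record to review for unexpected access attempts between segments.
        counter log prefix "store-seg-drop " drop
    }
}
```

Load it with `nft -f` after adjusting the names and addresses, and check the counters and the "store-seg-drop" log lines for a few days to confirm no legitimate flow was missed.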

3. PCI compliance helps prevent unnecessary fines, fees, and other costs.

When it’s performing an annual PCI review, your bank will often ask for the results of your self-assessment. If they discover that you’re not PCI-compliant, you can expect to see fines and possibly higher transaction fees for card processing in the future.

Trust The Experts

The best advice I can share about PCI compliance is to rely on your trusted technology partners and vendors to help you understand risk and how you can better manage it. You’ll find that most companies are eager to help you make sense of these types of issues and provide a variety of PCI compliance solutions to match your specific business needs.

About The Author

As Director of Security Architecture at Cybera, Rob Chapman is responsible for the company’s overall cybersecurity architecture and PCI compliance initiatives. During his career, he has focused on areas ranging from academic and enterprise technologies to Big Data and audiovisual systems. Chapman has a Masters in Educational Leadership and Instructional Technology from Tennessee Technological University. He currently resides in Columbia, TN.