Personal information is one of the most sought-after, most liquid commodities of the digital age. As consumers become more aware of the dangers of digital transactions, the importance of data security and storage will become more pronounced.
Perhaps the biggest problem facing merchants right now is not that they are ignoring security measures. In fact, many of the merchants who have suffered some kind of security breach had spent huge amounts of time and resources on installing security systems. The problem was that these companies simply were not prepared to deal with every area of possible threat. Some avenues may have been completely blocked, but others were unknowingly left wide open.
As more of these stories reach public notice, merchants will eventually realize that improved data security and storage is simply good business sense. At that point we might be able to trust businesses to implement those measures on their own. Until then, though, the major credit card companies will rely on the PCI DSS (Payment Card Industry Data Security Standard) to push businesses to improve their security.
The PCI DSS is a list of 12 requirements that any merchant that stores, processes, or transmits cardholder data must conform to. These requirements can be considered the necessary steps to improve your own data security and storage methods.
Begin by controlling the traffic that has access to your system by installing a firewall. Firewalls are devices that control the traffic in and out of a system and block transmissions that do not meet the specified security criteria.
The next step is to change all the vendor-supplied default passwords that may have come with your security systems. Most of these passwords are already well known in the hacker community and are the first things attackers will try against your system. A merchant should change them as quickly as possible.
Once you hold cardholder data, you have to do everything you can to protect it. This includes encrypting all stored data and keeping the amount of stored data to a bare minimum. Physical and computer access to the information and to the encryption keys must also be strictly controlled.
But encryption of data stored on a system is not enough on its own. Not only must data be secured at both end points, cardholder data must also be encrypted in transit, because if an attacker cannot get to your information while it sits on your system, they may try to intercept, modify, or reroute it as it is sent.
Threats to your information do not only come from hackers. Viruses or accidents can crash or otherwise destroy your system, causing a loss of information. A merchant must install anti-virus software and keep it up to date, and must develop and maintain secure systems and applications. If you are using third-party applications, you must make sure that you install any necessary patches and updates.
Access to cardholder data must be restricted to those with a business need to know. A lot of trouble has happened in the past because too many people had access to a system; once access is granted broadly, it tends to keep spreading.
Everyone who has access to the system must be assigned a unique ID. That way, any action on the system can be traced to an individual, making it easier to identify the cause of any problems that might arise.
Physical access must also be restricted. Unethical employees could cause problems, or a thief could simply walk out the door with your computers. This is something often overlooked in our digital age.
Monitoring, tracking, and logging of all access to network resources and cardholder data must be strictly enforced. If your data security and storage measures are ever compromised, these records are the only way to find out what happened and rectify the problem.
Regular testing of your security systems and processes is the next step. It is the only way to make sure you find and close any security holes before criminals can take advantage of them.
And finally, you need to make sure everyone in your company is aware of these security measures and their own responsibility in keeping sensitive information safe.
By following these steps you will find a couple of benefits waiting for you. The first is PCI compliance, which carries many benefits of its own. The second is the trust of your customers, who will be more willing to continue doing business with you.