PCI Compliance: A Piece of Website Security

September 9, 2014 in Cyber Attacks

If you think, for some reason, that your business is too small, too obscure, or simply too uninteresting to be worth a busy hacker's time, be prepared for a rude awakening. The one thing all of the recent major data breaches had in common is that the businesses involved were, in all likelihood, PCI compliant. It was still no guarantee.

There has been a seemingly endless parade of massive data breaches in just the last few weeks, including UPS, Dairy Queen, Community Health, Apple’s iCloud, the 1,000 businesses the FBI said were just hacked, and, oh yes, the suspicion that Home Depot just suffered a data breach even bigger than Target’s.

So tell me, are you feeling lucky? Or do you think your security is far better than that of these unfortunate victims? The security bottom line is becoming very clear: you will be hacked, sooner rather than later, and you will end up joining this parade. It could cost you dearly.

So if I’ve got your attention in any way, is there anything you can learn that might help you put off that awful day? Or at least minimize the pain?

  • While not all breaches are about credit cards, the hackers will take them anyway. Even if every card is quickly cancelled and rendered useless, many hackers don't care about the cards themselves; they care about reputation and infamy, and the bigger the haul, the bigger their reputation grows.
  • Get PCI compliant, and make sure you live it and mean it. Too many companies only think about compliance when they're being audited, and get lazy and complacent in the months in between. Guess what? Those months in between, when the controls that passed the audit quietly stop being maintained, are exactly what create the opportunities for hackers.
  • It's mainly about easy targets and back doors, so focus on them. While the PR responses to some of the biggest data breaches have described the attacks as advanced and sophisticated, many were actually so easy they were embarrassing. For example, in both the Target and eBay breaches, which between them affected more than 200 million users, the attack started by tricking untrained employees into opening infected emails.
  • If you have point-of-sale terminals in your business, be very wary. The latest malware, used against some of the biggest companies with the most security, targeted PoS systems that were not properly set up or guarded. Talk to the provider or manufacturer, update and upgrade where needed, fix any known vulnerabilities, replace default or weak passwords, and watch for security advisories.
  • Stay informed. Hackers change their tactics daily and are counting on you being a day behind. For example, hackers recently upped the ante in the constant battle over drive-by downloads by pushing out a new type of fileless malware that is much harder to detect. Experts struggle to detect this kind of malware even with advanced tools and knowing what to look for, which means your only real option is to keep it off your website in the first place.

PCI compliance was never meant to be a guarantee of security, just a good starting point. But you have to start somewhere. And if you think PCI compliance isn't that important, consider what will happen if compliance requirements are extended to your website as well. With so many unprotected websites, there is growing concern that mandatory website security can't be far away. For a free analysis of your website security needs, call SiteLock at 855-378-6200.

Google Author: Neal O’Farrell
