Mitigating Risks During Payments & Customer Transactions

39
Mitigating Risks During Payments & Customer Transactions

Such is the intensity of the battle against cyber-threats, the legacy defenses of anti-virus and office firewalls are no longer adequate without additional support. As customer-facing organizations come under attack, they are looking to work in tandem with solution vendors to cover off all the angles and aspects that make them, and their customers, vulnerable to risk.

At the same time, compliance with regulatory mandates and legislation – often intended to protect customers – has evolved to become increasingly problematic and it’s a challenge that organizations must solve.

According to a recent poll carried out by SentryBay on Twitter, the infrastructure of over 21% of surveyed companies had either failed key Payments Council Industry Security Standards Council (PCI SSC, the Council) assessments or was non-compliant with the PCI Data Security Standard (DSS).

These standards are designed to assist companies to maintain high security benchmarks when processing customer card payments or handling customer transactions. They mandate those organizations maintain a secure network and systems to host transactions, including a properly configured network firewall to protect cardholder data and restrict data access to those with a genuine business need. They are an essential part of the ecosystem, helping to engender trust between the organization and its customer base.

Also Read: Insider Threats: How CISOs Can Prevent Them

However, this is clearly proving difficult. The poll went on to find that when respondents were asked what the biggest challenges were to ensuring compliance, 30.7% said it was too complex while 23.6% thought that that the contradictions of the process were the biggest barrier. This is a common refrain, with many organizations frustrated by the need to address numerous security requirements alongside the standards, which they often found to be at odds with each other. It is unsurprising that over 29% of people who responded to the survey said that they had no confidence in their own company’s compliance with it came to PCI DSS.

The impact is obvious. 15% of respondents reported that their organization experienced a security breach in the past year as a likely result of mishandling payment card or related information, while another 20% said they do not even know whether they have been breached due to such mishandling of data.

This is despite a high number recognizing the dangers of email phishing (37.5%), keylogging (21.4%), screen scraping (20.8%), and spyware (20.3%) as important vulnerabilities for cyber attackers seeking access to customer or corporate data and intellectual property.

Delving deeper, more than 50% of respondents in the survey said that they either believe PCI regulations are not fit for purpose or need adjusting for the hybrid working models that so many organizations are adopting post-pandemic.

While achieving PCI compliance is not an easy task, maintaining it is even harder – especially with the deadline for the introduction of PCI DSS v4.0 now looming. Currently, some 12 key requirements are unlikely to change – but the main goal has become to promote the achievement of security as a continuous process, rather than a discrete project or single task that can be finished in one swoop and filed away as ‘complete’

For businesses that are trying to manage their evolving security landscapes as the workforce remains in flux following the pandemic, addressing the numerous security requirements of PCI is a daily task and over 24% of respondents said that educating employees on PCI compliance was their biggest challenge.

These compliance requirements, however, are not intended to cause further issues but to actually help protect organizations from cyber threats. The difficulty is that businesses have a lot to deal with right now. They are struggling to keep pace with an expanding cybersecurity landscape with threats developing in parallel with a workforce which is ‘fluid’. Some employees are continuing to work remotely, others are back in the office, and the vast majority is splitting their time between both. This is not a situation that is likely to change in the near future.

Also Read: SD-WAN Solutions to the Rescue of IT Leaders

It can be a challenge to decide on the best approach to take, and the fact is that there is no single offering or solution that can solve an organization’s security, privacy and compliance needs in isolation. Instead, a multi-layered approach that integrates complementary products and services is typically required. Such an approach must incorporate thought-through policies that enable organizations to block cyber threats and proactively address gaps in compliance.

Both data security and compliance are common issues that cross every touch point of the customer journey, and companies do need to have confidence in the standards and in their own ability to adhere to them, even if this is very tasking. The aim should be to work towards being compliant and secure simultaneously and this might mean adjusting the culture of the company to address all the layers of security that are required to meet the standards. While this might seem to be a high hurdle, it will be absolutely worth doing to ensure best practices are implemented and the race towards reducing vulnerability and ensuring compliance is won.

For more such updates follow us on Google News ITsecuritywire News