Yes, we’re all in the middle of a global pandemic right now. Businesses are struggling to remain viable or reopen safely as quickly as possible. It’s no surprise that those fundamental issues remain top of mind for business leaders everywhere.
Focusing on the big picture definitely makes a lot of sense. However, there’s one very specific area you simply can’t neglect right now: PCI compliance. But why worry about PCI when the vast majority of the business world is just trying to keep its head above water?
It all comes down to risk—and how to manage it. At a baseline level, risk is essentially any situation that exposes us to danger. Today, many of us are facing elevated levels of risk in both our professional and personal lives. And it’s really easy to feel overwhelmed by that. Yet we can’t stop seeking ways to eliminate (wishful thinking) or at least manage (realistic) risk.
Compliance can make a big impact
If you work in a large company, you might have an entire dedicated risk management team. If you work in a small company, you might constitute the entire team by yourself. Either way, focusing on PCI compliance is a good way to improve risk management.
Most reputable info security professionals would highlight risk as their biggest concern and highest priority. That’s one of my primary responsibilities in my current role. In reality, my company expects me to prevent data hacks, protect customer data, and make sure we comply with industry regulations. But the common thread to everything is risk management.
In addition to helping you manage risk, focusing on PCI compliance can positively impact your bottom line by empowering you to:
Reduce incidents of internal theft
Help stop cyberthreats
Prevent fines, fees, and legal risk
1. Reduce incidents of internal theft
One difficult issue in many retail environments is how to manage internal risk. This includes thinking about how to reduce employee “shrink.” It doesn’t feel good to mention employees as a potential threat right now, especially since so many have been working diligently during the pandemic to better serve all of us.
The reality is, shrink tends to rise during times of economic and business crisis. Carefully adhering to PCI controls can help you quickly identify employee shrink and reduce it. Here are two tips to help you get started:
Limit access. Implement least-privilege access protocols and avoid giving full admin rights to your POS systems and back-office computers. This is probably the most common issue I see at customer sites. Stores must become much better at restricting employee access to PCI-scoped equipment on an as-needed basis.
Keep your site cameras in good working order. Always make sure cameras cover your registers, back-office computers, and the network devices that keep everything connected. Cameras are both a strong deterrent and a good tracker of activities.
2. Help stop cyberthreats
Have you seen all the recent reports on rising cybercrime during the pandemic? We’re also seeing more phishing attacks along with attacks on remote environments. I don’t have the magic words to stop all cybercrime, but you can definitely reduce it by following some basic PCI compliance guidelines, such as:
Segment key parts of your network. Unless absolutely necessary, your POS systems shouldn’t directly talk to anything else on the network. For example, someone shouldn’t be able to access your guest Wi-Fi and remotely log into your POS. Tightening your segmentation controls can prevent hackers from easily accessing critical financial and customer data through less-secure systems.
Use multi-factor authentication (MFA). If someone can guess or steal your username and password, MFA would require them to also access your phone or other second factor to steal your information. That’s why MFA is probably the greatest security improvement you can make. If you want a good place to start, try setting up MFA for email. Go online and search for “MFA <your email service>” to learn how.
Clearly define strong firewall rules. You should always try to prevent unauthorized traffic on your network. I’ve seen too many customer sites where the firewall rules are turned off or misconfigured—allowing more access than the customer realizes. Continually tighten your firewall rules to help prevent intrusion.
3. Prevent fines, fees, and legal risk
If your SAQ reveals any gaps in PCI compliance, you can bet that your bank will notice. And if they believe you’re non-compliant, expect to incur fines and possibly higher transaction fees for card processing. Non-compliance can also expose you to costly legal issues.
We all probably have enough risk to worry about right now without adding PCI compliance risk to the list. The best advice I can share is to do your homework and seek out expert advice on ways to better manage risk. There are many great resources, such as the PCI-DSS guidelines, that you can tailor to fit your particular business needs.