By April, companies must be in compliance with 4.0 mandates or risk fines of up to $100,000 a month, depending on volume of transactions.
Get Instant Access to This Article
Subscribe to Worcester Business Journal and get immediate access to all of our subscriber-only content and much more.
- Critical Central Massachusetts business news updated daily.
- Immediate access to all subscriber-only content on our website.
- Bi-weekly print or digital editions of our award-winning publication.
- Special bonus issues like the WBJ Book of Lists.
- Exclusive ticket prize draws for our in-person events.
Click here to purchase a paywall bypass link for this article.
If you’re in charge of payment card data at your company, you’ve probably come across the term PCI DSS. No, it’s not some secret code; it stands for Payment Card Industry Data Security Standard. Basically, it’s a set of rules designed to keep your customers' card info safe from cyber crooks.
Here to tackle today's cyber threats head-on is the latest version of this standard called PCI DSS 4.0. But here's the catch: there's a deadline looming. By April, companies must be in compliance with 4.0 mandates or risk fines of up to $100,000 a month, depending on volume of transactions.
Keeping things simple and in plain English, below are the six essential things businesses need to implement before the deadline hits.
1. Web application firewall: Web applications can be a goldmine for hackers if not properly protected. That’s the job of a web application firewall. It acts as a shield, inspecting all traffic to block any malicious intruder targeting your web apps.
2. Anti-phishing tools: Phishing is still the oldest trick in the cybercriminal playbook. Threat actors often send scams by email in hopes of snaring victims into giving up their login credentials, financial details, or personal info.
To combat this, you need serious anti-phishing measures, which include domain-based message authentication (DMARC), sender policy framework (SPF), DomainKeys Identified Mail (DKIM) to prevent spoofing, the use of link scrubbers, and server-side anti-malware tools. PCI DSS recommends regular security awareness training to help employees identify and report phishing attacks.
3. Penetration testing: Requirement 11.4 of PCI DSS 4.0 specifies organizations must perform penetration testing at least annually and after any significant change to the network.
This includes testing from both inside and outside the business to identify vulnerabilities and ensure security of cardholder data.
4. Multi-factor authentication: Not all MFA is created equal. Make sure you have a system that can’t be tricked by replay attacks, where hackers intercept and reuse authentication messages.
5. Tougher passwords: Businesses need to encourage staff to use long and complex passwords using at least 12 alphanumeric characters. Given how the average internet user has 100 apps and online accounts, the only way to generate, store, and recall passwords is by using a commercial password manager.
6. Automated log analysis: Digging through endless logs looking for troublemakers is a job for automation. Businesses must have log analysis tools such as a security info event manager, which simply collects data from various sources to detect and respond to security threats.
The above list is not the comprehensive set of requirements. Version 4.0 puts great emphasis on periodic risk assessments.
Abiding by PCI DSS 4.0 rules may seem like a big hassle, but look on the bright side: Complying will not only prevent being fined by regulators but also make your business less vulnerable to scams and cyberattacks.
