Wireless compliance: adhering to the PCI DSS

January 2023  |  FEATURE | BANKING & FINANCE

Financier Worldwide Magazine

January 2023 Issue


The advent of the internet of things (IoT) has driven a digital transformation across the global business community, with companies increasingly using wirelessly connected devices to collect information and to conduct transactions.

Moreover, as hardware devices such as sensors, gadgets, appliances and other machines that collect and exchange data over the internet continue to proliferate, their deployment is increasingly crossing over into the realm of account-based payments.

“IoT devices are being deployed within a business environment where payments are processed, as well as more directly where an IoT device is used to accept, perform or authorise payments on behalf of a user,” states the Payment Card Industry Security Standards Council (PCI SSC). “In all cases, when considering a deployment of IoT devices, the security of IoT devices and payment data needs to be considered throughout the device lifecycle.”

Where such devices touch card data, securing them means complying with the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements intended to ensure that every company that stores, processes or transmits cardholder data maintains a secure environment.

First published in December 2004, the PCI DSS has since 2006 been maintained by the PCI SSC, a body formed by the five major card brands – American Express, Discover, JCB, MasterCard and Visa – to enhance payment card data security. The council provides the standards and supporting materials, including specification frameworks, tools, measurements and support resources, to help companies ensure the security of cardholder information.

As outlined in its ‘IoT Security in Payment Environments’ report, the PCI SSC advises that companies should ask themselves the following key questions. Are the devices designed with security in mind? Are the devices deployed securely? Can the devices be maintained securely until decommissioning? And is there a decommission plan for the devices?

Because wireless and IoT technology keeps changing, companies must also recognise that PCI DSS compliance is not a one-off certification but an ongoing obligation.

“As with all security, IoT security is constantly evolving; new threats emerge, and new vulnerabilities are discovered,” observes the PCI SSC. “To protect networks from the risk of insecure IoT systems, companies should choose secure devices and deploy and securely maintain those devices until they are decommissioned.”

The road to compliance

At first glance, complying with the PCI DSS seems a daunting task. However, compliance brings significant benefits, particularly when set against the consequences of non-compliance, which can include fines from acquirers and card brands, higher processing fees and, ultimately, loss of the ability to accept cards, quite apart from the cost of a breach.

“The maze of standards and issues seems like a lot to handle for large organisations, let alone smaller companies,” acknowledges Juliana de Groot, senior marketing operations specialist at Digital Guardian. “Yet, compliance is becoming more important and may not be as troublesome as a company may assume, especially if it has the right tools.”

According to Digital Guardian, adhering to the recommendations listed below can help companies go a long way toward ensuring compliance with the PCI DSS.

First, install and maintain firewalls. A firewall restricts traffic between untrusted networks and the systems that hold cardholder data, allowing only the connections the business has explicitly approved. It is usually the first line of defence, so its rule set must be documented, reviewed and kept in step with network changes.

Second, never run vendor defaults. Routers, modems, point-of-sale (POS) systems and other third-party products ship with default passwords, SNMP community strings and unnecessary services that are publicly documented and well known to attackers. Too often, businesses put such devices into production without changing a single default.

Third, protect stored and transmitted cardholder data. Wherever a primary account number (PAN) is stored it must be rendered unreadable, for example by strong encryption, truncation, tokenisation or a keyed hash, and it must be encrypted with strong cryptography whenever it crosses open, public networks, including wireless networks. The keys that encrypt card data need protecting in turn: stored in as few places as possible, accessible to the fewest custodians necessary, and themselves encrypted under a key-encrypting key of at least equal strength or held in a hardware security module. Sensitive authentication data such as full track contents, card verification codes and PINs must not be stored at all after authorisation.

Fourth, deploy and maintain anti-malware software. It must run on all systems commonly affected by malware, be kept current with signatures and patches, and produce audit logs of its own; where a POS terminal cannot run such software itself, the POS provider should supply equivalent controls.

Fifth, restrict data access. Access to cardholder data must be limited strictly to those whose job requires it. Staff, executives and third parties who do not need this data should not have it, and access rights should be reviewed as roles change.

Sixth, assign a unique ID to every user. Everyone with access to cardholder data should have their own credentials, never a shared or generic account. Unique IDs make every action attributable to one person, which limits exposure and speeds up investigation when data is compromised.

Seventh, create and maintain audit logs. Every access to cardholder data and primary account numbers (PAN) must produce a log entry recording who did what and when, and the logs themselves must be protected from tampering and retained. Perhaps the most common non-compliance finding is simply a lack of proper documentation and records.

Lastly, scan and test for vulnerabilities. A compliant environment spans several software products, physical locations and a number of people, and any of them can malfunction, fall out of date or suffer human error. The standard therefore requires regular vulnerability scans, including quarterly external scans, and at least annual penetration testing, so that gaps are found before an attacker finds them.
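As an added example, not code from the article, from Digital Guardian or from the PCI SSC, the following Python uses only the standard library to show four of the habits above applied to a PAN: render the stored value unreadable with a keyed hash rather than a bare hash (and why the bare hash is not enough), mask the PAN for display, tie every access to a unique user ID in an audit record that never contains the full PAN, and scan existing log lines for PANs that have leaked into them. The HMAC key, user names and log lines are constructed for the demonstration, and the two card numbers are the well-known Visa and Mastercard test numbers. The block deliberately does not implement encryption of stored PANs; that belongs to AES-GCM from a vetted library or a hardware security module, not to hand-written code.

```python
import hashlib
import hmac
import re
from datetime import datetime, timezone


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that every card PAN passes; separates PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits visible (PCI DSS Requirement 3)."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def unkeyed_pan_hash(pan: str) -> str:
    """What NOT to do: a bare SHA-256 of the PAN, shown here only to be broken below."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_from_unkeyed_hash(digest_hex: str, first6: str, last4: str):
    """The BIN (first six) and last four are routinely displayed, so only the six
    middle digits are unknown: one million candidates, i.e. seconds of work."""
    target = bytes.fromhex(digest_hex)
    for middle in range(10**6):
        candidate = f"{first6}{middle:06d}{last4}".encode()
        if hashlib.sha256(candidate).digest() == target:
            return candidate.decode()
    return None


def pan_token(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) usable as a lookup index; without `key` the
    brute force above is impossible. `key` is a placeholder: real keys live in a
    key manager or HSM, never in source code."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def audit_entry(user_id: str, action: str, pan: str, success: bool) -> dict:
    """One Requirement-10 style record per access to cardholder data:
    who (unique ID, never a shared account), what, when, outcome, which card (masked)."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user_id": user_id,
        "action": action,
        "success": success,
        "pan": mask_pan(pan),   # the full PAN must never reach the log
    }


# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def find_pan_leaks(lines):
    """Return (line_number, masked_pan) for every Luhn-valid PAN found in log text."""
    leaks = []
    for n, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                leaks.append((n, mask_pan(digits)))
    return leaks


# Constructed sample log lines (not real data). Line 1 and line 4 leak a full PAN;
# line 2 is correctly masked; line 3 holds a 16-digit order number that fails Luhn.
SAMPLE_LOG = [
    "2023-01-10T09:14:02Z user=alice action=charge pan=4111111111111111 amount=42.00",
    "2023-01-10T09:14:03Z user=bob action=view pan=411111XXXXXX1111",
    "2023-01-10T09:14:04Z user=carol action=lookup order=1234567890123456",
    '2023-01-10T09:14:05Z user=dave action=refund card="5555 5555 5555 4444"',
]


if __name__ == "__main__":
    key = b"demo-hmac-key-replace-with-hsm-managed-key"   # placeholder for the demo
    pan = "4111111111111111"
    print("display:", mask_pan(pan))
    print("token  :", pan_token(pan, key))
    print("audit  :", audit_entry("alice", "charge", pan, True))
    print("leaks  :", find_pan_leaks(SAMPLE_LOG))
    print("bare hash recovered:", recover_from_unkeyed_hash(unkeyed_pan_hash(pan), "411111", "1111"))
```

Run over real log directories, `find_pan_leaks` is the check an assessor will effectively perform: a single full PAN in an application log pulls that log server into scope and is a finding on its own. The brute-force function is the reason the keyed hash matters: the masked form and the BIN leak the same ten digits that make an unkeyed hash trivially reversible.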

“The PCI DSS is the cornerstone of the council, as it provides the necessary framework for developing a complete payment card data security process that encompasses prevention, detection and appropriate reaction to security incidents,” adds Ms de Groot.

Wireless evolution

Undoubtedly, companies are going through a huge digital transformation with the IoT. New connected devices promise improved efficiency, but each one also widens the attack surface and adds communication paths, many of them wireless, that must be segmented, monitored and accounted for in the scope of a PCI DSS assessment.

So, with the evolution and development of wireless technologies showing no sign of abating, companies must also stay alert to the fact that PCI compliance is ongoing – a process that aids in preventing security breaches and payment card data theft in the present and in the future.

© Financier Worldwide


By Fraser Tennant

