Last Minute Data Security Checklist for the Holiday Season

Nov 10, 2008 10:40 PM

For merchants, the highest transfer volume of payment card and other sensitive and confidential information happens during the holiday season—and cybercriminals know it.

To the dismay of many, being compliant with the payment card industry’s Data Security Standard (PCI DSS) doesn’t mean you are invulnerable to breaches, and they can be massive in scale. Case in point: Hannaford Bros. was PCI compliant when up to 4.2 million credit card and debit card numbers were stolen from the grocer’s systems, as disclosed after last year’s holiday season.

While being PCI compliant is certainly necessary and should be a priority for any retailer, being secure takes precedence. And this means staying up to date on the latest trends as well. The good news is that there are a few relatively simple things you can do to beef up your data security as you ready your business for the busiest period of the year – the holiday season.

Don’t save sensitive information if you don’t need it
If you haven’t already classified the sensitive data you collect and store, now’s the time to do it. Review each data type and decide if it really needs to be collected, and if so, if it needs to be stored. There’s no reason to collect, store and secure information that is no longer important to your organization. This applies to electronic data as well as hard copy data—all of it must be protected, whether by encrypting it, filing it in a locked cabinet or destroying it by shredding.

After you cull the list of remaining sensitive data types, create a hierarchy separating them into broad categories: data everyone can see, data some people can see, and data very few people can see. If you find you don’t actually need certain types of consumer information, put a policy in place so your employees no longer ask for it.

Audit all activity
Maintain logs of who is accessing sensitive information and what they are accessing. Review the systems you’re using that have auditing capabilities and make sure auditing is turned on. Ideally, route all audit information to a central repository so that it cannot be tampered with. Security is not a one-time event; it is an ongoing program of compliance that needs to become a natural part of your day-to-day operations.

If you’re already PCI DSS compliant, you know you have to pass audits annually, so security is always top of mind. If you’re also protecting personally identifiable information (PII), you are not required to go through audits to comply with industry mandates and state regulatory laws, but this doesn’t let you off the hook.

Apply the same principles and processes to PII to vigilantly protect the consumer data entrusted to you. It is important to continually monitor your company’s activities related to sensitive data, both electronic and physical, to make sure you are maintaining the level of security necessary to protect confidential consumer information throughout your enterprise and among your business partners.

Limit user access to required applications
Review what access to the network and applications each employee needs to do their job. If you find that certain employees don’t require access to some areas of the network, remove those privileges to reduce your risk. This also applies to applications that reside across the network. Limit the number of employees who have access to applications containing confidential data, such as credit card numbers. Turn off access for employees who don’t need it, and put a process in place to respond quickly when users have legitimate network and application access requirements.

Re-evaluate your company’s perimeter security
Take another look at the perimeter of your enterprise for unnecessary areas of risk. Are your firewalls and other edge security applications up to date on software releases? Verify that all inbound and outbound firewall openings really need to be open during the holiday season. You may be able to boost your perimeter security by permanently or temporarily closing access points or limiting firewall openings. You need to exchange information with your business partners securely, so periodically review the security requirements of your electronic gateways as well.

Educate employees
Create a “best security practices” guide for employees that communicates your company’s data security policies.

Be sure to include even the obvious, such as reminding employees to log out of their terminal or lock their keyboard whenever they step away from it; not throwing documents containing sensitive information into the trash can, but rather shredding them; keeping their employee badge with them at all times and not laying it in a drawer at work; and not writing their passwords on a sticky note on their desk where it is accessible to others.

Consider holding employee meetings to present these best practices and handing the guide out as a reminder. It is recommended that employees take a security best practices training course when they join the company and annually thereafter. A reminder just prior to the holiday season is a great way to lower your company’s security risks.

Whether you’re PCI DSS compliant or not, your security is only as strong as it is on any given day. It’s never too late to take another look at your data security situation, especially during the holiday season when you’re collecting and protecting more payment card numbers and other confidential consumer information than at any other time of the year.

Gary Palgon (gpalgon@nubridges.com) is vice president of product management for nuBridges.