Retail commerce is the backbone of our economy, so it should come as no surprise that cyberthreats are often directed at payment systems and payment solution providers. This brings us to a discussion of the PCI Standard, which is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud, so assessing compliance and potential vulnerabilities has become a de facto requirement.
Why Payment Solution Security Assessments?
At the risk of being redundant with a previous blog on Health Insurance assessment requirements, the short answer to this very important question is that it is “the law”; specifically, a US government regulation requires this. According to CSO Online:
“PCI DSS is a cybersecurity standard backed by all the major credit card and payment processing companies that aims to keep credit and debit card numbers safe. PCI DSS stands for Payment Card Industry Data Security Standard. The standard, which is administered by the Payment Card Industry Security Standards Council, establishes cybersecurity controls and business practices that any company that accepts credit card payments must implement. Companies can demonstrate that they've implemented the standard by meeting the reporting requirements laid out by the standard; those organizations that fail to meet the requirements, or who are found to be in violation of the standard, may be fined.”
The article goes on to state:
“PCI DSS compliance became mandatory with the rollout of version 1.0 of the standard on December 15, 2004. (PCI DSS 3.2 is the current version of the standard, and 4.0 is in the works.) But we should pause here to talk about what we mean by "mandatory" in this context. PCI DSS is a security standard, not a law. Compliance with it is mandated by the contracts that merchants sign with the card brands (Visa, MasterCard, etc.) and with the banks that actually handle their payment processing.”
One other item should be addressed at this stage: this is a process, not a project, and should be treated as such, meaning that best practice dictates ongoing due diligence rather than a one-time effort.
A Payment Solution Provider Security Assessment Case Study
nVisium engaged with a financial institution to assess a mobile payment solution and build additional security capabilities into the platform. The product is used by vendors and merchants at the Point of Sale and integrates with additional banking and loyalty products.
Upon completion of the initial assessment, nVisium analyzed the results to help build security controls to reduce the scope of PII and payment exposure across the platform. As the mobile development team integrated the solution, nVisium’s team provided ongoing support and guidance to ensure the findings and fixes were well understood and architected securely from client to backend.
Every IT security professional should be comfortable with all aspects of a security assessment. Take a few minutes to update your understanding of the types of assessments here in a previous blog. Partnering with a trusted advisor with experience in healthcare-specific requirements is a great next step on your journey to IT security protection.
nVisium empowers organizations to eliminate application and cloud security vulnerabilities before cyber threats exploit them with proven in-depth security assessments, remediation and training programs. Our experienced team of security-savvy developers and engineers guide organizations to build best practices with high ROI into their engineering and secure development lifecycles across applications, operating systems, networks, mobile, cloud and IoT through services, software solutions and R&D unique to business operations and compliance initiatives. Additionally, nVisium provides a fully managed platform for tracking and measuring performance as well as instructor-led and online training.
Our security-savvy team implements leading-edge assessment techniques and world-class secure development training programs to eliminate vulnerabilities for both global enterprises and startup organizations, so when you are ready, schedule a consultation today or download our new eBook titled “Demystifying DevSecOps” to get started yourself.