Wednesday, November 29, 2023
LetsAskBinu.com
14 best practices for your business

by Researcher
November 24, 2022
in Cybersecurity
Close up of Visa credit card on a laptop.
Image: CardMapr.nl/Unsplash

I’ve worked in the payments industry as a system administrator for more than 15 years and spent much of my career working with Payment Card Industry compliance, which pertains to security requirements involving companies which handle credit card data.

PCI compliance is a very complex field, with guidelines to which organizations in this industry must adhere in order to be permitted to process payments.

What is PCI compliance?

PCI compliance is a structure based on requirements mandated by the Payment Card Industry Security Standards Council to ensure that all companies that process, store or transmit credit card information maintain a secure operating environment to protect their business, customers and confidential data.

The guidelines, known as the Payment Card Industry Data Security Standard, came about on Sept. 7, 2006 and directly involve all the major credit card companies.

The PCI SSC was created by Visa, MasterCard, American Express, Discover and Japan Credit Bureau to administer and manage the PCI DSS. Companies that adhere to the PCI DSS are confirmed as PCI compliant and are thus considered trustworthy to do business with.

All merchants that process over 1 million or 6 million payment card transactions every year, and service providers that store, transmit or process over 300,000 card transactions every year, must be audited for PCI DSS compliance. This article is intended for companies subject to this annual audit.

It’s worth noting that PCI compliance doesn’t guarantee against data breaches any more than a home compliant with fire regulations is fully safe against a fire. It simply means that company operations are certified compliant with strict security standards. That certification gives these organizations the best possible protection against threats, the highest level of confidence among their customer base, and satisfaction of regulatory requirements.

Failure to comply with PCI requirements can result in hefty financial penalties, from $5K to $100K per month. Businesses that are compliant and still suffer a data breach can face significantly reduced fines in the aftermath.

14 best PCI practices for your business

1. Know your cardholder data environment and document everything you can

There can be no surprises when it comes to enacting PCI compliance; all systems, networks and resources must be thoroughly analyzed and documented. The last thing you want is an unknown server operating somewhere or a series of mysterious accounts.

2. Be proactive in your approach and implement security policies across the board

It’s a huge mistake to approach PCI compliance security as something to be “tacked on” or applied as needed where requested. The concepts should be baked into the entire environment by default. Elements such as requiring multi-factor authentication for production environments, using HTTPS instead of HTTP and SSH instead of Telnet, and mandating periodic password changes should be applied in advance. The more security-minded your organization is, the less work will need to be done once audit time arrives.

3. Conduct employee background checks on employees handling cardholder data

All potential employees should be thoroughly vetted including background checks for those who will work with cardholder data, whether directly or in an administrative or support position. Any applicant with a serious charge on their record should be rejected for employment, particularly if it involves financial crimes or identity theft.

4. Implement a centralized cybersecurity authority

For best PCI compliance, you need a centralized body to serve as the decision-making authority for all implementation, management and remediation efforts. This is typically the IT and/or cybersecurity departments, which should be staffed by employees trained in this field and knowledgeable of PCI requirements.

5. Implement strong security environmental controls

Across the board, you should use strong security controls in every component that handles cardholder data. Use firewalls, NAT, segmented subnets, anti-malware software, complex passwords (never leave default system passwords in place), encryption and tokenization to protect cardholder data.

As an added tip, keep the scope of cardholder data systems as small as possible, with dedicated networks and resources, so that the set of resources you must secure, and the effort involved in securing it, is minimized.

For instance, do not let development accounts have access into production (or vice versa), because the development environment would then be considered in scope and subject to heightened security.

6. Implement least privilege needed access

Use dedicated user accounts when performing administrative work on cardholder systems, not root or domain administrator accounts. Make sure only the bare minimum of access is granted to users, even those in administrator roles. Where possible, have them rely on “user level accounts” and separate “privileged accounts” which are only used to perform elevated privilege level tasks.

7. Implement logging, monitoring and alerting

All systems should rely on logging operational and access data to a centralized location. This logging should be comprehensive yet not overwhelming, and a monitoring and alerting process should be put in place to notify appropriate personnel of verified or potentially suspicious activity.

Alert examples include too many failed logins, locked accounts, a person logging into a host directly as root or administrator, root or administrator password changes, unusually high amounts of network traffic and anything else which might constitute a potential or incipient data breach.
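The alert conditions listed above can be expressed as simple rules over centralized auth logs. The following Python is an added example, not code from the article; the log lines are constructed syslog/sshd-style samples, and the threshold and privileged-account set are assumptions you would tune for your own environment.

```python
import re
from collections import Counter

# Constructed sample log (not real data) covering three alert cases from the
# article: repeated failed logins, a direct root login, and a root password change.
SAMPLE_LOG = """\
Nov 24 09:01:11 cde-app01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Nov 24 09:01:13 cde-app01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Nov 24 09:01:15 cde-app01 sshd[2101]: Failed password for root from 203.0.113.7 port 51002 ssh2
Nov 24 09:01:17 cde-app01 sshd[2101]: Failed password for root from 203.0.113.7 port 51003 ssh2
Nov 24 09:01:19 cde-app01 sshd[2101]: Failed password for root from 203.0.113.7 port 51004 ssh2
Nov 24 09:02:02 cde-app01 sshd[2188]: Accepted publickey for jsmith from 10.10.5.21 port 40122 ssh2
Nov 24 09:05:40 cde-db01 sshd[3310]: Accepted password for root from 10.10.5.21 port 40130 ssh2
Nov 24 09:06:01 cde-db01 passwd[3355]: pam_unix(passwd:chauthtok): password changed for root
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"(\S+) sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
PASSWD_RE = re.compile(r"(\S+) passwd\[\d+\]: .*password changed for (\S+)")

FAILED_LOGIN_THRESHOLD = 3              # assumed: alert once a source IP exceeds this
PRIVILEGED = {"root", "administrator"}  # assumed: accounts never to be used directly


def analyze(log_text, threshold=FAILED_LOGIN_THRESHOLD):
    """Return a list of (severity, message) alerts for the given log text."""
    alerts = []
    failures = Counter()  # failed-login count per source IP
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and m.group(2) in PRIVILEGED:  # direct root/administrator login
            alerts.append(("high", f"direct {m.group(2)} login on {m.group(1)} from {m.group(3)}"))
            continue
        m = PASSWD_RE.search(line)
        if m and m.group(2) in PRIVILEGED:  # privileged password change
            alerts.append(("high", f"{m.group(2)} password changed on {m.group(1)}"))
    for ip, count in failures.items():
        if count > threshold:
            alerts.append(("medium", f"{count} failed logins from {ip}"))
    return alerts


if __name__ == "__main__":
    for severity, message in analyze(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

In practice the same rules would run continuously against the central log store and feed an alerting channel rather than a one-shot script.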

8. Implement software update and patching mechanisms

Thanks to Step 1, you know which operating systems, applications and tools are running in your cardholder data environment. Make sure these are routinely updated, especially when critical vulnerabilities appear. IT and cybersecurity should be subscribed to vendor alerts in order to receive notifications of these vulnerabilities and obtain details on how to apply the patches.

9. Implement standard system and application configurations

Every system built in a cardholder environment, as well as the applications running on it, should be part of a standard build, such as from a live template. There should be as few disparities and discrepancies between systems as possible, especially redundant or clustered systems. That live template should be routinely patched and maintained in order to ensure new systems produced from it are fully secure and ready for deployment.

10. Implement a terminated privileged employee checklist

Too many organizations don’t keep proper track of employee departures, especially when there are disparate departments and environments. The HR department must be tasked with notifying all application and environment owners of employee departures so their access can be thoroughly removed.

An across-the-board checklist of all systems and environments used by employees handling credit card data should be compiled and maintained by the IT and/or cybersecurity departments, and all steps should be followed to ensure 100% access removal.

Do not delete accounts; disable them instead, as proof of disabled accounts is often required by PCI auditors.

For more guidance on how to onboard or offboard employees, the experts at TechRepublic Premium have put together a convenient checklist to get you started.

11. Implement secure data destruction methodologies

When cardholder data is removed, as the requirements mandate, a secure data destruction method must be used. It may entail software- or hardware-based processes such as secure file deletion or disk/tape destruction. Often, the destruction of physical media will require evidence to confirm it has been done properly and witnessed.

12. Conduct penetration testing

Arrange for in-house or external penetration tests in order to check your environment and confirm everything is sufficiently secure. You would much rather find any issues which you can correct independently before a PCI auditor does so.

13. Educate your user base

Comprehensive user training is essential in order to maintain secure operations. Train users on how to securely access and/or handle cardholder data, how to recognize security threats such as phishing scams or social engineering, how to secure their workstations and mobile devices, how to use multi-factor authentication, how to detect anomalies, and most of all, whom to contact to report any suspected or confirmed security breaches.

14. Be prepared to work with auditors

Now we come to audit time, where you will meet with an individual or team whose goal it is to analyze your organization’s PCI compliance. Don’t be nervous or apprehensive; these folks are here to help, not spy on you. Give them everything they ask for and only what they ask — be honest but minimal. You’re not hiding anything; you’re only delivering the information and responses that sufficiently meet their needs.

Additionally, hold onto evidence such as screenshots of settings, system vulnerability reports and user lists, as those might come in handy to submit in future auditing endeavors. Address all of their recommendations for remediations and changes as quickly as possible, and prepare to submit evidence that this work has been completed.

Thoroughly vet out any proposed changes to ensure these will not negatively impact your operational environment. For instance, I have seen scenarios where TLS 1.0 was requested to be removed in favor of newer TLS versions, but applying this recommendation would have broken connectivity from legacy systems and caused an outage. Those systems had to be updated first in order to comply with requirements.

© 2022 Lets Ask Binu All Rights Reserved