It’s hard to ignore the fact that data security breaches seem to be increasing in frequency and severity, particularly those involving credit and debit card data. Just ask Home Depot, Michaels Stores, Neiman Marcus, or their 50+ million customers whose payment card data may have been compromised in 2014. To reduce the chances of making the list in 2015, preventative measures must be taken by every business that accepts credit and debit card payments.
The PCI Security Standards Council developed the Payment Card Industry Data Security Standard (PCI DSS) to encourage and enhance cardholder data security. The standard is organized into six goals that together contain 12 requirements:
Build and Maintain a Secure Network and Systems
- Install and maintain a firewall to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
- Protect stored cardholder data.
- Encrypt transmission of cardholder data.
Maintain a Vulnerability Management Program
- Protect all systems against malware and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need to know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
Maintain an Information Security Policy
- Maintain a policy that addresses information security for all personnel.
The PCI Security Standards Council also provides a number of tips and strategies to increase the security of payment card data, such as:
- Never store Sensitive Authentication Data after authorization, even in encrypted form. This includes the full track contents of the magnetic stripe or chip, card verification codes/values (CVV2, CVC2, CID), and PINs or PIN blocks.
- Ask point-of-sale vendors about the security of payment card systems.
- Do not store cardholder data that is not needed.
- Consolidate and isolate cardholder data that is needed.
The Council notes that the PCI DSS provides minimum security requirements that may be enhanced by additional controls and practices. Various laws, rules or regulations may also require enhanced security measures. For example, under the truncation rule of the Fair and Accurate Credit Transactions Act (FACTA), an electronically printed credit or debit card receipt given to the customer may show no more than the last five digits of the card number and must not show the card's expiration date.
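As an added illustration (this code is not from the article and is not tooling from the PCI Security Standards Council), here are the two checks a merchant's developers can put in front of storage and printing: a scanner that finds unmasked card numbers and magnetic-stripe track data in logs or data dumps, using the Luhn check to filter out ordinary long numbers, and a storage-time sanitizer that drops Sensitive Authentication Data outright and keeps only a masked card number. The field names, the sample log lines and the sample record are constructed for the example; the card numbers are the payment brands' published test numbers, not live accounts.

```python
"""Storage-time and print-time checks for cardholder data.

Added example, not code from the original article or from the PCI SSC.
Field names (cvv, pin, track1, track2, ...), the sample log and the sample
record are constructed for illustration.
"""
import re

# Sensitive Authentication Data (SAD): must never be stored after
# authorization, under any encryption.
SAD_FIELDS = ("cvv", "cvc", "cid", "pin", "pin_block", "track1", "track2")

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# ISO/IEC 7813 track layouts: %B<PAN>^<NAME>^<YYMM>...? and ;<PAN>=<YYMM>...?
_TRACK1 = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}[^?\n]*\??")
_TRACK2 = re.compile(r";(\d{13,19})=\d{4}[^?\n]*\??")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Mask a card number for display or receipts, keeping only the last
    digits. FACTA allows at most the last five on a customer receipt; four is
    the default here. The expiration date is simply never passed to a receipt."""
    if keep_last > 5:
        raise ValueError("receipts may show at most the last five digits")
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def find_cardholder_data(text: str) -> list:
    """Scan free text (a log, a dump, a config) for unprotected PANs and
    magnetic-stripe track data. Returns (kind, masked_pan) tuples so the
    report does not itself re-expose the data."""
    findings, covered = [], []
    for kind, rx in (("track1", _TRACK1), ("track2", _TRACK2)):
        for m in rx.finditer(text):
            findings.append((kind, mask_pan(m.group(1))))
            covered.append(m.span())
    for m in _PAN_CANDIDATE.finditer(text):
        # A PAN inside track data was already reported with the track.
        if any(a <= m.start() and m.end() <= b for a, b in covered):
            continue
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):  # drops order numbers, timestamps, etc.
            findings.append(("pan", mask_pan(digits)))
    return findings


def sanitize_for_storage(record: dict) -> dict:
    """Prepare a post-authorization record for storage: drop every SAD field,
    replace the PAN with its masked form, keep the rest. Anything the
    business does not need is not stored at all."""
    clean = {k: v for k, v in record.items() if k.lower() not in SAD_FIELDS}
    if "pan" in clean:
        clean["pan_masked"] = mask_pan(clean.pop("pan"))
    return clean


# Constructed sample: test PANs leaked into an application log, a raw swipe
# logged at DEBUG level, and a 13-digit reference number that is not a PAN.
SAMPLE_LOG = """\
2014-12-01 10:02:11 INFO  order=8831 pan=4111 1111 1111 1111 exp=12/15 status=approved
2014-12-01 10:02:12 DEBUG raw_swipe=%B5555555555554444^DOE/JANE^15121010000000000000?
2014-12-01 10:02:13 DEBUG raw_swipe=;378282246310005=1512101000000000?
2014-12-01 10:03:00 INFO  order=8832 ref=1234567890123 status=declined
"""

# Constructed sample of what a POS integration hands back after authorization.
SAMPLE_RECORD = {
    "order": 8831,
    "pan": "4111111111111111",
    "expiry": "12/15",
    "cvv": "123",
    "track2": ";4111111111111111=1512101000000000?",
    "auth_code": "A1B2C3",
}

if __name__ == "__main__":
    for kind, masked in find_cardholder_data(SAMPLE_LOG):
        print(f"unprotected {kind}: {masked}")
    print(sanitize_for_storage(SAMPLE_RECORD))
```

Run against the sample log, the scanner reports the two raw swipes and the spaced-out PAN on the first line, and ignores the 13-digit reference number because it fails the Luhn check. The sanitizer keeps the expiry and authorization code (cardholder data the business may store, though the expiry still must not be printed on the customer receipt) and discards the CVV and track data before anything reaches disk.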
Sometimes security measures aren’t enough to prevent a data security breach, so businesses should use insurance to manage their cyber risks. There are a number of cyber liability products that protect against privacy injuries, such as identity theft, and that cover the cost of complying with various data breach notice laws. However, given the complexity of the risk, an experienced insurance agent should be consulted to ensure that adequate coverage is obtained.
A solid understanding of your insurance needs is the key to overcoming the quality versus cost argument. An experienced and reputable independent insurance agent can help you purchase insurance that is both economical and effective.
If you would like to learn more about insuring against cyber risks, contact us.