By Jeff Reich, Chief Risk Officer, Layered Tech
Almost daily, a new report details how a company suffered a data breach that exposed the sensitive data of hundreds of people. To help guard against these attacks, companies that handle payment card data must become PCI compliant, but compliance is not easy to achieve and does not by itself guarantee security. Community clouds provided by third parties like Layered Tech offer security controls and a path to compliance without the cost and labor of building and operating in-house systems.
To better understand these issues, this blog series will explore the hazards data breaches present and how, even with its challenges, PCI compliance and added security can help protect companies. Additionally, the series will discuss how leveraging a community cloud provides companies with added benefits, such as scalable infrastructure, flexibility and availability, all in a cost-effective manner.
The real risk hackers pose
In today’s business environment, data breaches are no longer disasters that happen to other companies, nor are they an issue that only plagues large enterprises. These adverse events can affect small- and medium-sized businesses that have made the leap to computerized systems and digital records.
Hackers are becoming more sophisticated and employ a range of tactics to retrieve information, such as exploiting backdoors and installing spyware, which forces companies to attend to every aspect of security. Instead of looking only for credit card and Social Security numbers or personal data such as birthdates, hackers are increasingly stealing online banking login credentials. According to Verizon’s 2011 Data Breach Investigations Report, the U.S. Secret Service arrested more than 1,200 cybercrime suspects in 2010 who were connected to more than $500 million in fraud losses.
PCI compliance helps but includes challenges
All companies that accept credit card payments, online or offline, are required to take steps to secure cardholder information. The baseline for this is PCI compliance: the organization meets the requirements set out in the Payment Card Industry Data Security Standard (PCI DSS), which span prevention, detection and response. The standard is maintained by the PCI Security Standards Council. The security requirements themselves apply to every organization that stores, processes or transmits cardholder data; what varies with a company’s size, type of business and transaction volume is how compliance must be validated, for example a self-assessment questionnaire for smaller merchants versus an on-site assessment by a Qualified Security Assessor for the largest. (Want to know more about PCI DSS? See the helpful PCI DSS resources available on our website.)
The strictness of these requirements, however, can make it difficult for businesses to achieve compliance. Verizon’s 2011 Payment Card Industry Compliance Report states that only 21 percent of the organizations assessed were fully compliant. And even though PCI-compliant companies are less likely to suffer a breach, PCI compliance does not guarantee the security of data: an assessment is a point-in-time validation, and an environment can drift out of compliance as soon as the assessor leaves. Security measures such as timely patching, hardening the interfaces between systems, and ongoing monitoring must continue between assessments.
Many companies use PCI compliant hosting and managed services from providers like Layered Tech to draw on the provider’s security, compliance and cloud expertise. With this approach, organizations gain the benefits of a hosted IT infrastructure without the headaches of owning and maintaining hardware, and can dedicate their resources to what matters most: their business and their customers. To learn more about Layered Tech’s services, please visit our website or send us an email.
In the second installment of this blog series, we will discuss PCI compliance and security in community clouds and how this environment can provide businesses with unprecedented processing power, bandwidth and storage capacity, without the burdens of capital expenses and IT staff overhead.
Image credit: Mikael Altemark
About the Author: As Chief Risk Officer at Layered Tech, Jeff Reich (@LayeredTechCRO, +Jeff Reich) drives the company’s security and compliance services and guides risk mitigation efforts for clients. With more than 30 years of experience, Reich is a well-known risk management and security expert in the industry. He holds CRISC, CISSP and CHS-III certifications and is an ISSA Distinguished Fellow.