Think about how many times each day you pull a credit or debit card out of your wallet to pay for gas, groceries, a cup of coffee, or a new pair of shoes. Now, think about how many times each week you make online purchases. If you’re a frequent shopper on a particular website, you may have saved your credit card information on the website.
These behaviours are pretty common and illustrate the point that credit card data is everywhere … on company networks anywhere around the world … right this very minute. And hackers are working diligently to get their hands on that data.
Over the past few years there have been several news stories about major retailer data breaches, which became a huge wake-up call for company executives. The companies that were targeted had to spend millions of dollars replacing customers’ store credit cards. For some, stock prices took a nosedive, and the company also had to deal with the very public fallout, both from a PR perspective and, even more importantly, from the loss of customer trust.
You may think that your company isn’t at risk of a credit card data breach for a variety of reasons, but the reality is, any company that uses credit or debit card transactions is at risk for a data security breach.
What steps can your company take to protect your customer payment card data?
First, ensure that your organization is compliant with payment card industry (PCI) standards for data security. The PCI Security Standards Council has outlined very specific regulations and best practices to help businesses store, process, transmit, and protect consumer credit card data. Large organizations may have an entire department devoted to PCI compliance with regular data audits, network monitoring and testing programs, IT security policies, and vulnerability plans. Smaller organizations may not have a team of people specifically overseeing PCI compliance, but it should still be a top priority to avoid damaging and costly liabilities.
Here are a few questions to think about as you determine if your company is PCI compliant:
- Are you tracking and monitoring all access to your network resources that are connected to cardholder data?
- Have you created a PCI zone?
- Have you identified and implemented specific controls to ensure the security of your systems?
- Do you regularly test your network security systems?
- Do you have a plan to conduct internal PCI data audits?
Second, don’t assume that because your company is PCI compliant, you’re safe from a data breach. PCI compliance should be your baseline for credit card data protection, but it doesn’t cover all potential security issues. To truly become secure, you should examine your network to find vulnerability gaps, and you should take steps to fill any gaps to make sure it’s as secure as possible. These questions are often overlooked when performing a data security gap analysis:
- Are you maintaining DNS and DHCP logs as part of your PCI compliance program?
- Do the logs provide sufficient audit details, such as time and date stamps?
- How and where are you storing these logs?
- Is your stored DNS and DHCP data encrypted?
- Do you have a process for reviewing the security logs to look for abnormal patterns or behaviors?
If you need help ensuring that your network is PCI compliant or if you want to boost your network security beyond the regulations of PCI compliance, BlueCat can help you. We offer robust threat protection solutions, such as:
- BlueCat IPAM, which gives you complete visibility and control over your IP address management data by tracking the movement of devices and network resources, as well as the discovery of unknown devices.
- BlueCat DNS Security™, which provides visibility into every device on your network to help spot inappropriate behavior before it becomes a major data breach.
PCI compliance is the baseline for payment card data protection; no matter the size of your organization, it should be a top priority to avoid the costly liabilities and reputational damage associated with a data breach. Moreover, your company should continuously strive to find and fill vulnerability gaps in order to keep your network secure.
 LEGAL DISCLAIMER: The information contained in this post is provided as-is and for general purposes of interest only. This post does not contain legal advice and is only intended to provide general guidance on PCI compliance. While we have attempted to ensure that the information has been obtained from reliable sources, BlueCat is not responsible for the accuracy of this information or for the results obtained from the use of this information. In no event will BlueCat, or its affiliates, be liable for any damages or losses resulting from the use of information in this post.