Last week a security report went out that highlighted the industries most commonly targeted by attackers. An article from SCMagazine explains that the retail industry made up forty-five percent of the investigations conducted into data breaches. E-commerce transactions were noted as being especially troublesome. This was followed closely by the food-service industry.
The logic behind these industries having so much security trouble isn't particularly hard to follow: they're easy to hit and can offer a huge payout for attackers. The sheer volume of credit card numbers being used on e-commerce websites is staggering, and growing day by day. On top of that, many companies are found to have inadequate safeguards in place to keep the data secure.
So, what is an e-commerce merchant to do? Well, for starters, if you're transmitting, storing, or processing cardholder data, you need to be PCI compliant. Within these standards is the use of a WAF in front of public-facing web applications, file-integrity monitoring to detect tampering with information, and encryption across open, public networks to ensure the safety of customer card data. This is just the tip of the compliance iceberg: there are hundreds of sub-requirements that need to be addressed. With so many guidelines to parse through, it can be confusing for merchants, which makes outsourcing their hosting to a provider one of the most convenient (and oftentimes cost-effective) options.
Outsourcing to a hosting provider does not necessarily come without concerns. Not every vendor is the same. Putting blind trust in a hosting provider without doing the due diligence to ensure that the provider and their solutions are compliant could mean the loss of your card processing, and steep fines. Getting the hosting provider's Report on Compliance (ROC) pulls back the curtain to help you understand exactly what's going to be happening to your data, and whether or not it's safe. This transparency also helps establish the trust you'll need to have in your hosting provider in order to have an effective partnership on the road to compliance.
More PCI Reading:
Tackling PCI Compliance Challenges in the Cloud
In addition to defining PCI cloud hosting providers' roles and responsibilities when it comes to achieving compliance in conjunction with clients/merchants, the recently released PCI DSS Cloud Computing Guidelines from the PCI Security Standards Council also cover a few examples of compliance challenges that may arise.
Understanding Big PCI Pitfalls
PCI DSS (Payment Card Industry Data Security Standard) compliance is important to any company processing, storing, or transmitting cardholder data. However, its 12 security requirements are complex (each requirement is broken down into many sub-categories, so that at the end of the day there are over 200 points to consider) and technical, causing many companies to stumble when working towards compliance.