What is PCI Compliance?

 

PCI compliance is a term that has been in the news a lot over the past couple years.  

 

But what is it?  

 

 

 

 

 

 

‘PCI Compliance’ or ‘PCI Security Compliance’ is Payment Card Industry Security Compliance.  It addresses any business that accepts credit card or debit card for payment, and is a standard that has emerged as the ‘bench test’ for whether or not your retail operations are a security risk for credit card information theft.

The rising incidence of stolen cardholder account data is a major concern for all businesses that accept payments by credit or debit card.  As a result of these thefts, merchants and financial institutions suffer fraud losses and unanticipated operational expenses, and consumers are inconvenienced significantly.  

 

What Does It Mean To Me?

If you collect or store credit card information, and if it is compromised, you may lose the ability to accept credit cards at your business, or you may face higher processing rates.  In the U.S., you may also be libel, not only for the credit card information compromised, but for non-compliance for new Security Awareness Training guidelines if your employees have had little or no security awareness training.  If you store credit or debit card information, no matter what country you are in, you are required to follow PA-DSS Compliant Applications (Payment Application – Data Security Standards)

To protect your business, your customers, and the integrity of the payment system, each of the card companies has in place a set of requirements governing the safekeeping of account information.  

• Install and maintain firewall to protect cardholder data.

• Do not use vendor-supplied default system passwords.

• Protect stored cardholder data.

• Encrypt transmission of cardholder data across network .

• Use and regularly update anti-virus software.

• Develop and maintain secure systems and applications.

• Regularly test security systems and processes.

• Maintain a policy that addresses information security.

 

There are 4 different levels of PCI Compliance, depending on the number of eCommerce and regular transactions your business does annually.

 

 

 

 

 

 

To check if you are following the compliance standards, visit the PCI Security Standards Council – the organization that manages these standards.  This is an excellent website that also allows you to perform a self-assessment.  

So that covers the legalities of the electronic safekeeping of your information.

 

But..

Being PCI Compliant Does Not Ensure Safety

To rely solely on the PCI DSS checklists to secure cardholder data is similar to a pilot relying only on the pre-flight checklist before takeoff, then colliding with another plane during takeoff.

In reality, the goal of effective security controls is to prevent security breaches from occurring, and when they do, allow quick detection and recovery.

This requires not only following a checklist, but understanding the organization’s compliance and security objectives, understanding what the top risks to achieving those objective are, having adequate situational awareness to identify where you need controls to mitigate those risks, and then implement and monitoring the correct production controls.  

 

The Human Factor 

The U.S. Department of Health and Services has stated that bad or no security awareness training is a main cause of compliance failures.  This is true not only for health care, but all industries such as banking, finance, manufacturing, and technology.

Your employees are your company’s biggest asset.  They can also be your company’s weakest link.

Trend Micro reports that 91% of successful data breaches started with a spear-phishing attack.

Make sure your employees are up-to-date in their security awareness training.

 

Don’t Know What to Look For In Suspicious Emails:  http://tbyd.ca/email-red-flags/

For all the latest virus/malware alerts go to:  http://tbyd.ca/category/alerts/

Got Bugs In Your System?

Call 1-204-800-3166

For Cyber-Extermination!

March 31st is:

 World Backup Day

 

83% of us own a computer.    89% own a mobile phone.

But only 1 in 4 people make regular backups of their data.

 

 

 

Think You’re Safe?  THINK AGAIN!

 

 

•  6% of all PCs will suffer data loss in any given year.  This equals 4.6 million PCs that suffer data loss every year.
• 60% of companies that lost their data for any amount of time, SHUT DOWN within 6 months of the loss.
• 93% of companies that lost their data for 10 days or more, filed for bankruptcy within 1 year of the loss.
  

  ---

What Is A Backup?

It’s a separate copy of your important photos and documents.

So if something happens to your computer or mobile phone, your photos and information are completely safe.

Losing Your Data Is More Common Than You Think:

• More than 60,000,000 computers will fail this year.
• More then 200,000 smartphones are lost or stolen every year.

That’s countless documents and treasured memories DESTROYED.

If something went wrong today, what would you lose forever?

 

Go To worldbackupday.com to take

The World Backup Day Pledge:

“I solemnly swear to backup my important documents and precious memories on March 31st.”

 

“I will also tell my friends and family about World Backup Day – friends don’t let friends go without a backup.”

---

9 Questions You MUST Ask Yourself When Planning a Backup Strategy*

It takes time to create and implement a backup and recovery plan.  You need to figure out what data is important and needs to be backed up, how often the data should be backed up, and more.

To help you create a plan, consider the following questions:

 

1.  How important or sensitive is the data on your systems?

The importance of data can go a long way toward helping you determine if you need to back it up – as well as when and how it should be backed up.

For critical data, such as a database, you’ll want to have redundant backup sets that extend back for several backup periods.

For sensitive data, you’ll want to ensure that backup data is physically secure or encrypted.

For less important data, such as daily user files, you won’t need such an elaborate backup plan, but you’ll need to backup the data regularly and ensure that the data can be recovered easily.

 

2.  What Type Of Information Does The Data Contain?

Data that doesn’t seem important to you, might be very important to someone else.

Thus, the type of information the data contains can help you determine if you need to backup the data – as well as when and how the data should be backed up.

 

3.  How Often Does The Data Change?

The frequency of change can affect your decision on how often the data should be backed up.

For example, data that changes daily should be backed up daily.

 

4.  Can You Supplement Backups With Shadow Copies?

Shadow copies are point-in-time copies of documents in shared folders.

These point-in-time copies make recovering documents easy, because you can easily go back to an older version in case a document is deleted or overwritten accidentally.

You should use shadow copies in addition to standard backup – not to replace backup procedures.

 

5.  How Quickly Do You Need To Recover The Data?

Time is an important factor in creating a backup plan.

For critical systems, you might need to get back online swiftly.

To do this, you might need to alter your backup plan.

 

6.  Do You Have The Equipment To Perform Backups?

You must have the backup hardware to perform backups.

To perform timely backups, you will need the proper equipment, and the proper expertise.

We recommend a minimum of 3TB external hard drive per computer, plus a separate 3TB external hard drive for each server.  However, each business is different and has its individual needs.

Call Technology by Design at 1-204-800-3166

for a free estimate.

 

7.  Who will be responsible for the backup and recovery plan?

Often, businesses opt to save money and perform the backups themselves.

However, only 20% actually do the backups correctly and on time.

Call TbyD for a free estimate on your

personalized Managed Backup and Recovery Plan.

Choose 1 person at your organization to be a primary contact for the organization’s Backup and Recovery Plan.

 

8.  What’s The Best Time To Schedule Backups?

Scheduling backups when system use is as low as possible, will speed up the backup process.

However, you can always schedule backups for off-peak hours.  Some workstations require up to hourly backups.

You need to carefully plan when key system data is backed up.

 

9.  Do You Need To Store Backups Off-Site?

Storing copies of backups off-site is essential to recovering your systems in the case of a local disaster (e.g. flood, fire, theft, etc.).

In your off-site storage location, you should also include copies of the software you might need to install to reestablish operational systems.

*Adapted from the Microsoft Press book “Microsoft Windows Server 2008 Administrator’s Pocket Consultant by William R. Stanek

---

 

 

Got Cyber-Bugs?

Call 1-204-800-3166

For Cyber-Extermination!

---

Stay Safe On Public HotSpots

 

Public Wi-Fi hotspots are everywhere.  Coffee shops, waiting rooms, highway rest stops, arenas, etc.  If there’s people sitting around, chances are, there’s free WiFi.

 

And wherever there’s free WiFi, there’s security risks.

 

Connecting your device, whether it be a laptop, tablet, or smartphone, to a public WiFi hotspot is a little bit like stepping off the curb without looking; it’s dangerous.  You could avoid connecting altogether, but that’s not an option when you’re on the road:  You need to get work done, communicate, and access the Web, and public WiFi may be the only option available.

There are undoubtedly some doubters out there who are thinking right now “I’ve been on public WiFi lots of times, and nothing bad ever happened.”  That may be true, but these days, blindly joining public WiFi hotspots is a little like playing Russian roulette.  Every day that passes, the tools that CyberCriminals use to snoop, swipe, and infect your systems get better, easier to use, and more automated.  If it only takes a few seconds for a data thief to break into your system and start wreaking havoc, then you need to spend a few minutes to make sure your defense shields are up.  And it’s easy enough that even someone that doesn’t know the hard drive from the floppy drive (Hint:  floppy drives don’t exist any more) can minimize their exposure to WiFi hotspot threats you’re likely to encounter.

1. Maintain Security Software.  This one should go without saying.  However, we run into people several times a day, that either do not have or do not have up-to-date security software.  Security software is typically pretty good at preventing unauthorized users from accessing your system, notifying you of the presence of infected files, and removing harmful link and malware.  Make sure you have antivirus, anti-malware, and firewall utilities.  Windows comes with firewall software enabled by default, but you may have to seek out third-party options for antivirus and anti-malware software.  For instructions on how to make sure your firewall is enabled in Windows7 click: HERE.  For instructions on how to make sure your firewall is enabled in Windows8 click:  HERE.  It’s also a good idea to make sure your device’s OS and other applications are up-to-date before you sign on to any public WiFi hotspot.
2. Don’t Share.  Never mind what Sesame Street taught you.  The first time you connect to any network, Windows asks if you’re connecting to a Home Network, Work Network, or Public Network.  Do yourself a favor and always select “Public Network” when connecting to a WiFi hotspot.  This ensures that your device is not visible to others using the hotspot, blocks malicious software, prevents access to the HomeGroup, and turns off network discovery.
3. Connect Manually.  Although doing so may seem tedious, make sure you’re manually connecting to hotspots every time.  Rogue hotspots hosted by CyberCriminals tend to use SSIDs (Service Set IDentifiers) that sound like they’re being hosted by a legitimate business.  You may be inside a Starbucks, but that doesn’t mean you should trust any available hotspot with the coffee shop’s name in the SSID.  Whenever possible, verify the hotspot’s SSID with an employee before signing on.
4. Choose Password-Protected SSIDs.  We know that the human instinct for immediate gratification is overwhelming.  It’s easiest to try the open networks before inquiring about a password to one of the closed ones.  But fight that urge.  Although password-protected networks aren’t inherently any safer, they can help you determine whether the network is hosted by the business, or a nearby data thief with a portable router.  
5. Practice Safe Surfing.  When you are connected to a public WiFi hotspot, avoid using e-commerce and banking sites, if possible.  If you must connect to these sites, make sure that no one else has a clear view of your device’s screen or keyboard while you enter usernames or passwords.  Also ensure that the sites on which you enter your information encrypt your data.  Remember that secured URLs begin with “https”.  When you are finished, log out of the site immediately.  

Following these easy steps for keeping your device (and information) secure, will go a long way to thwarting would-be WiFi hotspot hijackers.  Now you can connect with confidence.

 

Got Computer Bugs?

Call 1-204-800-3166

For Cyber-Extermination!