PCI Compliance War Stories
I was with a friend the other day at a bar and he offered to pay for the round. This was a monumental moment as he has long pockets and short arms (meaning he doesn’t normally pay for anything!).
It was at the point of paying that he said to the barman “I’ll pay contactless…” (Nothing new there). But then he simply tapped his finger against the payment machine. The machine went blink! And so did I.
“What WAS that?” I exclaimed.
“Oh this… it’s a Smart Ring. Yeah. Got it for Christmas. Don’t need cards anymore.”
“Wow! Tell me how it works.”
What followed was a bit of a geek fest focused on smart tech, mixed with a nostalgic discussion of devices we no longer see or use (are there any LaserDiscs anymore?). But it got us thinking about the evolution of technology, and about technology that is replacing everyday things like credit and debit cards. Will these vanish from our wallets in the coming years? Who knows?
There are currently around 164 million credit cards in the UK, which sounds a lot, and we've certainly come a long way since the first credit card was created in 1950 (for the Diners Club in the US). Now we can pay for our goods using phones, watches and, now, rings.
But what hasn't changed is the function they provide: to facilitate an exchange of money for goods and services. It is in this changing landscape that the Payment Card Industry Data Security Standard (PCI DSS) was born, in December 2004. PCI DSS sets out the security requirements that every organisation storing, processing or transmitting cardholder data must meet. But you knew that already, right?
If you're in business taking credit or debit card payments then you are bound by PCI DSS. It is beyond this blog to discuss what PCI DSS is all about, but if you're interested you can come along and hear me speak at the PCI London event on the 24th January. You'll hear a lot about PCI and what you need to do to comply with the standard. It's set to be a great event. But I'm worried that those who NEED to be there won't be.
I will be there recounting a few war stories we've picked up over the years, where organisations haven't done the bare minimum to protect data which is clearly very sensitive (if you don't agree that credit card details are important, please paste your credit card number in the comments section of any post on LinkedIn).
For example we’ve…
- Visited businesses where credit card details are written on sheets of paper and left out for all to see, including those standing at the bus stop right outside the window.
- Seen a business take a significant hit to its reputation because hand-written credit card details were thrown in a skip, and then, thanks to high winds, ended up scattered over half an acre of car park.
- Bought second-hand hard drives off the internet and recovered credit card information from them.
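Recovering cardholder data from a second-hand drive, as in the last story above, is exactly what a card-data discovery scan does, and it is the check a QSA will expect you to be able to run over your own file shares, backups and decommissioned disks. The following is an added example (my own code, not the post's or Agenci's): a scanner that finds 13 to 19 digit runs in raw bytes, keeps only those passing the Luhn check that every real PAN satisfies, masks them to the first six and last four digits that PCI DSS allows to be displayed, and reads large images chunk by chunk. The sample bytes, the chunk size and the overlap handling are constructed for illustration; the test PANs used are the well-known Visa and Mastercard test numbers, not real cards.

```python
"""Card-data discovery over raw bytes (e.g. an image of a second-hand disk).

Added example, not from the original post. The sample data is constructed.
"""
import io
import re
from typing import BinaryIO, List, Tuple

# Constructed sample standing in for a chunk read from a recovered drive.
# 4111 1111 1111 1111 and 5555555555554444 are well-known test PANs that pass
# the Luhn check; the third number and the 16-digit timestamp do not.
SAMPLE_BYTES = (
    b"order 1042 card 4111 1111 1111 1111 exp 12/21 cvv 123\n"
    b"order 1043 card 4111-1111-1111-1112 exp 01/22\n"
    b"logged at 2019012412000000 by till 07\n"
    b"\x00\x00MC 5555555555554444\x00\x00\n"
)

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run (so a 20-digit serial number is rejected).
PAN_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

Hit = Tuple[int, int, str]  # (start offset, end offset, masked PAN)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every real PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show at most the first six and last four digits (PCI DSS masking rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(blob: bytes) -> List[Hit]:
    """Return Luhn-valid PAN candidates found in an in-memory blob."""
    hits: List[Hit] = []
    for m in PAN_CANDIDATE.finditer(blob):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if luhn_ok(digits):
            hits.append((m.start(), m.end(), mask_pan(digits)))
    return hits


def scan_stream(stream: BinaryIO, chunk_size: int = 1 << 20, overlap: int = 40) -> List[Hit]:
    """Scan an arbitrarily large stream chunk by chunk.

    Each chunk is prefixed with the tail of the previous one so a PAN split
    across a boundary is still seen whole. The lookaround guards in the regex
    cannot be trusted at the artificial edges of the buffer, so a match that
    starts at the carried-over prefix or touches the end of the buffer (while
    more data follows) is deferred; it is seen whole in an adjacent pass.
    """
    hits: List[Hit] = []
    seen = set()
    carry = b""
    consumed = 0                            # stream bytes read before this chunk
    chunk = stream.read(chunk_size)
    while chunk:
        nxt = stream.read(chunk_size)       # look ahead so we know when EOF is real
        buf = carry + chunk
        base = consumed - len(carry)        # stream offset of buf[0]
        for start, end, masked in find_pans(buf):
            if start == 0 and carry:        # cut at the carry boundary, not a real start
                continue
            if end == len(buf) and nxt:     # may continue into the next chunk
                continue
            if base + start not in seen:
                seen.add(base + start)
                hits.append((base + start, base + end, masked))
        carry = buf[-overlap:]
        consumed += len(chunk)
        chunk = nxt
    return hits


def scan_bytes_chunked(blob: bytes, chunk_size: int) -> List[Hit]:
    """Convenience wrapper: run scan_stream over an in-memory blob."""
    return scan_stream(io.BytesIO(blob), chunk_size=chunk_size)


if __name__ == "__main__":
    for start, end, masked in scan_bytes_chunked(SAMPLE_BYTES, chunk_size=20):
        print(f"offset {start:6d}: {masked}")
```

Run against a real image you would pass `open("/dev/sdX", "rb")` or a raw `dd` image to `scan_stream`; on the constructed sample it reports the two valid test PANs and ignores the Luhn-failing number and the timestamp. Two caveats a practitioner should keep in mind: the Luhn check removes most false positives but not all (roughly one random digit run in ten passes it), and data that has been compressed or encrypted on disk will not be found this way, which is exactly why it is the plaintext copies on paper, in spreadsheets and on discarded drives that cause the breaches in these stories.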
As information security consultants we've …
- Audited companies that do not have up-to-date malware protection
- Found firewalls that were never properly configured
- Found no information security policies in place at all.
Any of the above is enough to bring your average PCI QSA out in a cold sweat. But this is OUR experience. You've probably got your own stories too. I'd love to hear them.
But where is all this heading? How will PCI DSS evolve? Will it keep pace with technology that is changing every day? I hope so, because it needs to. Our technology is evolving. Our standards are evolving. But is our thinking evolving too? Because it needs to.
One ring to rule them all.
One ring to debit them.
One ring to fine them all,
and in the darkness … scam them!
See you at PCI London on 24th January 2019.
Gary Hibberd will be speaking at the PCI London conference in London.
Topic - PCI Compliance War Stories
- V for Vulnerability – How do you know where you are most vulnerable? It might not be where you think
- We can do IT – Why IT is important, but not the whole story in your PCI DSS armoury
- Keep Calm and Carry on – How to respond effectively when bad things happen
- Loose lips, sink chips – What Policies should look like to improve security
- Your Company Needs You – The importance of engaging the whole organisation in protecting it.
Agenci Information Security is responsible for protecting businesses from cyber threats, cyber-attacks, internal threats and business outages. Agenci Information Security ensures clients' systems are secure and provides peace of mind through a range of proven specialist information security solutions.
Please contact us here to speak to a member of our team