PCI, the guardian of payments

At the beginning of the 21st century, card brands developed their own security programs to curb the high rates of fraud that occurred in the payment card industry (Payment Card Industry). The lack of homogeneity in them resulted in distrustful users and frustrated businesses in the face of inefficient control methods. In 2006, five large companies – VISA, MasterCard, American Express, Discover Financial Services and JCB International – decided to form a council that would develop a decalogue of security rules for this type of payment. What we know today as the PCI Security Standards Council was born, the global forum that contributes to developing, disseminating and understanding payment data security standards.

In the almost 14 years that it has been in force, no merchant in compliance with PCI DSS has had their data compromised. This has been one of the most relevant conclusions presented at the twelfth European Community Meeting held in Dublin, the event I attended on behalf of Necomplus and which annually addresses the most relevant aspects of the present and future of payment security in the world. Specifically, the experts delved into the threats that lie in wait for payments, but also about the new technological solutions and the applicable regulations to combat them. This article exposes the causes that motivate security breaches in businesses, with special emphasis on those that derive from new technologies.

More payment channels vs more vulnerability

There is no doubt that new technologies are changing the rules of the game: e-commerce, cloud services, mobile payments provide new opportunities for growth, but it is no less true that these have brought with them security risks. Let’s imagine a long line of thugs trying to force the door of our house. This is precisely the scenario in the digital world, where we expose ourselves to continuous cyber attacks without knowing it. It is at this point that PCI makes sense and becomes an irreplaceable ally. What can merchants do to minimize risks? Well, although they seem obvious, comply with the basic measures described below.

Three simple tips that will help us be more protected

• First of all, something as simple as a software update. Keeping operating systems and antivirus updated shields us against attacks aimed at vulnerabilities in our environment.
• Next, another of the essential measures is to carry out an exhaustive access control. To do this, we will avoid replicating the same username and password to log in, both on different devices and applications. Only in this way will we monitor individualized access to our system. In the same way, and fully current in the payment sector thanks to PSD2, it is recommended to add a second authentication in the most sensitive systems of our company. The truth is that we have already normalized having to insert some type of code or PIN to continue a procedure.
• Lastly, it is just as important to ensure access as it is to monitor who is using it and what it is using. It should be standard practice to generate a log with details of each access, including failed attempts. Only then will we get the behavioral flow of what is happening at the heart of our system.

A security standard for present and future

PCI covers much more than these three basic protection rules. It is the standard that reduces the risk of transaction data and guarantees that merchants are not victims of compromised situations. PCI managers need to help achieve compliance in a very dynamic digital environment, which means keeping an eye on new trends. The new version 4.0 of PCI DSS is expected to be published at the end of 2020, which will be the common thread of the Council meeting in Nice. New technological and security challenges are ahead, so all those involved must be an active part of this community, whose objective is to achieve the safest possible scenario.

Abstract vector created by katemangostar – www.freepik.es