Personally identifiable financial information (PIFI) moves across networks in massive quantities every second of the day. As soon as a customer swipes a credit card or enters card details online, that data is in transit and exposed to anyone who can intercept or breach the systems handling it. Enter mandates like the Payment Card Industry Data Security Standard (PCI DSS), an industry standard established to protect cardholder data from increasingly sophisticated cyberthreats.
Participants in SearchCompliance's recent #GRCChat agreed that, while a solid foundation, PCI DSS compliance alone isn't enough to ensure payment card security, as evidenced by the recent string of high-profile retail data breaches. And with the growing adoption of mobile payment tools like Apple Pay, mobile payment security is getting even more complicated; witness the recent CurrentC breach.
Here, editors and fellow tweeters discuss the challenges that accompany mobile payment applications and how to appropriately augment PCI DSS compliance regulations.
How can companies build on PCI DSS processes to protect customer data and assess vulnerabilities?
Taking charge of your enterprise's strategy for payment card information means going beyond the minimum PCI DSS requirements. It demands constant vigilance and the day-to-day application of information security best practices:
A4 constant checking/monitoring of their security systems, regardless of how up to date, can't hurt #grcchat -- Fran Sales (@Fran_S_TT) October 16, 2014
Security strategies should be applied mindfully, one participant noted: customer convenience matters a great deal, and layering on multiple -- and, in some cases, duplicative -- security measures may push customers away, negating any gain from the added protection.
Another participant pointed to the necessity of treating PIFI more carefully than other organizational data:
A prob with many systems: ecommerce architects treat PII as "just more data". One academic proposes treating PII as "toxic" #grcchat -- knowlengr (@knowlengr) October 16, 2014
How will mobile payment tools complicate PCI DSS and customer data protection efforts?
When it comes to mobile payment applications, it can be a case of convenience vs. compliance. Participants were quick to point out compliance pros and cons when payment technologies go mobile, the risk introduced by third-party services, and the potential for unforeseen security holes:
A5 Some claim Apple Pay will help merchants with PCI compliance/security: Removes some data security responsibility from them #GRCchat -- Ben Cole (@BenjaminCole11) October 16, 2014
A5 Apple pay also has two factor authentication and tokenization- still not infallible but good start to ensure security #GRCchat -- Ben Cole (@BenjaminCole11) October 16, 2014
A5 When 3rd\4th\5th party enters the equation, risk increases. What risks are you bringing to the table that I can't control? #grcchat -- Matt (@Matt_ITSecurity) October 16, 2014
Tokenization, the process of replacing the card's primary account number (PAN) with a surrogate value that is useless to anyone who cannot reach the system that issued it, is one of Apple Pay's highlighted features, but it is not a complete security answer. Tokenization shrinks a merchant's PCI scope rather than eliminating it: the token vault and any system that can detokenize remain in scope and become the high-value target. As participants discussed, other measures, like audits and penetration testing (which PCI DSS already calls for under Requirement 11), can help remove some of the unknowns in mobile payment:
A5 Newer platforms like Apple Pay need to be thought of as fresh attack vectors needing pen testing. Can PCIDSS help there? #grcchat -- knowlengr (@knowlengr) October 16, 2014
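To make the tokenization point above concrete, here is an added example in Python; it is not code from the article, from any #GRCChat participant, or from Apple Pay. It contrasts the anti-pattern of hashing a PAN and calling the digest a "token" (reversible by brute force once the BIN and last four digits are known, which receipts and logs routinely expose) with a random, vault-backed token that carries no information about the PAN. The 16-digit PAN, the 6-digit BIN and the in-memory dictionary standing in for the vault are constructed assumptions.

```python
"""Toy tokenization service (added example, not from the article or Apple Pay).

Assumptions: 16-digit PANs, a 6-digit BIN, and an in-memory dict as the
"vault". The sample PAN 4111111111111111 is a constructed test number.
"""
import hashlib
import secrets
from typing import Dict, Optional


def luhn_check_digit(partial: str) -> int:
    """Return the check digit that makes `partial` + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # rightmost partial digit sits next to the check digit, so it is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True if `number` (digits only, check digit last) passes the Luhn test."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == int(number[-1])


# --- Anti-pattern: an unsalted hash of the PAN presented as a "token" -------
def insecure_hash_token(pan: str) -> str:
    """Deterministic SHA-256 of the PAN. Looks opaque; is not."""
    return hashlib.sha256(pan.encode()).hexdigest()


def brute_force_hash_token(token: str, bin6: str, last4: str) -> Optional[str]:
    """Recover the PAN behind a hash 'token' given its BIN and last four digits.

    Only the six middle digits are unknown, so at most 10**6 hashes are
    needed, which takes seconds on a laptop.
    """
    for middle in range(10 ** 6):
        candidate = f"{bin6}{middle:06d}{last4}"
        if hashlib.sha256(candidate.encode()).hexdigest() == token:
            return candidate
    return None


# --- Vault-backed tokenization -------------------------------------------
class TokenVault:
    """Minimal token vault. The PAN exists only here; every other system stores
    and passes the token, which is what takes them out of scope for storing
    cardholder data. The vault itself stays firmly in PCI scope."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if len(pan) != 16 or not luhn_valid(pan):
            raise ValueError("not a plausible 16-digit PAN")
        if pan in self._token_by_pan:
            # Same PAN -> same token, so a merchant can still spot repeat customers.
            return self._token_by_pan[pan]
        while True:
            # 12 random digits from a CSPRNG, last 4 of the PAN kept for receipts.
            token = f"{secrets.randbelow(10 ** 12):012d}" + pan[-4:]
            # Deliberately reject tokens that would pass Luhn, so a token can
            # never be mistaken for a real card number; also reject collisions.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map back; holding the token alone reveals nothing."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed sample PAN
    weak = insecure_hash_token(pan)
    print("hash 'token' reversed to:", brute_force_hash_token(weak, pan[:6], pan[-4:]))
    vault = TokenVault()
    tok = vault.tokenize(pan)
    print("vault token:", tok, "passes Luhn:", luhn_valid(tok))
    print("detokenized:", vault.detokenize(tok))
```

The brute-force function is the caveat in code form: a hash of a PAN is not a token, because the PAN space behind a known BIN and last four is tiny. A real token service adds what this toy omits, such as binding each token to a merchant or device (Apple Pay's device account number lives in the phone's Secure Element) so a stolen token cannot simply be replayed elsewhere.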
Do you think new mobile payment applications are opening up a whole new world of PCI DSS compliance challenges? Let us know in the comments below.
For more on PCI DSS requirements, see our first recap from this chat. Then head over to SearchSecurity to learn more about the challenges of mobile payment applications and ongoing mobile security concerns.