Breach, Threat Management, Data Security, Encryption, Incident Response, TDR

Enterprises need a culture of cybersecurity, says PCI Security Standards Council

Building a culture of cybersecurity within enterprises is essential in today's fast-paced world of online transactions, according to a blog post on the website of the PCI Security Standards Council.

"As long as there's money to be made, we can expect criminals to continue their attacks on businesses worldwide," wrote Lindsay Goodspeed, a communications specialist for the organization that develops and maintains security standards for account data protection.

With cybercrime ringing up charges of nearly $3 trillion a year, it's imperative for organizations both big and small to prioritize security at every level, particularly those businesses which handle cardholder data, she said.

Pointing out that cybercriminals go after low-hanging fruit – anything from static passwords, software that has not been updated or phishing scams – workers need to be educated in security basics. That pertains not just to those who handle cardholder data, but to everyone in the organization, she said.

It's a constant battle against an adversary who is not taking any time off. It is therefore vital that everyone involved in security processes at your organization be alert at all times, Goodspeed said. "Prioritize your efforts to reduce risk and increase security, every day, year-round, not just at assessment time."  

Technology is the way to achieve these goals, she added, as today's solutions can render data worthless to miscreants attempting to siphon off account data to subsequently sell on the criminal marketplace. A combination of EMV chip technology, tokenization and point-to-point encryption are the tried-and-true methods to defend your systems. If these strategies are in place, she wrote, even should an incursion penetrate your networks, the data will be in a form worthless to the cyber pirates.

"The importance of creating a culture of cybersecurity cannot be understated, which is why the latest version of the Data Security Standards requires that organizations establish responsibility for the protection of cardholder data and the PCI DSS compliance program at the executive management level," said Goodspeed. "A layered approach to security will better protect your customer's cardholder data."

The timeliness of this message could not be more pertinent coming as it does on the heels of new legislation proposed for the European Union which would put in place regulatory fines in the case of data breaches of up to four percent of global turnover. This tally could max out to as much as £18 million pounds ($22 million) for an organization hit by a breach. With the imposition of new fines, the tally would increase from £1.4 billion ($1.7 billion) last year to £122 billion ($148.5 billion), the PCI reported.

"The new EU legislation will be an absolute game-changer for both large organizations and SMEs," Jeremy King, international director of the PCI Security Standards Council, said in a statement. "The regulator will be able to impose a stratospheric rise in penalties for security breaches, and it remains to be seen whether businesses facing these fines will be able to shoulder the costs."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.