Credit card data theft is at a monumental high, wreaking havoc not just on credit card companies and consumers, but the businesses and organizations that accept credit cards. It’s not hard to understand why. Personal Identifiable Information (PII) and Payment Card Information (PCI), even if just in storage, can leak, especially when data is activated, run through apps and processed, making it even more vulnerable. The Insurance Information Institute reports:

  • According to 2018 Identity Fraud: Fraud Enters a New Era of Complexity from Javelin Strategy & Research, in 2017, there were 16.7 million victims of identity fraud, a record high that followed a previous record the year before.
  • Of the 2.7 million identity theft and fraud reports received in 2017, 1.1 million were fraud-related, costing consumers almost $905 million.
  • The median amount consumers paid in these cases was $429.
  • Within the fraud category, imposter scams were the most reported and ranked first among the top 10 fraud categories identified by the FTC. They accounted for $328 million in losses.
  • In 2017, 14 percent of all complaints were related to identity theft. Identity theft complaints were the third most reported to the FTC and had increased almost 70 percent from 2013 to 2015 but fell about 24 percent from 2015 to 2017.
  • Credit card fraud was the most reported incident to the Consumer Sentinel Network, with 133,000 reports.

While cybersecurity is a shared responsibility, the onus lies heavily on the company accepting credit card payments to ensure the safety of the consumer’s information. Hence, the Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that accepts credit cards. Fail to meet the standards as a business and you could be looking at hefty fines, reputation disaster and liability. McAfee reports that, “In the case of Target, a major breach of cardholder data damaged the company’s reputation so badly with consumers that its profit dropped 46 percent, resulting in the company‘s CIO and CEO resigning.”

It is important to understand that PCI DSS is not a government regulation. However, Visa, MasterCard, and American Express, among others, require compliance.

The PCI standard is divided into 12 requirements, each of which contains detailed sub requirements.

McAfee says, “All companies handling payment card information need to be PCI compliant, but companies with more than 20,000 transactions per year must also get third party validation of compliance. In this case, your company needs to hire Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) to perform validation.”

CASBs help companies comply with PCI DSS

Enter your cloud access security broker (CASB). According to Gartner, a CASB can “enable organizations to track user behavior, apply consistent security policies across multiple applications and enforce policies (e.g., session termination) in the event applications are misused.” CASB vendors are called upon to handle risks, regulatory compliance and security policies.

McAfee says a CASB may monitor user activity across desktop and mobile devices. It may provide integration with other solutions, too, such as data loss prevention (DLP), user and entity behavior analytics (UEBA), authentication and single sign-on, threat intelligence, encryption, web security, application firewalls, email providers, and more.

A CASB can provide services like encryption, tokenization, data loss prevention, and access controls. To get the right services, though, you need to know how your data—and that of your clients—is being stored and used. While it does not endorse vendors, Gartner evaluates the top thirteen CASB vendors based on what they describe as the ability to execute and completeness of vision.

Don’t wait for a breach. You should be able to answer the following, at a minimum:

  • Where and how is my data being stored and used?
  • What is happening to my client’s data when I use X app?
  • What do I need to do to be PCI DSS compliant?
  • How much is my company at risk for a data breach?
  • Where do I begin? Or, am I doing enough?

If you are mired in doubt, don’t wait to get the answers you need. We have the consultants, analysts, engineers and partners to ensure you are in compliance, protecting data to the extent it should be. Reach out to an ECS expert today

About ECS

ECS, a segment of ASGN, delivers advanced solutions and services in cloud, cybersecurity, artificial intelligence (AI), machine learning (ML), application and IT modernization, and science and engineering. The company solves critical, complex challenges for customers across the U.S. public sector, defense, intelligence, and commercial industries. ECS maintains partnerships with leading cloud, cybersecurity, and AI/ML providers and holds specialized certifications in their technologies. Headquartered in Fairfax, Virginia, ECS has more than 2,400 employees throughout the U.S. and has been recognized as a Top Workplace by The Washington Post for five years in a row.

WE'RE HIRING