As technology becomes more advanced and sophisticated, crimes associated with fraud have increased exponentially. Many consumers have suffered as a result and have consequently become more cautious about inputting their personal data onto websites. This poses a challenge to businesses and highlights their responsibility towards ensuring they handle card payment procedures sensibly. Every merchant or payment service provider must be PCI compliant, which means adhering to the Payment Card Industry Data Security Standard (PCI DSS), the set of requirements outlined by the PCI Security Standards Council.

The requirements relevant to your specific business will depend on the number of processed transactions recorded per year. Both the administrative and technological departments within a business need to be aware of PCI compliance, and so you should work on incorporating instructions on how to comply with your company’s overall code of conduct.

Why is PCI compliance important?

Maintaining PCI compliance has many security benefits that contribute to the long-term success of all merchants who process card payments. Customers are, rightly, extremely protective over their personal information, and so they need to be able to trust businesses with their card payments. By committing to PCI compliance, organisations secure healthy and trustworthy payment card transactions for hundreds of millions of people worldwide. By adhering to the correct standards, businesses can be secure and confident that they’ll identify any threats and vulnerabilities that could impact the company quickly.

What happens if you aren’t compliant?

Technically, compliance with the standards for PCI DSS is not required by law in the UK. However, there are many financial costs associated with non-compliance, including fines set by the payment brand. These are called Card Scheme fines, which are passed to the acquirer and then to the merchant. These fines can be so great that merchants are forced to stop trading. The size of the fine will vary depending on the number of card transactions processed. It’s also important to note that data losses often involve the loss of personal data, which means breaching the Data Protection Act 1998. The Information Commissioner’s Office (ICO) has enforcement powers to impose fines of up to £500,000 for this.

As well as fines, there are many other costs associated with PCI non-compliance. For example, if you have suffered from data compromise, you are obligated to communicate with a PCI Forensic Investigator (PFI) in order to establish the source of the breach. This can cost thousands of pounds, which you will liable for if the investigator finds evidence of non-compliance. If your business fails to comply with PCI standards, you may also need to consider legal costs, fraud losses, card replacement costs and expensive forensic audits.

If your business becomes affiliated with failure to meet industry standards regarding PCI, customers will quickly lose confidence in your ability to protect their sensitive information. This results in diminished sales, as customers decide to go to more reliable merchants. It’s also important to note that businesses should take responsibility for PCI compliance out of ethical obligation, as well a means to control financial risks. You should not abuse the consumers’ trust and confidence, which means taking the necessary measures to protect their personal data. Therefore, whilst PCI compliance isn’t officially mandatory, you should regard compliance with the same level of responsibility and vigilance as you would a legal requirement.

Related Confidentiality Courses

Information security should be a top priority for all organisations. It involves protecting organisational data and optimising information systems. The purpose of information security is to prevent confidentiality breaches, data losses, inappropriate data deletion and inaccurate data production. The three fundamental bases of information security are represented in the CIA triad: confidentiality, integrity and availability. Put simply, confidentiality is limiting data access, integrity is ensuring your data is accurate, and availability is making sure it is accessible to those who need it. This triad can be used as a foundation to develop strong information security policies.
What is Confidentiality?
The principle of confidentiality involves restricting data access strictly to authorised personnel. Users have a responsibility to ensure they maintain secure access control systems, including both logical (e.g. PC passwords) and physical restrictions (e.g. ID cards). For this reason, it is important that all employees receive thorough training in information security awareness and best practices. It is important to limit data sharing and state availability restrictions so confidentiality is not inadvertently breached.
The importance of physical restrictions should not be underestimated. Remember, unwarranted access to your building can facilitate unauthorised data access. Door codes help to ensure your building remains secure. They should not be written down and staff should be vigilant in ensuring no one is watching or recording them input codes. Similarly, many organisations insist that their employees wear ID badges, this makes it easier to identify non-employees within your workplace. ID badges should be worn at all times within the workplace but never outside of work. Wearing them outside of work enables criminals to quote your details (e.g. name, position and organisation) in an attempt to gain access to your building. Areas containing particularly sensitive information can be protected by extra access restrictions e.g. an additional door code.
Passwords are another basic, yet vital, means of protecting your information. A strong password is at least 8 characters long, contains upper and lower case letters, numbers and special symbols. Passwords should never be shared (even with your colleagues or IT providers) and should be changed immediately if discovered. Changing your password regularly allows hackers less time to guess it and stops them from using your account if they have already obtained your password. You should change your password at least once every 90 days.

What is Integrity?
Upholding integrity means that measures are taken to ensure that data is kept accurate and up to date. The integrity of your data impacts how trustworthy and conscientious your organisation is. One of the eight Data Protection Principles (which are the foundations of the Data Protection Act 2018) is that data should be ‘kept accurate and up to date’. Users must make sure that they comply with their legal duties and fulfil this requirement. It can be useful to assign individuals specific roles and responsibilities regarding data integrity. This way employees cannot shelve the responsibility and expect someone else to pick up the slack.
What is Availability?
Availability means guaranteeing reliable access to information by authorised personnel. In order to be readily accessible, data must be stored in a logical yet secure system. High availability aids rapid business processing and ultimately benefits your organisation. It is every user’s responsibility to file desktop documents in a way that makes them easy to locate in the future. Similarly, paper copies should be filed securely and not left lying around.
Copies should be made to ensure important information is not irreversibly lost. Certain storage methods are more vulnerable to loss and theft than others. Information on portable storage devices, such a USBs, is particularly vulnerable. That’s why this information should be encrypted and backed up. Temporary displays (e.g. whiteboards and charts) are similarly vulnerable to prying eyes, and information recorded in this way should be transferred to a more permanent, confidential place at the earliest opportunity.
It is business owners’ responsibility to implement a thorough business contingency plan, allowing rapid disaster recovery. This ensures minimal disruption to service. Getting information systems up and running as soon as possible ensures that there is not an excessive interruption to information availability.
Data is often shared, not only within your organisation, but also to individuals outside of your organisation, such as customers, business partners and the general public. Emails are a quick and easy way of sharing data around the world, especially convenient when transferring big data sets. However, information sent over the internet can sometimes be intercepted and accessed by hackers, compromising confidentiality. Encrypting your information can make it harder for hackers to access, as without the decryption key the data will appear to be nonsense.
Why is the CIA Triad So Important?
Good information security practices protect the data subjects your organisations hold data about and the company’s assets. For instance, unauthorised access to personal data could result in identity theft, harm to individuals’ rights and freedoms and emotional damage.
As well as protecting data subjects, information security is crucial in protecting your organisation. Not only does it protect your business data from being exploited, it also shields you from the damaging repercussions of data breaches. Poor information security can result in: confidentiality breaches, data loss, data inaccuracies and wasted resources. This can culminate in massive reputational blows, along with disciplinary action if those involved acted mindlessly or if proper training was neglected to be offered. Possible disciplinary actions range from internal procedures to hefty fines and legal prosecution. Proper training for all staff members is essential in raising awareness of and properly implementing the information security principles.

Our control measure Courses

Card schemes are payment networks linked to credit and debit cards. By becoming members of card schemes, banks and other eligible financial institutions are able to issue cards operating on the network of the scheme. Examples of card schemes that operate in the United Kingdom (UK) include:

• American Express
• Maestro
• Mastercard
• Visa (including debit)

Card schemes play an important part in the card payment cycle. This cycle represents how cardholder data is stored, processed and transmitted in order for a transaction to go through. After the acquiring bank has connected and processed a transaction, the card scheme sends an authorisation request to the issuing bank. Once they’ve received a response, they send the information back to the acquiring bank. Therefore, card schemes are an essential component of successful transactions with a third party, such as a retailer.

When using an American Express card, however, the process is slightly different. American Express acts as the card scheme, issuer, and acquirer all at the same time. This means that there are no charges between the acquirer and the issuer. American Express earns most of its income from the discount fees charged to retailers who accept its cards. This is why some businesses refuse to accept American Express as a form of payment. Other credit card brands, such as Visa, generate revenues based on the number of transactions processed, whereas American Express can avoid issuers and acquirers because it earns discount fees directly from retailers.

What are card scheme responsibilities?

The Payment Card Industry Data Security Standard (PCI DSS) represents a set of requirements for any entity, including card schemes, that handle cardholder data. The PCI DSS is in place to protect client payment card data, as well as the profitability of organisations.

As part of the PCI DSS, card scheme responsibilities (American Express, Discover, JCB International, MasterCard and Visa) are:

• Tracking and enforcing PCI DSS compliance
• Setting validating and reporting requirements (each card scheme differs)
• Providing definitions of merchant and service provider levels
• Giving penalty, fee and compliance deadlines for any non-compliance identified as a result of audits and assessments
• Approving and posting compliant PIN and payment machine entries
• Setting guidelines for forensic investigations
• Responding to payment card data compromises at any time, as well as those identified as a result of audits and assessments
• Monitoring these payment card data compromises

The PCI Security Standards Council sets the payment card standards. With the main card schemes, the council provide tools to help with PCI DSS implementation, assist with education and awareness and approve Qualified Security Assessors (QSAs). Card schemes can also rely on the council to perform on-site PCI DSS assessments to ensure that organisations are following the relevant requirements.

Why are these responsibilities important?

There are many severe consequences associated with non-compliance with PCI DSS, which can impact customers, merchants, service providers and financial institutions. The responsibilities assigned to card schemes involve controlling businesses’ compliance with PCI DSS, with the overall objective of protecting personal data. It’s important for card schemes to execute these responsibilities effectively in order to keep consumers’ sensitive information safe and reduce the risks of substantial fines for companies. With poor adherence to PCI DSS, data breaches are far more likely to occur. If this incident arises, the financial penalties and consequent reputational damage caused to the organisation can result in them going out of business. It’s essential that card schemes manage these risks by monitoring the conduct of companies to ensure they’re behaving responsibly and respectfully towards their customers’ data.

The need to protect our personal information is just as much of a priority as protecting our physical possessions is. Information-system security, also known as ‘infosec’ refers to the process of protecting an organisation’s data, as well as the information it processes about customers, suppliers, and so on. The nature of organisational information means it could be seen as valuable to unauthorised people, such as cyber criminals/hackers. People like this collect information (e.g. email addresses and passwords) and can sell them on for money, or else use them for phishing scams, identity theft, and more.

Not only does information security refer to data stored on our devices such as office computers, but it also means protecting information in other forms such as telephone conversations.

Threats to information security can come from all angles. Cyber criminals are constantly developing new ways to catch us out so that they can access to information, harvest what is valuable, and use it for malicious purposes, such as reselling on the Dark Web. Trading sites on the Dark Web can attract up to 80,000 users at a time and are notoriously difficult to trace. Sites sell a range of products from credit card details, to identities, and stolen high-end goods.

Employees

Perhaps surprisingly, security threats can come from within an organisation rather than an outside source. This is because your employees serve as the frontline defence against data breaches and, as such, need an awareness about best practice and recognising/reporting suspicious behaviours. A lack of awareness training means that employees aren’t able to detect the threats that challenge them, and as a result the company is vulnerable to breaches.

Emails

Cyber criminals love emails because they can send malicious content directly to thousands of inboxes in seconds. If just one user in thousands clicks on and downloads the content of one of these emails, your entire network could be infected before you know it. Some software can even create a permanent, and hidden, entry point for hackers to come and go on your machines as they please.

Social Media

People share lots of information on social media, making the lives of hackers and impersonators easy when on the lookout for new victims. The informal nature of social media platforms means many people don’t view the information they share and make public as all that valuable – and people tend to have their guards down when it comes to using the sites. However, all it takes is one fake connection to send a malicious link or crack your password, and they could have access to your entire list of connections and control of your profile.

Poor Password Policies

The amount of passwords most of us have to recall now can cause people to resort to reusing some or even just one password for all our online accounts. Unfortunately, this is a big information security risk since, should one account be hacked, all your accounts become vulnerable to the same. Criminals use impressive software that can make millions of password attempts in seconds. Pair this with the fact that the most popular password out there is currently “password” (ironically), and you have a recipe for disaster. Remember, password managers can help you remember and secure strong passwords, as well as regularly update them to avoid hacking attempt.

Lack of Software Protection

Failing to use security software, such as antivirus and firewalls invites opportunistic cyber criminals to take advantage of the information stored on your digital devices. Whilst not a 100% guarantee of security, security software is a vital tool when it comes to keeping information secure and can deter criminals looking for easier prey.

Outdated Software

As stated above, the protection gained from the appropriate software means additional layers of security from cyber criminals, but how you look after this software is just as important. It’s imperative that all security software, as well as other software such as operating systems and apps, are updated when prompted. Your employees should know that that clicking ‘remind me later’ endlessly will lead to unnecessary risk.

Crime-as-a-Service

This refers to the change in working patterns of cyber criminals. Rather than a lone figure in a dark room, hacking and cyber theft are often organised groups of criminals. Hacking is no longer ‘just’ a hobby to cause chaos, the money on offer means that the whole process is much more sophisticated, and cyber criminals can make more money online that, say, drug trafficking or other more traditional organised crime activities.

Growing Connections

The more that something is shared, the more people can access it. Growing interest in things like social media, where the intent is to share information, mean that ‘going viral’ applies equally to malicious software and links as it does to the fun/interesting content we see. Additionally, the Internet of Things (IoT), or the way that devices are now made to connect with each other (such as your fridge texting your phone that you’ve run out of milk), all aim to connect devices for convenience. Unfortunately, this can mean that malicious content is no longer contained in one place, making it easier for hackers to find a weak link in the chain.

Portable Devices

Data breaches are a problem with USBs/phones/tablets as their portability means they are hard to track and manage – and easy to lose sight of. Personal or sensitive data stored on these devices should always be encrypted to protect it from unauthorised access, and USBs and CDs, etc. should be scanned for viruses prior to use.

Pretexting

This is the equivalent of someone impersonating a legitimate source over the phone in order to coax confidential information from you through building up trust (what is known as social engineering). Examples include impersonating your bank and pretending to require your PIN number. In instances like this, your card may have already been duplicated (perhaps via ATM scanning) and the PIN number or CVV code could mean that criminals can use it to purchase stolen goods or facilitate crime. Remember, if in doubt, hang up the phone and contact the organisation through their legitimate phone number to enquire.

Information security is about ensuring your information is properly protected and that your information systems function efficiently. The information security triad is built upon three principles: confidentiality, integrity and availability. Availability means ensuring data is ready for use by those who need it, which incorporates its recording and sharing. Data inevitably needs to be recorded for future reference and for processing. Often it will also need to be shared, frequently within your organisation, but also outside of your organisation, or even outside of the country. It is your responsibility to ensure that information is properly secured during these processes.

Recording information

Information can either be created or downloaded online. The process by which you record information must be tightly regulated and safeguarded in order to protect it. When recording information, it is good practice to know where the master version and subsequent copies will be stored and who they will be passed on to.

Employees should not use unsupported or unauthorised software on work machines as it puts the security of your IT systems at risk of infection. Use of untested software may ultimately stop your systems from working. Unofficial downloads may be accompanied by malware, consequently compromising your systems. It is important to stress that downloading and using unlicensed software is illegal. There is no justification for doing so and you may find yourself and your organisation the subjects of legal prosecution. Many organisations require admin-authorisation in order to download software onto work machines.

Any information that employees record on paper should be disposed of properly and confidentially once it is no longer required. Any sensitive and confidential information should be shredded in order to prevent unauthorised access and uphold individuals’ data rights. Similarly, paper copies should not be left lying around on desks or in copiers, instead they should be filed securely and appropriately or properly disposed of.

If information is only needed temporarily, it can be recorded on display materials, such as whiteboards. But you must ensure that no private or confidential information is recorded as it can be readily accessed by unauthorised eyes. Information should be removed from displays immediately when no longer required.

Sometimes employees will be required to record information that has been discussed in conversation. This should be done as soon as possible, while it is still fresh in your memory in order to be as accurate as possible. It is important to use a private meeting room when discussing sensitive and confidential information to ensure you are not overheard. It should not be discussed with anyone who is not entitled to have access to the information for professional reasons.

Sharing Information

Data may be shared with a variety of individuals, but most fall into one of the following categories: employees, customers, and the public. Data processors are organisations that process data on behalf of a data controller (the organisation that owns the data). When outsourcing data-processing to a third party, it is important to remember that the ultimate responsibility for the information remains with you, the data controller.

Within your organisation, information should only be shared with those who are entitled access to it. When sharing customer’s data, you must first issue a privacy policy notice outlining the way in which their data will be used and who it will be shared with.

A commonly used means of sharing electronic information is via email. However, this comes with its own set of risks. Hackers may intercept emails sent over the internet. Emailing information also makes it very easy to attach the wrong set of recipients, therefore allowing unauthorised individuals access to the information within your email. In August 2015, the holiday firm and household name, Thompson, mistakenly sent the details of nearly 500 customers to the wrong mailing list. Details included name, address, contact details, flight number and holiday dates. This data breach resulted in many holiday makers cancelling their holidays for fear of being burgled. Phishing emails, a method of social engineering, are another noteworthy threat. Social engineering is where criminals trick people into giving away useful information. In phishing scams, criminals pose as genuine individuals/businesses and mislead you into disclosing important information. Solid information security training allows your staff to remain vigilant to social engineering scams. Emails may also contain malware, such as viruses, that infect your system if opened, rendering your whole IT system vulnerable to attack.

When sending private and confidential information over email you should ensure your email is encrypted. This means that without the key to decrypt it, the recipient will receive a nonsense document. This overcomes the dilemma of sending an email to the wrong recipients. You must be sure that any emails you open are from genuine individuals, if you receive an unexpected email from an unknown address you are best not to open the email and instead report it to your manager or to IT support. This is to avoid falling for social engineering scams and to prevent malware from entering your systems.

Whilst many aspects of business have become governed by technology, a substantial proportion of correspondence still occurs via post. Whilst it may sound obvious, before sending information by post, it is crucial to double check the address. Frequently, pages are picked up together from the printer and recipients acquire the first page of whatever has been printed next. If this information is confidential you could find yourself suffering disciplinary action for a data breach. Therefore, you must ensure you include only the information you intend to. When sending information that is particularly sensitive it is advisable to explore protected ways in which it can be sent. For example, you might consider sending it recorded or special delivery or even with a courier.

Why is it Important to Implement Good Practices for Recording and Sharing Information?

Effective information security allows you to optimise your data and feel confident that your security risks are under control. It protects not only your own interests, but also those of your customers and all other individuals/organisations that you hold information about. This protection allows customers and partners to have trust in you and safeguards your reputation. As well as vitally upholding your reputation, information security ensures that you meet your legal and regulatory responsibilities. Poor information security, on the other hand, may result in data losses, confidentiality breaches, legal action, hefty fines and putting the affected individuals at risk.

It is essential that organisations are familiar with their legal requirements when it comes to data storage and access. The General Data Protection Regulation (GDPR) is an EU directive that regulates the handling of personal data. Fines for breaches may amount to €20 million, or more for organisations with large turnovers. Access restrictions differ dependent on the sector you operate in, for example, The Freedom of Information Act 2000 allows public access to information held by public authorities. Regulating storage and access permissions, and ensuring employees are aware of best practices, will help protect your organisation from damaging information security breaches.

Storage Principles

Given the technological world we live in, a large proportion of data is stored electronically. Consequently, it must be adequately protected to prevent data breaches. It is important to manage things like desktop files and data bases effectively, allowing them to be accessed quickly and easily by yourself and colleagues but maintaining the integrity of the data they hold. Remember, screens should never be left unlocked when unattended as unauthorised people could gain access to sensitive information stored on your PC if it is not encrypted.

Mobile devices such as laptops and phones are accompanied by an additional set of risks. Care must be taken when transporting mobile devices out of the office as they may be lost or stolen. Mobile devices should be kept on you whilst travelling, and extra care should be taken when using them, as this is a prime opportunity for theft. If any work devices are lost or stolen you should report the absence to your organisation immediately. Sensitive information should not be stored on laptops unless it is encrypted. Encryption means that, without possession of the specific key (an algorithm to reverse the encryption), the information is nonsense to anyone who attempts to access it. Laptops should not be lent to anyone who should not have access to the information it contains. Nor should they be connected to external data networks, unless they have recently been connected to the corporate server and had their security tools updated.

Paper or hard-copies are subject to data protection regulations just like electronic data, and should be treated accordingly. Important information should be filed properly into secure cabinets so it is safe but accessible by authorised personnel. Any paper-copies that contain sensitive information should be shredded as soon as they are no longer required and disposed of properly/recycled. You must make sure that no sensitive information is left lying around on desks or cabinets, some organisations ensure this through implementation of a ‘clean desk’ policy. Similarly, password protected photocopiers should be used and awareness about leaving papers in the copier/scanner raised, e.g. with office poster campaigns.

Portable storage devices (e.g. USBs and CDs) should be subject to increased levels of protection. They should not be taken out of the office without authorisation to do so. Again, given their portable nature, they can easily fall into the wrong hands or be misplaced. In order to minimise the chance of unauthorised data access, these devices should be stored in a secure place and files should be encrypted. Any information stored on portable storage devices should be backed up to a hard drive at the nearest opportunity. Due to the increased vulnerability when using these device, personal and sensitive information should not be stored on them unless strictly necessary. Portable storage devices should never be plugged into an unknown PC without a virus scan to ensure both devices are clean and free from malware. Plugging an infected portable device into a PC could result in the virus being spread to entire office networks.

A less permanent form of information storage is on temporary displays (e.g. posters and whiteboards). Information stored on whiteboards should be limited to what is strictly necessary and must not include any personal, sensitive or confidential information. Anything displayed on whiteboards should be accurate and must be removed as soon as possible.

Access Principles

The importance of simple measures designed to maintain the security of your office building should not be underestimated. Unauthorised access to your building could result in theft, release of stolen information, confidentiality breaches, risks to the privacy and safety of employees and customers, legal action, and disruption to business functions. Door codes or electronic fobs should be used to gain entry to the building and employees should be trained not to write the code down. Many organisations insist that employees wear ID cards. If implemented, these should be worn at all times within the building but never outside of work. If worn outside of work, criminals may quote your information (e.g. name, company and position) to gain access to the building. Two factor authentication can be implemented to add an additional layer of security, preventing unauthorised personnel from accessing information they shouldn’t. This is where users have to provide two things to gain access, normally something that they know (like a door code) and something that they have (like a fob).

Passwords are essential frontline access restriction tools. A strong password is at least eight characters long; contains upper and lower case letters; contains numbers and special characters and is not easy to guess. You should not share your password with anyone, even you manager, IT support and colleagues. If you disclose your password and crimes are committed using your login credentials then you are responsible for them. You should change your password at least every 90 days and immediately if someone discovers it.

Why are Good Storage and Access Practices important?

Good storage and access practices ensure information security compliance. This not only benefits your organisation, shielding it from fines, reputational damage and impaired functioning, but also all those whose data you process. Data breaches can lead to individuals having their rights and freedoms compromised and result in emotional, physical and material damage.

Information security breaches within the health and social care sector often have greater backlash due to the confidential nature of information held by these organisations. In 2017 it came to light that an IT system used by 1/3 of UK GP practices enabled unauthorised access of patient’s medical records. A massive 26 million patient’s data was breached as their records could be accessed by healthcare workers across the UK, for no legitimate reason. Doctors were informed that they had unknowingly breached their patent’s data protection rights and could be subject to complaints and even disciplinary action. An inappropriate lack of access restrictions in this case led to millions of patient’s data being compromised. Learning points from past breaches should be used to inform practice within your organisation and escape similar repercussions.

A payment card is a branded debit or credit card that is electronically linked to an account and used to pay for products and services. Businesses need to pay special attention to the way they handle these payments, as negligence in this area can be detrimental to your company’s reputation. This means that organisations must adhere to the industry requirements set by the PCI Security Standards Council, the Payment Card Industry Data Security Standard (PCI DSS).

Who needs to be PCI compliant?

Any entity that stores, processes or transmits cardholder data should comply with PCI DSS. PCI compliance is split into four levels, and the exact requirements for each depend on your business’ annual transaction volume.

There are four main types of businesses that must be PCI compliant, including:

1. Merchant: A merchant accepts a payment card from a cardholder in return for products and services.
2. Service providers and third parties: A service provider or third parties such as payment service providers and software vendors. These entities store, process or transmit cardholder data on behalf of a merchant.
3. Financial institutions: A financial institution processes, stores and transmits payment card data when carrying out transactions such as investments, loans and deposits. These include entities such as banks, insurance companies, investment dealers and brokerage firms.
4. Card schemes: Card schemes set and comply with the PCI DSS standards.

However, if you choose to use a payment gateway, the payment provider takes responsibility for PCI compliance. They are obligated to protect and encrypt any data, especially if it is entered into your website. When choosing a payment gateway, it’s important to consider how high their PCI levels are to ensure that payments processed on your page will be properly protected.

Merchant and Service Provider Levels

Merchant and service provider levels give a ranking relating to annual transactions. This ranking determines the risk level of a merchant or service provider, and the appropriate level of security for their business. This also determines the assessment and validation requirements for each merchant and service provider. A merchant will have four levels, whilst a service provider has two.

There are also fees to become PCI compliant. The extent of these costs depends on the size of your business, the level of security you already have in place and the technology you use. You may need to address or upgrade some of these things in order to make your business completely PCI compliant.

What does the law state around PCI compliance?

Technically, compliance with the standards for PCI DSS is not required by law in the UK. However, non-compliance often leads to hefty fines set by the payment brand. The size of the fine will vary depending on the number of card transactions processed. It’s also important to note that data losses often involve the loss of personal data, which means breaching the Data Protection Act 1998. The Information Commissioner’s Office (ICO) has enforcement powers to impose fines of up to £500,000 for this. Therefore, whilst PCI compliance isn’t officially mandatory, you should regard compliance with the same level of responsibility and vigilance as you would a legal requirement.

Why is PCI compliance important?

PCI compliance is often regarded with a level of apprehension, as there is still a sense of ambiguity surrounding the various associated procedures and risks. Whilst it isn’t a law, reports suggest that in 2015, 90% of organisations suffered data security incidents. This highlights how no business is immune to problems with PCI DSS, so it’s essential that your payment processing life cycle is secure.

If you have suffered from data compromise, you are obligated to communicate with a PCI Forensic Investigator (PFI) in order to establish the source of the breach. This can cost thousands of pounds, which you will liable for if the investigator finds evidence of non-compliance. You may also be required to pay Card Scheme fines, which are passed to the acquirer then to the merchant. These fines can be so great that merchants are forced to stop trading.

As well as fines, there are also fees associated with PCI non-compliance. If your business fails to comply with PCI standards, you could be at risk for data breaches, card replacement costs, costly forensic audits and investigations into your business, brand damage, and more.

Even more important than the monetary dimension of PCI compliance is the inherent ethical obligation businesses owe to their customers. Consumers trust you with valuable personal information, and so being compliant with PCI DSS means that you’re doing your very best to keep their data safe. If your business becomes affiliated with irresponsible management and control over data security, the consequent reputational damage will most likely lead to diminished sales and financial losses.

Case Study

In 2010, the handmade cosmetics company Lush Cosmetics experienced the consequences of negligence towards PCI compliance. After placing online orders with Lush, several customers reported noticing fraudulent transactions in their bank accounts. Lush responded to this by releasing a ‘Customer Notice’ explaining that their website had been hacked and encouraging customers to contact their banks for advice. This prompted an investigation, which found that Lush hadn’t taken adequate steps to protect their customers’ data and had failed to undertake regular security checks. The retailer was found guilty of breaching the Data Protection Act 1998 (DPA) and fined. Perhaps more significantly, however, they lost the trust and confidence of many customers.

Becoming PCI compliant and maintaining that compliance might seem like a lengthy process. Meeting industry standards often means negotiating many complex procedures including implementing security controls and hiring an expensive third-party consultant to install costly software and hardware. However, Lush is a prime example of the disastrous consequences faced by businesses that don’t respond to PCI DSS responsibly.

Related Courses

Information security could not be more topical at the moment, and information (often stored on multiple devices) is now just as valuable to criminals as our physical possessions. This means, in the same way you set intruder alarms and invest in home insurance, taking protective measures for your information and data needs to be a priority for everyone.

Technology really does seem to be man’s best friend now. We rely so heavily upon it to store and transfer data at the push of a button, and much of this information could be very valuable should it get into the wrong hands. Our reliance on technology means that it is has created a new breed of criminal – one ready to take advantage of any information security vulnerabilities they can find in order to gain unauthorised access to data. They could target either individuals or entire organisations depending on their skillset and level of commitment. The relative ease at which cyber-crimes can be committed (it’s easy, e.g., to send tens of thousands of phishing emails in under a second), and the sheer amount of information stored on computers, means that digital information security is perhaps the most at risk; a fact that means the steps we take to protect ourselves need to be improved.

Approximately 4,000 malware attacks are happening every day, many of these being ransomware, where criminals lock/encrypt the user’s device and demand a payment in order to undo their actions. Teamed with the fact that 230,000 new forms of malware are being developed every day, burying our heads in the sand definitely won’t help mitigate the risks.

Problems from Within

It’s important to remember that no organisation is immune to information security breaches. Many business heavyweights have been exposed as victims to cybercrime. Ebay, the online auction giant, was hacked in 2014 for example, resulting in the criminals getting hold of the details of 145 million users. The perpetrators were able to get into the network using the credentials of three corporate employees. This entry point gained them access to everything, eventually exposing the databases with customer information.

Names, addresses and passwords were compromised, although thankfully users’ credit card details were stored elsewhere. All the same, the company was criticised due to the amount of time it took them to contact users about the breach and prompt them to change their passwords. This solution should have been enacted much more quickly than it was, and put peoples’ data at an unnecessary risk – especially those who re-use passwords across other platforms and services. As a result of the scandal, user activity on eBay declined, highlighting that even the most successful household names can be tarnished by information security breaches.

Email problems

Criminals can use emails to send malware, e.g. in malicious attachments, or by prompting recipients to click on hyperlinks that really begin a download process. By downloading unknown attachments or clicking on such links, users could inadvertently download malware that could infect the entire organisation’s network. They may also download a means by which for hackers to have permanent entry points to company servers, data bases and so on. These can go unseen and undetected for months and years.

Phishing emails are another way that criminals can find a way in to gain access to confidential information via email. By posing as a legitimate source, such as your bank, criminals request information via authentic-looking, branded emails and fake websites. It only takes one recipient in thousands to fall for the scam in order to make it worth hacker’s while. Once they have the log in information or account details required, cyber criminals can access your real account or sell the information on.

Email solutions:

Security gateways are a good way to for you to control more of what finds its way into your inbox in the first place. The gateways are able to detect and block harmful content from getting into the network, as well as preventing the transmission of sensitive data such as credit card information. This could be in the many forms of malware, phishing attacks, and general spam.

Basic email awareness training shouldn’t be considered ‘dealt with’ if you have a gateway. Although they do a lot of good in strengthening your information security efforts, human training should be a priority too. Harmful emails can still find their way into an inbox, and all it takes is one member of staff to click on a disguised link to infect the network. As such, awareness training to create a compliance culture is a must to mitigate risks and empower members of staff to spot threats and suspicious activity. A clear whistleblowing policy will also help honest employees share suspicions should they have any.

Social Media problems:

Our love-affair with social media is something that isn’t going to disappear any time soon. The average person spends up to two hours a day checking and sharing information on the platforms. The problem with this is the amount of information we are willing to share, all because we view it as an informal, fun space rather than a place that could be under threat from criminals. Unfortunately, it is exactly this attitude that means it is where hackers flock to when looking for a new victim.

Cyber criminals can use social media to build fake-profiles and connect with many people in the hopes of being accepted on their friends list. Much like with emails, it only takes one user to accept a request for it to become much easier for cyber criminals to then connect with their connections more legitimately, as in ‘friend of a friend’. One example of this came in the form of ‘Mia Ash’, a so-called London-based photographer that made links with corporate employees under the guise of working together. Once she’d built up enough connections, she sent out a strain of malware known as a trojan horse, a virus disguised as harmless, inviting people to open it. The use of social media allowed her to gain a certain level of trust with audiences from all over the world, thus spreading the malware far and wide and causing more havoc.

Social Media solutions:

The privacy settings on social media platforms allow users to control who can see the information they put out there. Users of social media should always be aware of their level of privacy, and review it regularly as settings change, particularly information shared with third-party applications. Although there are lots of social media sites out there, all with slightly different privacy settings and requirements, most social media platforms make it easy to adjust privacy under the settings page of their websites and apps.

Once again, a mixture of software/settings and awareness training is the most effective step you can take in maintaining information security

Related Courses

Whether you’re suited and booted in the office on a Monday morning or at home in your slippers on a cosy Sunday night, you need to keep your computer safe from cyberattacks. By doing all you can to protect your PC, it’s possible to reduce the likelihood of hackers gaining unauthorised access to your machine and network and, as a result, you can keep your personal and business information private.

Hackers work in a number of ways, all with the same aim of gaining something for themselves. This might mean accessing your bank account first hand, selling your sensitive data on the dark web’s black market, or going as far as carrying out identity theft through piecing together the information they can find and posing as you online.

How to Keep Yourself Safe from Hackers:

Software

There is software you can use to protect your computer which will act as a deterrent for hackers on the lookout for an easy target. It’s true that no software can guarantee 100% protection, but it makes things much harder for the criminals to find access points, making it more likely that the attention of the hackers is diverted elsewhere.

Antivirus software works by carrying out regular scans of your computer and removing items of malware it detects as it goes. Combining antivirus software with firewalls (software that monitors incoming and outgoing network traffic on your machine) means that users will significantly reduce the chance of cyber criminals successfully infiltrating your machine.

Remember, all protection techniques need to be updated regularly to ensure they are up to date with the latest threats and know what to look for and must be combined with information security awareness training for the user (see below). The cybercrime scene is constantly developing due to hackers always wanting to find new ways they can attack users. This means that keeping your software up to date is paramount.

Emails

When emails first came about in the late 80s-early 90s, they became an easy target for cybercrime. They were, for all intents and purposes, an online postal system for hackers to direct attacks toward. Ensuring users remain vigilant about the risks involved with using emails is a simple way to increase your levels of protection, even as commonplace as email seems today.

59% of UK business leaders view emails as their greatest worry when it comes to hackers. This is because emails may include malicious attachments or links that, once clicked on, create an entry point for malware to infiltrate computer systems. This can then give hackers access to your personal information or lock you out of your system completely and demand money to take back control. Whichever way they do it, the problems can all start from an email.

Using an email security gateway is a good way to filter emails and get rid of suspicious looking items before they get the chance to hit inboxes. Gateways are able to detect and block harmful content from getting into the email network, as well as preventing the transmission of sensitive data such as credit card information. This harmful content could range from malware to phishing scams to general spam/unwanted content.

Passwords

A secure password is the first line of defence against hackers and cyber criminals. Although it seems simple, setting a good password is something that not enough people are prioritising. For example, the number one password currently under use is ‘password’, and not only this, but the same password is regularly being used for multiple accounts. This means that if a hacker cracks one password, they could potentially gain access to all your accounts, whether that means your social media or your online banking.

A strong password should be at least eleven non-sequential characters long, containing upper and lower-case letters, as well as numbers and symbols. This means that the software hackers use to crack passwords won’t get anywhere with yours, especially if you are updating them over time too. Cracking this password would take hundreds of years compared to only seconds for weak passwords.

Trying to remember a different password for each and every account can seem like a hard task, hence why people are tempted to cut corners in the first place. However, using a password manager is a much better, more secure, option. Password managers work by storing all your login details for each site all in one place securely, and changing them regularly. All you need to do is remember one password to access all of them.

By remembering your login for the manager, it will automatically enter your login details for the individual sites when you visit them. Think of it as a safe that stores all your valuable online information and encrypts it for you. Passwords, credit card numbers, security numbers, and any other sensitive data can all be saved into the manager, giving you peace of mind and freeing up some brain space!

Social media

The amount we use social media, and the amount of personal information we share without thinking about it means it’s a tempting platform for cyber criminals. Using information we share about ourselves, criminals can personalise their attack to appeal to our interests. They may also impersonate or take-over our contacts’ profiles and get us to click on fake websites, begin malicious downloads, or offer up confidential security information.

Remember, social media platforms allow users to control who sees information they put out there. If you use social media, you should be aware of your privacy settings, and review these regularly as they can change with new updates. Users should ensure they are only sharing information and pictures with people they know in real life and can verify are authentic.

Social media tip – save your holiday photos for when you return! Don’t advertise to your contact list that your house is empty.

Security in the Workplace

The steps you take to maintain the information security of your organisation are much the same as the individual protection measures listed above. The only difference is that the losses affect more people if they aren’t followed, and maintain security is as much about teamwork as it is about information security awareness.

Usually, the computer systems at a place of work are all linked via a network, so if one computer is infected, the malware can quickly spread to everyone in the organisation. This danger, combined with the use of mobile devices, means that malware can quickly spread far and wide. Keeping one computer safe isn’t enough, there needs to be consistency and communication throughout the whole company.

Training and Education

Keeping yourself safe in the workplace is the responsibility of everyone, starting from the top down.

Not only does information security training make employees aware of what to do should the worst happen, but it also means they are vigilant of the signs to look out for to prevent a hacker gaining access. At the end of the day, your employees are the first line of defence for your organisation, so educating them about security risks and best practice is one of the best ways to keep information secure on your computers.