Wherever people are legally transacting money for goods, there are going to be bad guys in search of a score. It’s just the unfortunate reality of our world increasingly moving to the internet for its needs — wherever the good guys go to transact and do business, the bad guys will follow them in an effort to manipulate and rip off.
As the American e-commerce industry grew by 14.2% in 2018 to total more than $517 billion in transactions, you can be sure that cybercriminals are at work to con people out of their money and personally identifiable information. Consumers can take certain steps to establish their own security, but they must fundamentally share some of this information in order to complete transactions online. They can’t be responsible for protecting information that they necessarily part with.
The burden to protect this information — we’re talking about credit card numbers, security codes, and the like — lies with the businesses that process it. The best of these businesses pursue PCI compliance because they know that it’s an important feather in their cap for retaining consumer trust and pushing back against any would-be cybercriminals.
A business that doesn’t know where it stands on PCI compliance can find out by conducting a vulnerability scan.
What is a vulnerability scan?
“PCI” stands for “payment card industry.” Businesses that handle credit card details or other sensitive information over the internet must conform to a set of standards and best practices that make them “PCI compliant.” This means that PCI compliance directly pertains to most businesses operating in 2019. People love shopping online, but they need a safe environment for doing so.
A PCI vulnerability scan is the automated, high-level test that hunts for and identifies potential vulnerabilities in a company’s information technology architecture. It’s like giving a company’s online payment procedure a checkup at the doctor’s office. These tests are conducted by organizations known as PCI Approved Scanning Vendors (ASVs), and they must happen at least every quarter. In technical terms, an ASV will scan all external IPs and domains connected to a company’s payment processing system. They do the heavy lifting of making sure that all the payment information passing through a business’s infrastructure is moving in secure compliance with PCI standards.
Why should you perform a vulnerability scan?
Vulnerability scans give you a look into the overall health and security of how your company processes payments. Depending on your business, this may be a significant portion (or even 100%) of your company’s revenue. In simplest terms, these scans ensure PCI compliance to protect a business’s reputation while protecting its customers from identity theft. Doing this requires identifying potential risks or weaknesses in that business’s software, website, and technology stack. You should perform a vulnerability scan for the same reason you take vitamins — it’s a proactive and preventive measure that guards against potential damage in the future.
For the most effective results, these scans should take place only after a system administrator has implemented new changes to the business’s network. If your business has recently installed new hardware, updated its firewall, or fixed previously identified vulnerabilities, then there’s no time like the present for a fresh scan.
How to perform a vulnerability scan
Ensuring the security and stability of how payment gateways interact with a company’s own information technology infrastructure is highly niche, technical work. That’s why it is predominantly carried out by a certified vendor rather than the company itself, in the form of internal and external scans.
Internal scans focus on vulnerabilities that can stem from inside a network’s firewall. These are the risks potentially sleeping on a business’s own network. External scans examine the network from the outside. They analyze ways that an outside actor could attack the network or otherwise compromise it, yielding actionable information to help administrators patch these vulnerabilities.
These scans will either confirm your company’s PCI compliance or provide you with a clear roadmap for getting there, so don’t ignore them.
Establish your own best practices
Yes, PCI compliance is about meeting industry standards, but your company should have its own playbook for maintaining that compliance after reaching it. As this is a rather technical and specific aspect of business, it deserves a couple of members of your staff dedicated to making sure the PCI ball doesn’t get dropped. You should not only seek out external experts when it comes to establishing your PCI compliance, but you would do well to have a few internal experts on your team working to the same end.
These people’s jobs should include archiving all the relevant compliance documentation in a central organized database — it should be no problem to pull up past scan details, executive summaries, attestations of compliance, and the like. They should also be establishing processes for identifying security vulnerabilities that use reputable external experts, even going so far as to triage potential vulnerabilities as high or low priority.
As technically knowledgeable people, they should also be installing all the requisite security patches for your systems as quickly as possible upon release. They might even install an automated solution in front of public-facing web applications to continually check traffic for detecting and preventing web-based attacks. This team should furthermore be updating everyone on their progress and forecasts during regular company meetings.
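The two recurring jobs described above, triaging scan findings into high and low priority and keeping scans on a quarterly or after-change cadence, are simple enough to script. The following is an added example, not code from this article or from any ASV. It assumes the scan report can be reduced to a list of findings with a CVSS base score (the format, hosts and scores below are constructed), and it uses the PCI ASV Program Guide's rule that any finding scoring 4.0 or higher fails the scan as the line between high and low priority; the 90-day quarter is likewise an assumption for illustration.

```python
from datetime import date, timedelta

# Constructed sample findings, shaped like the rows of an ASV scan report:
# host, finding title, CVSS base score. Hosts and scores are made up.
SAMPLE_FINDINGS = [
    {"host": "203.0.113.10", "title": "TLS 1.0 enabled on HTTPS service", "cvss": 6.5},
    {"host": "203.0.113.10", "title": "HTTP server version disclosure", "cvss": 2.6},
    {"host": "203.0.113.22", "title": "Outdated web framework version", "cvss": 7.5},
    {"host": "203.0.113.22", "title": "Missing HTTP security header", "cvss": 3.1},
]

# Assumption (not stated in the article): the PCI ASV Program Guide treats a
# finding with CVSS base score >= 4.0 as a failing result, so that score is the
# natural cut-off between "high" (blocks a passing scan) and "low" priority.
FAIL_THRESHOLD = 4.0

# Assumption: quarterly cadence modelled as 90 days between scans.
QUARTER_DAYS = 90


def triage(findings, threshold=FAIL_THRESHOLD):
    """Split findings into high and low priority, each sorted worst-first."""
    high = sorted((f for f in findings if f["cvss"] >= threshold),
                  key=lambda f: -f["cvss"])
    low = sorted((f for f in findings if f["cvss"] < threshold),
                 key=lambda f: -f["cvss"])
    return {"high": high, "low": low}


def scan_passes(findings, threshold=FAIL_THRESHOLD):
    """A scan passes only when no finding reaches the failing threshold."""
    return not any(f["cvss"] >= threshold for f in findings)


def hosts_to_fix(findings, threshold=FAIL_THRESHOLD):
    """Hosts that carry at least one high-priority finding, for the work queue."""
    return sorted({f["host"] for f in findings if f["cvss"] >= threshold})


def next_scan_due(last_scan, last_change=None, quarter_days=QUARTER_DAYS):
    """Date the next scan is due.

    Normally one quarter after the last scan; but if the network changed after
    that scan (new hardware, firewall update, a fix applied), a new scan is due
    on the date of the change.
    """
    if last_change is not None and last_change > last_scan:
        return last_change
    return last_scan + timedelta(days=quarter_days)


if __name__ == "__main__":
    result = triage(SAMPLE_FINDINGS)
    print("scan passes:", scan_passes(SAMPLE_FINDINGS))
    print("hosts to fix:", hosts_to_fix(SAMPLE_FINDINGS))
    for level in ("high", "low"):
        for f in result[level]:
            print(f"{level:4} {f['cvss']:>4} {f['host']} {f['title']}")
    print("next scan due:", next_scan_due(date(2019, 1, 15), last_change=date(2019, 2, 1)))
```

Run it and the two findings at 6.5 and 7.5 come out as high priority, the scan is marked as failing until those are fixed, and the due date jumps forward to the change date rather than waiting for the quarter to end. Swap in a parser for your vendor's real report format at the top and the rest stays the same.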
While the heavy lifting of a PCI compliance scan is largely carried out by third-party vendors, this doesn’t mean your own company can’t take its security seriously. A prepared team is only going to be stronger in the face of potential attack, so make sure your team is prepared. It will only save you from fines and public relations disasters down the road.
As e-commerce continues to grow in the future, malicious cyberattacks here are no question of “if,” only a question of “when.”