As an Official Champion of National Cyber Security Awareness Month (NCSAM), the PCI Council will be sharing educational resources on payment security best practices on the PCI Perspectives blog, and through our Twitter (@PCISSC) and LinkedIn pages. We sat down with Troy Leach, Chief Technology Officer for the PCI Security Standards Council, to discuss the importance of building a culture of security.
What does it mean to have a “culture of security”?
Troy Leach: As we end the month on cybersecurity awareness, it is important to understand that building a culture of security means establishing behavior that is part of an organization’s daily operations. The responsibility for protecting the company’s assets, including customers’ cardholder data, is a responsibility that must be seen as shared rather than assigned.
Security comes down to three things: people, process, and technology. Breach reports continue to point to the critical role that employees’ security understanding and awareness play in identifying, protecting against and mitigating data compromise. An organization can have the newest technology and processes in place to protect cardholder data, but it only takes one unpatched system, a default password left unchanged or cashiers not knowing a skimmer has been inserted on a terminal right before their eyes for a criminal to breach an organization. These events can be exploited any day of the year, which requires a culture to remain diligent.
Why is it imperative to promote cybersecurity at all levels of an organization?
Troy Leach: An organization’s successes and failures should be seen as shared achievements or downfalls. First, there is the need for senior leadership to promote cybersecurity and establish trust with their customers that any information shared will be protected and not abused or negligently mishandled. The incredible, global commerce platform that we operate within today is built on trust - trust that we will invest in proper security, including the people, and the technology or processes we use to accept payments.
But that trust is critical within an organization as well. A culture of security not only elevates awareness to improve security posture but greatly improves the likelihood of success to demonstrate security through compliance. ISACA Journal published the results of a survey by Steinbart et al.[1] showing that organizations that worked collectively towards the goal of security were much more successful in meeting compliance metrics than organizations that resisted or saw internal auditors as ‘enforcers’ rather than consultants.
It is in the best interest of companies to create a culture of security to help eliminate internal friction, reduce the overall cost for compliance and improve the everyday posture of security since attacks are becoming increasingly more sophisticated. Only the due diligence that comes with an ongoing culture that prioritizes security can reduce the likelihood of an organization becoming the victim of the next big account data compromise.
Breaches involving third-party vendors are becoming increasingly common. What can organizations do to make sure that their vendors are prioritizing security?
Troy Leach: That is happening for several reasons. First, we have to recognize that while breaches associated with third parties are increasing, our reliance on third parties is growing at an even faster pace. Statistically, it makes sense that we should expect to see an increase with third parties if entities are using these services more frequently.
Having said that, merchants must remain diligent when working with their business partners. It is not enough to sign a multi-year contract and assume all will be acceptable for years to come. This is where “trust but verify” is practical. There should be ongoing assurance that as the service provider evolves, those changes do not affect the security posture of the organization. And, as new threats are introduced, that the service provider is staying current with relevant mitigation. That is why in PCI DSS v3.2 we introduced several new requirements specifically for service providers.
For those looking for help on how to work with service providers and the right questions to ask, the Council published a special interest group paper that shares best practices related to third-party security assurance.
Small businesses often don’t have the resources that large organizations have to dedicate to security. How can they build security into their day-to-day dealings?
Troy Leach: It’s true that small business owners are often not technology experts and tend to rely heavily on the expertise of others. We encourage small merchants without the knowledge or resourcing to rely on the expertise of others rather than trying to do it all themselves. However, ignoring security or implementing it without sufficient expertise allows a merchant to be easily compromised and puts their business at serious risk. That is why the earlier point on improving service providers’ commitment to good cybersecurity practices is so important for small businesses. Providers must become the advocate for the small organizations that they service and support.
But sometimes smaller service providers may wrestle with some of the same challenges. That is one of the reasons we created resources dedicated to helping small businesses secure their customers’ payment card data and understand what questions they should be asking their third-party partners.
There is a lot of great information in these resources. For example, as a very first step small businesses need to examine the access to their systems - they should confirm they have changed default or weak passwords, and that passwords they set up themselves are strong ones. This is a simple thing to do, yet we continue to see many small businesses breached as a result of easy passwords like “password1” or “admin.” Criminals will always take the path of least resistance, which is oftentimes a default password.
Any other advice for retailers that may be a target of attacks?
Troy Leach: Companies should be on the alert for changes to their cash registers and payment or point-of-sale terminals. If you can, lock your terminals to the counter to prevent thieves from tampering with the device and adding skimmers. Also, train your employees to know what to look for – take pictures of the terminals and have your employees periodically look for changes such as a different cable extending from the device, changes to the cover of the device, or tampering with the label on the bottom. Finally, be aware of changes in performance of the device. If the transaction is much faster or prompts that normally display during a transaction change, confirm those are expected changes.
Any final thoughts on how an organization can build a culture of security?
Troy Leach: Yes, cybersecurity awareness month is a great time to take a moment and evaluate your payment security, especially as organized crime targets stealing payment card data and spoofing terminals more often in the fourth quarter than any other time of the year.
For those organizations that use an Internal Security Assessor (ISA) or a similar role, it is important to identify individuals that can champion security in every department, not just IT or internal audit. I’d encourage quarterly or more frequent meetings with various departments to maintain awareness of security for them and any organizational or system changes that may impact PCI DSS compliance in the future.
Learn more about creating a security awareness program:
[1] Paul John Steinbart, Robyn Raschke, Graham Gal and William N. Dilla, “Internal Audit’s Contribution to the Effectiveness of Information Security (Part 1)”, ISACA Journal, Volume 2, 2014. http://www.isaca.org/Journal/archives/2014/Volume-2/Pages/Internal-Audits-Contribution-to-the-Effectiveness-of-Information-Security-Part-1.aspx#11