CIOReview
MAY 2019

8. Kmart - For the second time in less than three (3) years, battled a malware-based security breach
9. Sonic - In 2017, a payment system breach resulted in up to 5 million stolen credit and debit card accounts
10. Hyatt - Two (2) breaches in two (2) years exposing credit card data from 41 hotels in 11 countries

This is only a partial list of data breaches that affected millions of consumers, but it is tangible evidence that securing payment data is no small task, even when you have the luxury of a significant operational budget for cybersecurity and compliance.

Accounting for PCI requirements demands significant planning up front to develop and implement payment processing methods for customers and other entities that are expected to make payments online. This helps to facilitate the development of a holistic plan to select a qualified vendor, well-versed in PCI compliance, who will implement a secure online payment solution.

The selected vendor will then enable more convenient, secure methods and types of payment, allowing the service provider to receive online payments securely via electronic check, credit card, and debit card transactions. Payment channels could include the internet, phone, customer service centers and payment kiosks. In addition, it is also imperative that the service provider or business selects a payment provider with a proven solution that has real-time system monitoring and reporting, along with the ability to integrate with the existing accounting systems and infrastructure.

In our modern era many businesses, utilities and other service providers receive most of their payments for services from customers and other entities via online payments. As such, these payment collection methods have become a major target for cyber-criminals, which makes it all the more important that online payments are made in a secure fashion without making the process more cumbersome and time consuming.

One proven way to validate that a payment system is secure is to periodically conduct vulnerability scans, which use an automated tool to check a merchant or service provider's systems for vulnerabilities. The tool conducts a non-intrusive scan to remotely review networks and web applications, based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan identifies vulnerabilities in operating systems, services and devices that could be used by cyber-criminals to target the company's private network. The scan does not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks will be performed.

In addition, mitigation strategies should be developed in case of a breach, and periodic training and testing should be performed to ensure that the technical personnel responsible for supporting payment systems are aware of the expectations around maintaining a secure payment system.

In the end, this doesn't make the prospect of paying bills any more palatable for consumers, but it certainly helps to ensure that customer data is not compromised and that companies are not subjected to hefty fines and negative press that could lead to deeper financial losses. As technical professionals, we can and should each take steps to ensure that online payments are more secure.

Vennard Wright
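The vulnerability-scanning paragraph above describes the two inputs a merchant controls: the list of external-facing IP addresses handed to the scanning tool, and the report that comes back. The following Python script is an added example, not code from the article or from any scanning vendor; it does no scanning itself. It validates the declared scope (rejecting private, loopback, link-local and multicast addresses that an external scan could never reach) and then triages a scan report against the PCI ASV rule that any finding with a CVSS base score of 4.0 or higher fails the scan, while also flagging declared hosts the report never covered and scanned hosts that were never declared. The `Finding` and report structures, the addresses (drawn from the 203.0.113.0/24 documentation range) and the finding titles are all constructed here for illustration.

```python
"""Scope validation and PCI-style triage of an external vulnerability scan report.

Added example: the data model and sample report are constructed for this
illustration and do not describe any real scanner's output format.
"""
import ipaddress
from dataclasses import dataclass

# PCI ASV Program Guide rule: a finding with CVSS base score >= 4.0 fails the scan.
PCI_FAIL_CVSS = 4.0

# Address space an external, Internet-based scan cannot reach. Python's own
# ip.is_global is deliberately not used here because it also treats the
# documentation ranges used in this sample (203.0.113.0/24) as non-global.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/8",
    "fc00::/7", "fe80::/10", "::1/128", "ff00::/8",
)]


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    cvss: float


def is_external(ip):
    """True if the address is outside every non-routable block above."""
    return not any(ip in net for net in NON_ROUTABLE)


def validate_scope(addresses):
    """Normalise and filter the address list a merchant submits for scanning.

    Returns (in_scope, rejected): in_scope is a de-duplicated list of
    external addresses; rejected pairs each bad entry with a reason.
    """
    in_scope, rejected = [], []
    for raw in addresses:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            rejected.append((raw, "not an IP address"))
            continue
        if not is_external(ip):
            rejected.append((raw, "not reachable by an external scan"))
            continue
        if str(ip) not in in_scope:
            in_scope.append(str(ip))
    return in_scope, rejected


def triage(report, in_scope, threshold=PCI_FAIL_CVSS):
    """Judge a scan report against the declared scope and the CVSS threshold.

    report: {"scanned": [host, ...], "findings": [Finding, ...]}.
    The scan passes only if every declared host was scanned and no in-scope
    host carries a finding at or above the threshold.
    """
    scanned = set(report["scanned"])
    unscanned = [h for h in in_scope if h not in scanned]          # coverage gap
    undeclared = sorted(scanned - set(in_scope))                   # scope drift
    failing = {}
    for f in report["findings"]:
        if f.host in in_scope and f.cvss >= threshold:
            failing.setdefault(f.host, []).append(f)
    return {
        "passed": not failing and not unscanned,
        "failing": failing,
        "unscanned_hosts": unscanned,
        "undeclared_hosts": undeclared,
    }


# Constructed sample input: a scope list with a stray private address, a
# duplicate and a typo, and a report that both misses one declared host and
# touches one host that was never declared.
SAMPLE_SCOPE = ["203.0.113.10", "203.0.113.11", "203.0.113.12",
                "10.0.0.5", " 203.0.113.10", "not-an-ip"]
SAMPLE_REPORT = {
    "scanned": ["203.0.113.10", "203.0.113.11", "203.0.113.13"],
    "findings": [
        Finding("203.0.113.10", 443, "TLS 1.0 accepted", 5.3),
        Finding("203.0.113.10", 443, "HSTS header missing", 2.6),
        Finding("203.0.113.11", 22, "SSH version banner disclosed", 0.0),
        Finding("203.0.113.11", 8080, "Outdated web server (placeholder)", 7.5),
        Finding("203.0.113.13", 80, "Directory listing enabled", 5.0),
    ],
}


def run_sample():
    """Validate the sample scope, triage the sample report and return both."""
    in_scope, rejected = validate_scope(SAMPLE_SCOPE)
    return in_scope, rejected, triage(SAMPLE_REPORT, in_scope)


if __name__ == "__main__":
    scope, bad, result = run_sample()
    print("In scope:", scope)
    for entry, why in bad:
        print(f"Rejected {entry!r}: {why}")
    print("Passed:", result["passed"])
    for host, items in result["failing"].items():
        for f in items:
            print(f"FAIL {host}:{f.port} {f.title} (CVSS {f.cvss})")
    print("Declared but not scanned:", result["unscanned_hosts"])
    print("Scanned but not declared:", result["undeclared_hosts"])
```

The two side checks matter as much as the CVSS threshold: a report that silently omits a declared host gives no evidence about that host, and a report that covers an undeclared host means the scan scope and the real external footprint have drifted apart, which is exactly the kind of gap an attacker looks for and a compliance assessor will ask about.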