Case in point: An owner of two small magazine stores was surprised to discover that hackers had installed software on his registers and stolen credit card information. After an investigation, at the owner’s expense, he was out over $20,000 — half his annual profit.
“His experience highlights a growing threat to small businesses. Hackers are expanding their sights beyond multinationals to include any business that stores data in electronic form. Small companies, which are making the leap to computerized systems and digital records, have now become hackers’ main target,” according to a Wall Street Journal article.
In a sense, adhering to PCI compliance standards is becoming something like an insurance policy — one that protects businesses while eliminating unforeseen expenses. Driving that value is the fact that the payment card industry has come down hard on both retailers and other organizations that store or have access to credit and debit card information by imposing heavy penalties for violating PCI compliance standards.
That translates to SMBs focusing more on security and incorporating regular and automated systems management to maintain compliance and prevent hacking.
Fortunately, standards exist that make meeting PCI compliance considerably easier. Take, for example, PCI DSS — now in version two — which spells out what is needed to secure the data associated with payment card-based transactions.
PCI DSS shows it takes more than just encryption and secure data storage to meet PCI compliance. Businesses need to incorporate management mechanisms, actively manage their systems and perform audits. PCI DSS includes 12 requirements for building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.
It is those standards that show where additional value can be wrung out of PCI compliance. After all, improvements in security and operations always lead to measurable results.
Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with more than 25 years of experience in the technology arena. He has written for several leading technology and business publications, and was also executive technology editor at eWEEK and director at CRN Test Center.
Administrators are finding out just how scattered across the enterprise their data is. Increasingly, it is being stored on a growing number of new portable machines, removable devices and desktops that make it hard to determine if you are compliant or not.
For example, take HIPAA compliance. Patient data must be protected and kept confidential, yet many times X-rays or test results are stored on a CD and sent to another medical practice, sometimes carried by the patient. On the surface, if all the rules are adhered to, meeting compliance standards should not be an issue. But once the data is in transit, compliance officers no longer have control over it, which potentially poses a serious data protection problem.
While it may be impossible to solve such a data protection problem quickly, it does bring up a key issue: visibility. Simply put, if administrators aren’t fully aware of this process, how can they adhere to any meaningful compliance standards?
The answer to that dilemma comes in the form of management tools that offer visibility into IT operations. The problem is there is no one-size-fits-all solution that can offer full visibility. This is where administrators have to become creative.
For example, a combination of PC asset management tools, such as Intel’s LANDesk, Symantec’s Altiris and Dell’s Kace, can provide visibility into what’s transpiring on PCs and other endpoints in the enterprise. These tools can be complemented by network monitoring and management tools, like SolarWinds and Paessler, while other tools can handle reporting on data in motion to round out visibility.
The last step administrators need to take is integrating these tools. By doing so, administrators have a clear map that shows where data can travel, allowing them to take preventative steps to eliminate the dreaded noncompliance discovery during an audit.
Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with more than 25 years of experience in the technology arena. He has written for several leading technology publications, including Computerworld, TechTarget, PCWorld, ExtremeTech and Tom’s Hardware, and business publications including Entrepreneur and BNET. Ohlhorst was also executive technology editor at eWEEK and director of CRN Test Center.