Did you know that 84% of all data breach caseloads included payment account data? And that according to Verizon's Data Breach Report, 93% of data breaches had financial motives by bad actors? For dealers who manage customer payment, banking and other financial related information in their ERP systems, Dealer Management or Business Systems, PCI-DSS compliance is an imperative. Put simply, dealerships out of compliance will likely see their cyber-liability premiums skyrocket.
To assist dealers, here is a quick Sedona Safeguard cheat-sheet on the PCI-DSS Compliance Framework (v4.0) from the PCI Security Standards Council® to ensure your dealership is safely handling cardholder data to prevent fraud and data breaches.
The Basics of the PCI-DSS Compliance Framework v4.0
As a dealer, you hold a pivotal role as merchant within the payment ecosystem. Your dealership must be at the forefront of a critical effort to safeguard customer payment data from theft and exploitation. Inadequate security measures will allow cybercriminals to easily access and misuse customer financial data. Vulnerabilities can manifest throughout the card-processing technical supply chain, including POS devices, cloud-based systems, mobile devices, computers, servers, routers, e-commerce applications, and so on. These vulnerabilities also extend to systems managed by your technology and business system service providers all the way to connections with your dealership's financial institutions. Adhering to PCI-DSS compliance is essential in mitigating these risks and vulnerabilities to safeguard customer payment data.
What are the principles of PCI DSS compliance?
Core to the PCI DSS compliance framework is protecting customer payment information including:
- Card and Cardholder Data
- Ensuring a secure network and systems
- Implementing strong data, system and device access control measures
- Regularly monitoring and testing networks
- Maintaining an information security policy
- Maintaining a vulnerability management program
How do businesses comply with PCI DSS?
- Assess: Identify all locations where cardholder data is stored, conduct a comprehensive inventory of IT assets and business processes related to payment card processing, and perform an analysis to detect any vulnerabilities that may expose cardholder data.
- Remediate: Address identified vulnerabilities, ensure the secure elimination of any superfluous cardholder data storage, and implement secure business processes.
- Report: Prepare detailed documentation of assessments and remediation efforts and submit compliance reports to the relevant compliance authority.
- Monitor & Maintain: Ensure that the security controls established to protect payment account data, and the surrounding environment remain effective and operational throughout the year. These routine processes should be integrated into the organization's comprehensive security strategy to guarantee continuous protection.
What Should Dealers Do?
To ensure compliance to the PCI-DSS v4.0 at minimum dealers should focus on 3 key areas as required by the framework:
- Penetration Testing - Either once or twice a year an external and internal pen tests are a great way to identify the areas of vulnerability across your network and devices.
- Vulnerability Scanning - Additionally, at least once a month, you should run a network, device and endpoint vulnerability scan. This will help you provide insight to where on your network has the vulnerability.
- PCI-DSS Assessment - Document the location of cardholder data and conduct an audit of the systems and tools we use to transact and store cardholder information will allow dealers to understand all the nooks and crannies in your IT environment that can be vulnerable to a breach.
Don'f forget 93% of data breaches have financial motivation by bad actors. Don't let your dealership fall victim to these bad actors and secure your dealership's IT stance today. if you'd like to learn more about PCI-DSS compliance, feel free to reach out via our vCISO services page.