Businesses Dealing With PCI Falling Short On Regular Vulnerability Scans and Pen Testing
Findings in a recent industry report show far too many companies that deal with payment card information are falling behind in their vulnerability scanning and penetration testing responsibilities. Global Digital Forensics offers solutions to help organizations stay on the right side of PCI compliance and substantially strengthen their overall cyber security posture in the process.
An article in Fortune on Monday, March 23, 2015 highlighted a problem which could prove critical to organizations that deal with PCI (Payment Card Information); Why system testing, a critical aspect of data security, is worsening. Using numbers from Verizon’s 2015 payment card industry data security report, every major category out of the twelve measured improved, barring one – vulnerability scanning and penetration testing.
“With all the craziness that has gone on in the retail industry in the last couple of years, like the headline-making mega-breaches that hit goliath retailers like Home Depot and Target and exposed the PCI of tens of millions of customers, you would think scanning for vulnerabilities and testing cyber defenses would take a pretty high spot on the list of things to do for PCI reliant organizations,” says Joe Caruso, founder and CEO/CTO of Global Digital Forensics (GDF), a premier national provider of cyber security solutions headquartered in New York City, “but unfortunately, the results of Verizon’s study shows that unbelievably, that doesn’t seem to be the case.”
Regulatory compliance is not an option, it’s a necessity when a business deals with PCI
“PCI DSS (Payment Card Industry Data Security Standard) regulatory compliance was devised to establish ground rules for any entity involved in taking, maintaining, and/or using payment card information. And in those rules it is explicitly stated that organizations need to run a vulnerability scan at least once every three months, and a penetration test at least once a year,” says Caruso, “and if the organization lacks the expertise, tools or personnel internally to do it, and many do, a qualified third party vendor is supposed to be called in to get the job done right. The problem is, especially in the retail business, many of the decision makers find the prospect daunting for many reasons, like they think it will be an unruly and exorbitant expense, that they will have to devote internal personnel to the task full time, that they’ll experience too much downtime while the scanning and testing are going on, and all kinds of other thoughts which are really not the case. We’ve done hundreds of vulnerability scans and penetration tests for customers in just about every industry you can think of, from healthcare and financial institutions, to retailers and law firms, both onsite and remotely, and 99% of the time they are shocked at how easy, affordable, and most importantly, helpful the whole process is. In the end we will have provided a detailed remediation plan which lays out step-by-step what needs to be done to resolve any issues found. And it’s not going to take six figures or months to accomplish the scanning and testing, and they’re not going to have to shut down the business while we get the job done. If it needs to be done after hours, we’ll do it after hours, and like I said, we can often even do most of it, if not all of it, remotely. Our job is not to create stress, it’s to reduce it, which for any retailer should always be a byproduct of a significantly improved cyber security posture.”
Regularity is not only required, it’s essential for business survival in today’s digital world
“Threats are evolving every day, technologies changes all the time, new business needs and practices continuously emerge, and all of that has to be accounted for,” warns Caruso. “That’s what we help clients do, assess their vulnerabilities and test for weak links in their cyber security chain with proven state-of-the-art vulnerability scanning and penetration testing, from both an insider and outsider perspective. We can also assist in the emergency response arena, flexing an organization’s response plan to see how it stands up to real-world threats and isolate the shortcomings, and if a plan doesn’t exist, we’ll help them devise one from scratch. The biggest key is regularity, what would have worked last year will probably not stand up to today’s threat landscape, and what works today will undoubtedly be challenged by the threat vectors that evolve over the next few months or year. Like it or not, that’s today’s cyber reality, so either businesses have to be prepared to step up and play the game right, or pack up, take their ball and go home, because they will not win in the long run if they’re not ready to take the field on any given day. And in the world of PCI, losing that game can cost a business everything.”
*Global Digital Forensics is a recognized industry leader in the fields of computer forensics, cyber security and emergency incident response, with years of experience assisting clients in the government, banking, healthcare, education and corporate arenas. For a free consultation with a Global Digital Forensics specialist, call 1-800-868-8189 about tailoring a cost-effective plan which will meet your unique needs, without wasting resources on solutions you simply don’t need. Emergency responders are also standing by 24/7 to handle intrusion and data breach emergencies whenever and wherever they arise. Time is critical if a cyber incident has occurred, so don’t hesitate to get help. For more information, visit our cyber security page.