PCI DSS Compliance Tool for Log Analysis and Reporting

Secure Cardholder Data with PCI DSS Compliance Tool

In August 2019, reporters began flocking to Chooseus Life Insurance’s head office in Detroit after news leaked that thousands of the company’s customers had lost money due to a security breach. The CEO of this life insurance company released the following statement: “We have had your trust for two years. Please give us 48 hours to identify the source of this theft and take the necessary measures to reverse what has happened.”
With all the newly emerging forms of cyberattacks, the source of the attack was difficult to identify right off the bat. From a black hat sitting on the other side of the world to an insider attack or any customer who unknowingly installed malware on their device, the possibilities were endless. And with more customers losing their money, the situation was getting out of hand.
A team of IT security experts hired by the company discovered that Chooseus Life Insurance, a fairly new company in the market, had yet to become fully compliant with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS requires every business that accepts, processes, stores, or transmits credit card information to maintain a secure environment, so that customers are protected from having their card details stolen and misused. The standard requires merchants to protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.
A glaring issue found at Chooseus Life Insurance was that every employee had unrestricted access to all company data, including sensitive information like cardholders' details. There was no access control over critical data, which is not compliant with PCI DSS clause 7.1.

After a quick scan, the IT security experts identified the source of the attack: the compromised account of a sales executive. Upon further investigation, they learned that the sales executive had left his laptop open in a hotel lobby while on a business trip, allowing a skilled attacker to obtain access to his account and the sensitive data it could reach. With the credentials of this sales executive's account, the attacker used customers' cardholder information remotely to rob them. This means that anyone holding the required credentials could access the confidential data, with no second authentication factor, violating PCI DSS clause 8.3.2.

This brings us to the question: Are companies around the world aware that they need to fully comply with PCI DSS? Verizon’s 2019 Payment Security Report indicates that 63.3 percent of businesses did not fully comply with PCI DSS in 2018. One of the major reasons for this is that PCI DSS compliance is a very technical subject to understand and gets pushed down the priority list. Some companies that do comply with the standard fall out of it right after an audit.
Organizations need to understand that there is a direct link between being PCI DSS compliant and the organization's ability to defend against cyberattacks. Third-party audit solutions help companies audit and generate reports on parameters like logon successes and failures, changes made by privileged users, file access, and file creation and deletion, all of which are important for PCI DSS compliance. Real-time alerts can make all the difference between a safe network and a breached one.
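The audit parameters listed above (logon failures, privileged changes, access to and deletion of cardholder data files) can be turned into simple alerting rules. The following is an added example, not code from any product or from the original article; it runs over constructed log lines in a made-up "timestamp user event detail" format, and the path prefix, authorized-user sets and failure threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not a real product's output).
SAMPLE_LOG = """\
2019-08-12T09:00:01 jsmith LOGON_FAILURE src=10.0.0.5
2019-08-12T09:00:09 jsmith LOGON_FAILURE src=10.0.0.5
2019-08-12T09:00:15 jsmith LOGON_FAILURE src=10.0.0.5
2019-08-12T09:00:20 jsmith LOGON_FAILURE src=10.0.0.5
2019-08-12T09:00:24 jsmith LOGON_FAILURE src=10.0.0.5
2019-08-12T09:00:30 jsmith LOGON_SUCCESS src=10.0.0.5
2019-08-12T09:05:00 jsmith FILE_READ path=/data/cardholders.csv
2019-08-12T09:06:00 jsmith FILE_DELETE path=/data/cardholders.csv
2019-08-12T09:10:00 admin PRIV_CHANGE detail=user_added:temp01
2019-08-12T09:11:00 jsmith PRIV_CHANGE detail=group_added:domain_admins
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")
FAILURE_THRESHOLD = 5           # failures inside WINDOW that raise an alert (assumed policy)
WINDOW = timedelta(minutes=1)
CHD_PATH_PREFIX = "/data/"      # where cardholder data is stored (assumption)
AUTHORIZED_CHD_USERS = {"billing"}  # accounts allowed to touch cardholder data (clause 7.1)
PRIVILEGED_USERS = {"admin"}        # accounts allowed to make privileged changes

def analyse(log_text):
    """Return a list of (user, alert) tuples that an auditor would want reported."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent logon failures
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts, user, event, detail = m.groups()
        detail = detail or ""
        t = datetime.fromisoformat(ts)
        if event == "LOGON_FAILURE":
            # Keep only failures within the sliding window, then count them.
            failures[user] = [x for x in failures[user] if t - x <= WINDOW] + [t]
            if len(failures[user]) == FAILURE_THRESHOLD:
                alerts.append((user, "repeated logon failures"))
        elif event in ("FILE_READ", "FILE_DELETE"):
            # Any access to cardholder data by a non-authorized account is reportable.
            if detail.startswith("path=" + CHD_PATH_PREFIX) and user not in AUTHORIZED_CHD_USERS:
                alerts.append((user, f"{event.lower()} on cardholder data"))
        elif event == "PRIV_CHANGE" and user not in PRIVILEGED_USERS:
            alerts.append((user, "privileged change by non-privileged account"))
    return alerts
```

Run against the sample, the admin's own privileged change is silent while the sales account's failed logons, cardholder-file access and deletion, and self-granted group membership each produce an alert.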
