Step by step, the Payment Card Industry Data Security Standard (PCI-DSS) requirements have sought to eliminate breaches and theft. Many of these requirements are easy to implement or rely on basic encryption practices that are already standard in online transactions. Companies that protect credit card data benefit from years of best practices, but the cybersecurity landscape is always changing.
Preventing credit card information from getting into the wrong hands ends up being a hurdle race for businesses: as hackers learn how to run faster and jump higher, the hurdles must become that much harder to get around. And that's the greatest advantage of PCI-DSS compliance: each element puts up a significant obstacle that hackers must overcome, either stopping them before anything happens or tripping them up long enough for the breach to be recognized and acted upon.
Six categories cover methods to protect employees as well as fundamental processes (such as encrypting the data, which is an excellent idea for obvious reasons). Building, maintaining, and monitoring a secure network is no small undertaking, but there are plenty of capable security specialists and services out there that will do that.
But perhaps the most overlooked element of compliance is logging in. Whether it's an administrator or a customer, simple password-based credentials alone aren't enough to secure such valuable data. Multi-factor authentication has been part of the requirements for some time, but it's also the grayest area, since many secondary factors leave a lot to be desired.
The area concerned with ensuring that the correct party, and only the correct party, can access credit card information falls under implementing strong access control measures. This compliance standard is broken down into three general requirements: restrict access to cardholder data by business need-to-know, assign a unique ID to each person with computer access, and restrict physical access to cardholder data. All of these aim to make logging in a fundamentally safer, controlled action.
These measures present plenty of challenges for retailers as well as customers. For one, the landscape of IT security is constantly changing, and the "strong access control" measures used today might not count as strong for long. While the requirements mandate using the three traditional categories of authentication factor, something you know (a password), something you have (a token), or something you are (biometric information), there's still the issue of implementing these effectively without turning away customers.
The main problem with these additional security measures is that, while they boost security, the change might come at the expense of lost customers. Introducing two-factor authentication for regular customers may significantly reduce the usability of e-commerce websites. While it's easy to calculate the damage from fraudulent transactions, lost profit from users dropping off or failing to complete transactions is a revenue loss that is much harder to assess.
PCI-DSS specifically requires that at least two of the three authentication methods are implemented, and that they function independently of one another. The whole point of having a second (or third, or fourth) factor is that the factors don't inadvertently compromise one another. The most common of these factors, and arguably the most ineffective and obsolete, is the username and password pair.
In fact, usernames themselves pose a huge threat with regard to storing financial data. From a security point of view, the use of open and unprotected information, which in most cases is personally identifiable information, as the first factor in the log-in process is one of the major risk factors.
Huge lists of usernames, which in some cases are simply users' and customers' real names and email addresses, are widely available on the dark web for a fee. With lists like these, hackers often get easy access to randomly selected accounts. When it comes to targeted attacks, purchased lists of usernames make for easy targets. Usernames compromise not only credit card data but other customer data as well, which can subsequently cause a domino effect of breaches.
How to stop this? It's relatively simple to integrate username-less sign-on that fits the "something you have" criterion. Smartphones, for example, are something almost everyone has, and they can offer much better security that complies with the PCI requirements.
Even the language in the new version of the standard specifies multi-factor rather than two-factor authentication, justifying the use of the correct factors of authentication, not just convenient ones that make marginal security improvements at best. Innovative, high-growth merchants would benefit tremendously from finding ways to take advantage of username-less authentication methods.