We hear from Reliance acsn QSA, Shaun Wakefield, on a recent experience that left him questioning how common the mishandling of card data is.
Being asked to email your card details to gain a refund is not a great process but is something I was asked to do recently. Why not, you might ask?
Email systems do not encrypt message content by default. It is also very hard for an end user to delete, let alone securely delete, an email once it has been sent.
If your organisation does this, the practice brings many connected IT systems – including every desktop in your organisation – into the scope of your PCI DSS compliance. Whilst you can do this and still be compliant, most organisations find PCI DSS too onerous to apply to all of their systems.
If you are breached you will need to pay fines, conduct forensic analysis of the systems that were breached, and once that is finished, become PCI DSS compliant within 30 days. You will have to engage a Qualified Security Assessor and go through a full Level 1 assessment. Do the wise thing and get some advice on how to achieve compliance with the PCI DSS standard.
For more information on achieving or maintaining PCI DSS compliance, contact us today at firstname.lastname@example.org or on +44 (0) 203 872 9000.
Shaun Wakefield, Senior Security Consultant
Shaun has over 20 years of security, network management and ISP experience. For the last 8 years Shaun has been helping organisations across the world understand their security challenges and put in place pragmatic controls to manage risk appropriately.