Christmas shopping is front of mind for many of us this time of year. Debit and credit card transactions make the whole process quicker, whether we're online or in the actual stores, but we need to remember that using plastic payment methods also puts us at greater risk for identity theft. Experts have repeatedly told us this month that we should be careful with whom we shop, and we should be vigilant about checking our statements to be sure nothing unexpected shows up.
The holiday season is also the perfect time for businesses that accept payment cards to examine their security practices, procedures and technology. Are all three things doing what they should? Are there weaknesses that need to be addressed? Are employees properly trained in how to handle card numbers and other customer information? Being certified as PCI compliant is one thing (and it's a good thing), but as IT Business Edge guest contributor and Q1 Labs Senior VP Tom Turner points out:
While simply getting the compliance "check box" is a tempting option to the overburdened IT professional or line of business manager, it's in the best interest of the company to use the budget allotted for compliance to go above and beyond what is required in the mandate.
Turner goes on to say that going "above and beyond" what's required results in big benefits for the companies: In addition to avoiding hefty non-compliance fees, companies see additional business benefits... more efficient operation of a secure network and improved enterprise visibility, not to mention the millions of dollars they save by preventing data breaches and network attacks.
But the way the rules are drafted, they don't require much more than the check-box mentality. Turner suggests "the rule should really demand a higher level of intelligence be derived from the listed log sources."
In other words, companies should actually do something with the information found in the logs. But without log-review technology that will also distill the information into manageable portions and useful bits, doing something with it will be impossible, and the goals of compliance will not be met.