When entrepreneurs begin a startup, PCI compliance may not be their first thought. The focus is on getting big ideas to the masses, but those that get ahead understand the need to build their entire business correctly, from the ground up.
A key item to think about at the start of a business is how to handle and secure sensitive data. If you accept, store, process or transmit cardholder data, you are probably aware of the PCI compliance standards that must be met.
Maintaining compliance can be a struggle for startups, especially while they are growing. If their infrastructure isn’t based on a sound design from the start, it will need to be rebuilt at some point. The larger the business grows, the more difficult and time-consuming it will be to make the fundamental changes required.
Every business needs to protect its trade secrets, privacy and reputation. It is far easier to design technology infrastructure around compliance program requirements than to change it after it has grown. In fact, many startups that make this mistake can spend one or two years implementing fundamental design changes to meet compliance requirements.
Building infrastructure with compliance in mind from the start gives you one more edge over your competitors, so you can focus on scaling your business while they struggle with painful rebuilds.
Here are the things you need to know about security and PCI compliance to make sure your business is protected and stays attractive to your investors as it grows.
Find a qualified security assessor to rely on. A great first step to get your startup focused on security and compliance is to partner with a qualified security assessor. A QSA has been trained by the PCI Security Standards Council to help businesses conduct assessments of how they handle credit card data. These assessors are especially helpful to a new business because they will have seen working solutions to the most daunting compliance requirements, and an experienced QSA team is able to help identify the most appropriate and scalable solutions for your business.
Take time to design and segment your networks. You don’t need to hire a full-time network expert, but investing in network design services upfront saves you time in the long run. With a good fundamental design in place, it should be a natural and painless transition to move from professional services to your first full-time network administrator. With sensitive data constantly in transit, network segmentation is critical. Segmentation is one of the most effective ways to reduce the scope of a PCI audit, which keeps costs, attack surface and risk to a minimum.
Use firewalls. Setting up firewalls between network segments is an important step to keeping data secure, and is required for PCI compliance. Leveraging firewalls allows you to ensure segregation of networks that house sensitive data from those that don’t. Once in place, firewall event log monitoring is important to ensure everything stays secure. Multiple layers of protection are best when it comes to protecting your networks from hackers. Remember that firewalls are your best way to implement complete segmentation on your network, which can significantly reduce the number of systems in scope for audits.
Limit access to sensitive data. Sensitive data that needs to be stored should be accessible to the fewest employees possible. Only provide an employee access to your data if they need it to do their job, and grant that access to your most trusted employees. If there’s no business need for others to access sensitive data, then there’s no need to provide credentials. Access can always be granted later when your business grows and you need help managing the data.
Tokenize card data. When it comes to protecting data during a credit card transaction, tokenization can provide the maximum level of safety from a breach. If a hacker gains access to your system, but all of your account numbers are tokenized, the exposure is minimal. Tokenization replaces sensitive information with a mathematically irreversible token, so the only thing left on your system is a unique code that has no intrinsic value. Having this as a part of your payment solution not only protects you from hackers but also saves time on PCI compliance.
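As an added illustration of the point above (not code from the original article), a minimal tokenization vault: the token is random and unrelated to the card number, application code sees only a masked number, and the full number is released to a single role. TokenVault and the role names are assumptions.

```python
import secrets
from typing import Dict, Optional

# Added example, not code from the original article. TokenVault and the
# role names are hypothetical; the vault would live in its own network
# segment so that only it ever holds the PAN<->token mapping.

def luhn_valid(pan: str) -> bool:
    """Reject malformed PANs before tokenizing (Luhn mod-10 check)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """The only component that maps tokens back to card numbers."""
    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        if pan in self._by_pan:             # same card -> same token
            return self._by_pan[pan]
        # 128 random bits: the token carries no PAN material, so nothing
        # outside the vault can recover the card number from it.
        token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def masked(self, token: str) -> Optional[str]:
        """What ordinary application code may see: last four digits only."""
        pan = self._by_token.get(token)
        return None if pan is None else "*" * (len(pan) - 4) + pan[-4:]

    def detokenize(self, token: str, role: str) -> str:
        """Full PAN is released only to the payment-processor role."""
        if role != "payment_processor":
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._by_token[token]
```

A database dump taken from the application tier then contains only `tok_...` values and masked numbers, which is the reduced exposure the paragraph describes.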
Consider what you need from a payment vendor. When it comes to payment vendors, consider how much of your payment flow you want them to handle. There are vendors that offer a whole suite of solutions, from website APIs and card-present transactions to hosted payment pages. Consider which types of payments you are planning to accept now and in the future. If you are launching a website but plan to operate from physical locations in the future, investing in a vendor that has a variety of payment solutions is best. These vendors can grow along with you. Small businesses often make the mistake of ending up with two different payment service providers because they weren’t thinking about their long-term needs. Using a disjointed payment solution adds operational overhead and risk.
Monitor your networks. Once networks are designed and implemented, it is easy to neglect proper monitoring. You can choose to monitor events yourself using tools like ELK and Splunk, but it can be a better idea to outsource this during the early growth period using services like Rapid7 and AlienVault. If you have your own security product suite, managed security service providers can help you get the most out of your investment by augmenting your security staff with experts in engineering, content development and operations.
Vulnerability scanning and patch management. Get familiar with doing vulnerability assessments early and often. Vulnerability scans are important because they can quickly identify known exploits that criminals can use to gain access to your systems. Vulnerability assessments can be conducted with vulnerability scanner software products like OpenVAS and Nessus, or through third-party vulnerability management services. The results of these scans can be used to identify and prioritize necessary software patches. These tools and services help bring your largest vulnerabilities to the surface and lower your overall risk in a significant way.
Secure your endpoints. File-sharing and collaboration suites have become a popular and easy way to share information quickly between colleagues. Startups usually find these tools incredibly useful, but their use can open up new threats. It becomes crucial to ensure protection of user laptops and other endpoints. Find and use managed tools like CrowdStrike or Carbon Black to help with endpoint protection.
Control your cloud products. Startups leverage a variety of cloud products for productivity and collaboration. Limit access to your preferred vendors with a secure web gateway. These proxy services can reduce “shadow IT” and help you control where your data resides. Cloud access security brokers will control how cloud services are used and where your data goes.
Code review. More than three-quarters of websites scanned over the past three years had open vulnerabilities like an outdated operating system or plugins, says the 2016 Symantec Global Cyber Security Threats, Trends, and Insights Survey. Before your website goes live, there are checks and balances you should go through. Code analysis tools like Veracode can help ensure your internet-facing code doesn’t contain software errors that can be exploited.
Configuration management. Standardize computers and other devices from day one. It is easy to just send someone out to purchase any computer when you need one, but having all your users on the same make and model device allows for easier management. They can all be configured and managed in the same way.
Support for compliance programs needs to come from the highest levels of leadership. When this support is absent, compliance programs ultimately fail because other business initiatives are constantly prioritized ahead of compliance.
As your infrastructure grows, it can become a challenge to make fundamental changes. Therefore, in the short term, it is important to choose technologies that can be easily extended or replaced down the road when a more robust solution is needed. In the long term, fine-tune solutions that you already have in place by extending their functionality or replacing them with other solutions that can handle the increased network growth.