Why Is A PCI Review Not Enough?

(The Hosting News) – What is PCI: PCI is an acronym for Payment Card Interface. It is a set of best-practice guidelines that are strongly recommended by the PCI council, which is backed primarily by credit card companies and payment processors. These guidelines describe the practices and procedures a website or organization needs to follow in order to secure sensitive information related to financial transactions when it takes part in e-commerce on the Internet. Some of the guidelines in the PCI standard specify what kind of vulnerability assessments companies must carry out, how financial data should be stored and transferred, and more.

Is it any good: Yes, many of the recommendations make good sense. Consider quarterly vulnerability analysis, encrypted storage of credit card data, the use of cryptography when transferring any such data, and much more. The recommendations aim to give companies a baseline for securing the valuable data they store. Keep in mind, though, that the PCI compliance document was written so that most companies can comply with it relatively easily.

It is a popular misconception that getting a quarterly PCI scan allows the owner of an online infrastructure or service to kick back and relax. This is far from the truth. It is true that getting a vulnerability scan done on your website and infrastructure lets you proactively fix security issues, hopefully before hackers break in. And just in case you are thinking, “my website is impenetrable”, consider that in the last year alone, we at Stopthehacker.com have documented a 100% increase over the previous year in incidents of web-based malware affecting websites, hosters and e-businesses. More than 6,600 benign, legitimate websites get hacked every day. Statistically, there is a good chance that some of these are PCI compliant too.

Why is a quarterly review not effective: Getting a vulnerability review done on a quarterly basis is a good first step. However, with the current spate of polymorphic web malware traversing the Internet, combined with the speed at which vulnerabilities in the software used to design and host websites are being disclosed, it is near impossible for most kinds of vulnerability scanning to keep up. Quarterly scans are not enough.

Given that we see thousands of samples of web-based malware every day, which are very different from the malware that infects a PC, it is only a matter of time before weakly protected websites are compromised. To handle this situation, a constant monitoring service that alerts you to intrusions on your website can prove helpful. With 24×7×365 monitoring, when a piece of malware makes its way through a site's defenses, the site owner is the first to know and can take immediate corrective action. PCI policies “suggest” this kind of monitoring service.

What can you do: As a hoster, you can keep your customers' websites safer by taking advantage of new, emerging website “Health Monitoring” solutions. This new kind of technology is based on advanced AI and self-learning mechanisms, scans websites with minimal interruption, is entirely SaaS based, and uses advanced machine learning to catch never-before-seen malware. This is a significant break from the way most traditional anti-virus software works. Keep in mind that PCI certifications are important, but they are not enough.

Using new, emerging technology such as on-demand web scanning can help hosting companies identify rogue websites on their networks and protect their reputation. It can also become a golden opportunity to increase recurring revenue and distinguish oneself from the competition. For more details, please get in touch with us at Stopthehacker.com.

Source: Why Is A PCI Review Not Enough?
