Dot my i's and cross my t's:

How to keep data secure in the age of endless information

Singer and cultural phenomenon Lady Gaga may have put it best when she quipped, "Trust is like a mirror. You can fix it if it's broken, but you can still see the crack in [its] reflection."

People place a great deal of trust in those they choose to associate with. From their friends and family to the companies they do business with every day, some level of risk is present at all times.

Will that person share an embarrassing secret with everyone they know? Hopefully not! But what about the credit card details they handed over at the restaurant where they had lunch? Is the information they shared with that concept, including personal data and card numbers, actually protected?

The risk of losing customer trust is a very real problem, one that can sandbag a business, tarnish its reputation and cost millions of dollars per attack.

According to IBM's Cost of a Data Breach Report, the average breach costs a business nearly $4 million and affects more than 25,000 records.

In the restaurant industry, the list of brands that have been hit by cyber-attacks includes heavy-hitters like Checkers and Rally’s, Applebee’s, Dunkin’ and Panera Bread… and that’s just since 2018. Unfortunately, while brands like these can pick up the pieces and quickly move on despite a somewhat bruised image, for smaller concepts the damages can be much more severe.

PCI DSS, PA-DSS, and EMV, which are industry standards, and SOC 1 and SOC 2, which are audit and attestation standards, are in place to protect merchants, guests, and issuers from increased risk and liability in the case of a data breach or accidental release of information. These constantly evolving standards cover not just guests and merchants, but processors and issuers as well.

What's at stake?

According to PCI Pal, an estimated 44% of Americans say they have been caught up in a security breach. Going further, roughly half of the Americans in the PCI Pal survey said they would feel more comfortable if companies were regularly audited and added verification systems.

Following several large-scale security breaches, including Facebook, Marriott, and Equifax, customers and industries alike are keeping a closer eye on compliance structures and doing their best to ensure data is protected at all costs.

Unfortunately, breaches are a common occurrence, and customers take their prevalence very seriously. PCI Pal's data shows that U.S. consumers will change their spending according to how much they trust a company, and close to 90% of U.S. consumers say they cannot trust that companies are protecting their information. For businesses that do not follow the EMV, PCI DSS, PA-DSS and SOC 1 and 2 standards, the risks far outweigh any benefit they might gain by skipping them.

When hackers steal financial and personal information, businesses do not simply pay a fine and walk away from the incident. Beyond the money lost to fines, penalties and legal fees, they lose future revenue, because customers can no longer trust them with their information or know where it will end up.

A breach can also damage a company's goodwill, which is essentially the monetary value attached to its brand name, reputation, customer base and relationships with employees and customers. Goodwill is not easy to define, but it is counted on top of a company's current net worth. After an attack, a brand's goodwill can take a hit, reducing its present value and tarnishing its image for some time.

Further down the line, these brands may also face higher compliance costs because of increased auditor scrutiny, loss of the ability to accept card payments, or even going out of business entirely under the financial strain.

It makes sense, though. Let’s say you got pickpocketed the last time you went to the park by your house. Most likely, you’re going to think twice before going back to that park. It works the same way when customers consider what companies they do business with. For some people, they may wait a few months before going back, but for others, the lack of safety and trust will prevent them from ever returning.

Compliance comes in several forms, but all of them are alike in that they protect customer data. Some are external audit practices that businesses use to validate their controls (SOC 1 and SOC 2), while others are meant to keep data secure at all times (PA-DSS and PCI DSS). The payment cards themselves also take data protection seriously: many card issuers in the U.S. made EMV the compliance standard in late 2015.

Each type of compliance performs a different function, but together they give operators and guests a high level of protection as part of a whole-network security program.

PA-DSS and PCI DSS: What to know

PA-DSS, the Payment Application Data Security Standard, and PCI DSS, the Payment Card Industry Data Security Standard, are both rules from the Payment Card Industry Security Standards Council. While the two acronyms look similar, they cover two different parts of the payment process.

The PA-DSS program and compliance standard is tied to the application itself: vendors must ensure their software meets 14 stringent requirements. These include protecting cardholder data, ensuring card verification codes are never stored, performing proper testing so vulnerabilities are caught before release, ensuring cardholder data is never stored on Internet-connected servers, and several other requirements. Employee training and other internal policy programs also fall under the PA-DSS guidelines.

So, why does it matter if an application has PA-DSS certifications? Achieving and exceeding those standards shows that a business is adhering to stricter standards than those without the designation. For customers, it means they can choose to work with vendors and vendor software that will keep their data safe and always properly handle their credit card data.

For those unfamiliar with PCI DSS, the standard was developed in the early 2000s to help address the theft and fraud that was taking place online. Shoppers were eager to take advantage of e-commerce, but online shopping and payments also became a prime target for hackers and others hoping to capture valuable credit card information.

In December 2004, the five credit card leaders, Visa, Mastercard, American Express, Discover Financial Services and JCB International, released the first version of PCI DSS and began holding merchants accountable to the new standard.

"PCI DSS is a data security and system operations standard issued by the payment card industry, so the big credit card issuers," said Leonard Redles, PAR's Director of Development. "It's basically a set of security system measures and ways of operating your business when you handle credit cards, to minimize the risk that their data gets stolen and that you have credit card numbers stolen. When you go to get certified, you agree to a lot of technical things you're going to do."

By 2006 the PCI Security Standards Council had been formed, and regular updates to the standard have followed since. Much as Google constantly updates its algorithms so users get the best experience, the PCI standard is developed and refined to ensure all customers are protected against breaches. At the time of writing, the latest version of PCI DSS is version 3.2.1, released in May 2018. PCI DSS compliance is hard to achieve and requires companies to put in place a range of automated systems and codified practices to control the flow, storage and access of their data and systems.

“We make recommendations through our implementation guide for Brink about how to make sure you have a secure store environment but having that PCI secure environment is the merchant’s responsibility,” Christine Fuchs, PAR’s Sr. Product Manager, said. “Normally, if a customer is buying a POS system, they should know to go to the PCI Council site and look up that vendor. Of course, the desire would be that they are purchasing a POS system with the latest certifications.”

When a company is audited under PCI DSS regulations, several areas are closely scrutinized to ensure data is protected from cradle to grave. This includes everything from the people who process, store and transmit cardholder information, to servers, network infrastructure devices, data centers, individual workstations, and the application itself to determine where any failure points may arise.

Every time a card is swiped or dipped at a payment device, a lot of customer data is transmitted. According to the PCI SSC, everything from the person's account number and the information that identifies the payment card, to magnetic stripe data, PINs and other details, must be protected by the businesses that handle it.
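The PA-DSS requirements listed earlier (never store card verification codes, protect cardholder data) and the list of data elements above are easier to reason about with a concrete filter in hand. The following is an added example written for this article, not PAR's code and not from any PCI SSC document; it shows one way a POS or back-office component can decide what from a transaction record may be written to disk and how to scan existing text for PANs that slipped through. The field names, the hashing key and the sample transaction and log line are all constructed for the example. The rules it encodes are the ones PCI DSS 3.2.1 states: sensitive authentication data (full track data, card verification code, PIN block) is not stored after authorization, a displayed PAN shows at most the first six and last four digits, and a keyed one-way hash of the full PAN is an acceptable way to keep a reference to a card.

```python
import hashlib
import hmac
import re

# Added example (not PAR's code): a "what may be stored" filter for a card
# transaction record, following the PCI DSS rules summarized in the article.

# Sensitive authentication data (SAD): PCI DSS Requirement 3.2 forbids storing
# these after authorization, even encrypted, and even in logs.
SENSITIVE_AUTH_FIELDS = ("track1", "track2", "cvv2", "pin_block")

# Hypothetical key for tokenizing PANs; a real deployment keeps this in an HSM/KMS.
PAN_HASH_KEY = b"example-only-key-replace-me"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: cheap test that a digit run is a plausible card number."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form permitted by PCI DSS Requirement 3.3: first six and last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str) -> str:
    """Keyed one-way hash of the full PAN (Requirement 3.4 allows strong one-way
    hashes) so repeat transactions can be linked without retaining the PAN."""
    return hmac.new(PAN_HASH_KEY, pan.encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(txn: dict) -> tuple:
    """Return (record_safe_to_store, names_of_dropped_fields).

    Drops SAD outright, replaces the PAN with its masked form plus a token, and
    refuses records whose PAN fails Luhn (most likely a garbled read)."""
    if not luhn_valid(txn.get("pan", "")):
        raise ValueError("PAN failed Luhn check; refusing to store record")
    stored = {}
    dropped = []
    for key, value in txn.items():
        if key in SENSITIVE_AUTH_FIELDS:
            dropped.append(key)             # never written anywhere
        elif key == "pan":
            stored["pan_masked"] = mask_pan(value)
            stored["pan_token"] = pan_token(value)
        else:
            stored[key] = value
    return stored, dropped


# Digit runs of card-number length not embedded in a longer number.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans_in_text(text: str) -> list:
    """Scan free text (logs, crash dumps) for unmasked PANs: digit runs of
    card-number length that also pass Luhn. A quick leak check on stored data."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text) if luhn_valid(m.group(0))]


if __name__ == "__main__":
    # Constructed sample: what a POS might hold in memory during authorization.
    txn = {
        "pan": "4111111111111111",          # well-known Visa test number, Luhn-valid
        "expiry": "12/26",
        "cardholder": "J. DOE",
        "cvv2": "123",
        "track2": "4111111111111111=26121011000012345678",
        "pin_block": "A1B2C3D4E5F60718",
        "amount_cents": 1250,
    }
    record, dropped = sanitize_for_storage(txn)
    print(record)       # pan_masked=411111******1111 plus token, no cvv2/track2/pin_block
    print(dropped)      # ['cvv2', 'track2', 'pin_block']
    # Constructed log line: a 13-digit timestamp next to a leaked PAN.
    log = "ts=1567890123456 order=9981 pan=4111111111111111 amount=12.50"
    print(find_pans_in_text(log))   # ['4111111111111111']; the timestamp fails Luhn
```

The Luhn filter in the scanner is what keeps timestamps and order numbers from showing up as false positives; the masked form keeps enough of the PAN for receipts and support lookups while the token carries the linkage a loyalty or refund flow needs.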

Although PCI DSS does a lot to ensure payment transactions are secure, this is only one of several touchpoints in the process. Even if the processing and POS software are both credentialed and fully tested to meet rigorous standards, merchants might not always be as careful. Those who fail to keep up with requirements may open themselves up to several problems if a data breach were to occur.

"We have ISO [International Organization for Standardization] procedures, procedures that we follow, and if a merchant were to report a breach to us, we would cooperate with any authorities involved in that breach," Fuchs said. "If a merchant were to report a breach, it would immediately be handled by our legal team, and there is a process and a procedure that they follow. If something were to happen, they would gather information from the different departments around the company."

Of course, as PAR's Director of Development Leonard Redles says, the best companies minimize the harm to themselves and their customers by maintaining their compliance. These companies stress security and invest the time and money to keep their products and procedures up to date and airtight, and to prevent breaches.

“These are pretty much the core tenets that people want when you’re talking POS. They want PA-DSS, even if the application doesn’t have credit card information. They want to know that your application has been certified to be a POS application. PCI DSS, those standards aren’t just for credit cards, but have benefits for all the data that you have and system security overall.”

PCI and EMV: Working together to reduce fraud

While PCI compliance boils down to a set of common practices for keeping your data out of thieves' hands, there is another protection merchants use today to keep your card numbers safe.

EMV stands for Europay, Mastercard and Visa, and it is a set of specifications covering payment card data. You have probably noticed the chip on most credit cards these days, especially since the 2015 EMV mandate. That chip holds your payment credentials and generates a unique cryptogram for the issuer each time the card is used for a purchase. The idea is that these one-time codes and verification measures, including chip-and-PIN or chip-and-signature technology, render captured payment data useless if it ends up in the wrong hands, because a cryptogram cannot be replayed for a second purchase.
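To make the "unique message per transaction" idea concrete, here is an added illustration written for this article. It is not PAR's code and it is not EMV's actual algorithm: a real chip computes its cryptogram (the ARQC) with card-specific keys derived from an issuer master key using 3DES or AES, over data that includes the amount, the transaction counter and a terminal-supplied unpredictable number. This model keeps those inputs but substitutes HMAC-SHA256 for the card's cryptography, and the class names, PAN and keys are constructed for the example. What it demonstrates is the property the paragraph describes: a genuine cryptogram is accepted once, a captured copy is rejected as a replay, and a cryptogram attached to a changed amount fails verification.

```python
import hashlib
import hmac
import os

# Added example (not PAR's code, not the EMV ARQC algorithm): a simplified model
# of a per-transaction cryptogram, using HMAC-SHA256 in place of EMV's
# card-specific 3DES/AES keys. Inputs mirror EMV: amount, currency, the card's
# application transaction counter (ATC) and the terminal's unpredictable number.


def _mac(key: bytes, amount_cents: int, currency: str, atc: int, un: bytes) -> bytes:
    """Cryptogram over the transaction data; 8-byte truncation mirrors EMV's length."""
    msg = f"{amount_cents}|{currency}|{atc}|{un.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    """Chip side: a secret shared only with the issuer, plus a monotonic counter."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self.key = key          # in a real card this never leaves the chip
        self.atc = 0            # application transaction counter

    def generate_cryptogram(self, amount_cents: int, currency: str, un: bytes) -> dict:
        self.atc += 1           # every transaction gets a fresh counter value
        mac = _mac(self.key, amount_cents, currency, self.atc, un)
        return {"pan": self.pan, "amount_cents": amount_cents, "currency": currency,
                "atc": self.atc, "un": un, "cryptogram": mac}


class Issuer:
    """Issuer host: verifies the cryptogram and enforces that the ATC only moves forward."""

    def __init__(self):
        self.keys = {}
        self.last_atc = {}

    def enroll(self, card: Card) -> None:
        self.keys[card.pan] = card.key
        self.last_atc[card.pan] = 0

    def authorize(self, req: dict) -> tuple:
        key = self.keys.get(req["pan"])
        if key is None:
            return False, "unknown card"
        expected = _mac(key, req["amount_cents"], req["currency"], req["atc"], req["un"])
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return False, "cryptogram mismatch"      # forged, or data altered in transit
        if req["atc"] <= self.last_atc[req["pan"]]:
            return False, "replay: atc already used"  # a captured message resent
        self.last_atc[req["pan"]] = req["atc"]
        return True, "approved"


def run_demo(un: bytes = None) -> dict:
    """A genuine purchase, a replay of the captured message, and a tampered amount."""
    un = un or os.urandom(4)                   # terminal-supplied unpredictable number
    issuer = Issuer()
    card = Card("4111111111111111", os.urandom(16))   # constructed test PAN and key
    issuer.enroll(card)
    req = card.generate_cryptogram(1250, "USD", un)
    genuine = issuer.authorize(req)
    replay = issuer.authorize(dict(req))                   # attacker resends the capture
    tampered = issuer.authorize(dict(req, amount_cents=1)) # attacker edits the amount
    return {"genuine": genuine, "replay": replay, "tampered": tampered}


if __name__ == "__main__":
    for name, (ok, why) in run_demo().items():
        print(f"{name:8s} {'APPROVED' if ok else 'DECLINED'} ({why})")
```

The two checks are independent on purpose: the MAC catches anything altered or forged, and the counter catches a perfect copy of a legitimate message. Swiping a magnetic stripe, by contrast, hands over static data that passes both checks every time it is copied, which is why the stripe remains the weak point until EMV readers are in place.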

While PCI and EMV target two different parts of the payment process, Fuchs says some merchants have been slow to adopt EMV technology, mostly because of financial constraints.

"It became a mandate in 2015 and a lot of merchants were slow to adopt it initially, but now it's getting wider acceptance and is becoming a standard," Fuchs said. "People were slow to adopt it because it costs money; you have to buy equipment for every store, so there is cost involved.

For those who have been slow to adopt it, if they go through PCI audits, meaning they use an external audit company to come in and audit their stores, it is possible that their external auditor has given them a deadline that they need to move to an EMV solution.”

While the upfront cost of investing in an EMV-compliant solution may seem prohibitive, it is likely far lower than the cost of playing Russian roulette with customer data. According to creditcards.com, the cost of non-compliance varies by issuer, but some processors have begun charging merchants that have not upgraded their equipment. Worse, in the event of a breach, a merchant that complies with PCI standards but not EMV is still not shielded from liability.

"If they have something in their store environment that causes a breach, it could be their fault," Fuchs said. "But [being EMV and PCI compliant] will greatly reduce your chances of being held liable. The goal is to remove liability, meaning the liability we provide. But if they have something in their store environment, maybe their network isn't secure, that allows a breach to happen, that would be their fault."

The liability shift from issuers to merchants regarding EMV was meant to push more merchants into adopting chip card technology, which has been successful in reducing card-present fraud since its introduction in the United States. Visa announced in March 2018 that merchants who upgraded their card readers to accept chip transactions saw a 76% reduction in counterfeit fraud dollars during a period from December 2015 to December 2017.

The case for SOC 1 and SOC 2

Beyond PA-DSS and PCI DSS there are Service Organization Control, or SOC, reports, which companies should prepare to document their internal policies. SOC 1 and SOC 2 reports were designed to document a business's financial reporting controls, but they can also be used to address other areas where sensitive information is collected, such as human resources.

Redles says SOC audits are important for companies to maintain because they ensure their operations are secure against threats of any type.

"Type 1 is a review of system data, samples, policies and what is actually done, showing that you have controls, and Type 2 is the external auditor verifying it," Redles said. "They're just different types of audits. You can get different degrees of attestation for your company policies. You have to create a certain level of policy to meet the minimum requirements, and then you can create whatever additional policies you want. They attest that you have every policy document around the core principles of the audit, that you are following your processes, and that they are sufficient to protect the data you have and maintain system security."

Typically, a SOC 1 report covers internal controls over financial reporting. SOC 2, on the other hand, covers non-financial controls, including system security, privacy and the protection of sensitive data. Both reports are issued under American Institute of Certified Public Accountants (AICPA) attestation standards; SOC 2 is organized around the AICPA Trust Services Criteria, which cover security, availability, processing integrity, confidentiality and privacy.

Both SOC 1 and SOC 2 reports come in Type 1 and Type 2 versions. In each case, a Type 1 report looks at a company's security or financial controls at a single point in time. Type 2 reports, however, examine how a business's controls operated over a period of time, typically at least six months. To muddy the water further, there are also SOC 3 reports, which contain the same kind of information one might find in a SOC 2 but in language that is far easier for a general audience to understand.

Together, SOC reports give customers some measure of relief in knowing that the company they have entrusted with their data uses it appropriately and has the right internal controls in place to protect it and keep it private.

“For PAR, it was proving that we don’t give data away, we properly secure it, we have all the right controls in place, rotate passwords, rotate encryption keys, use MFA to connect all our remote systems, etc. It also ensures we have proper security procedures in place, teams that review everything, automated systems that maintain system security, and employees watching.”

Any company built on the booming software-as-a-service, or SaaS, model is a prime candidate for SOC 2, mainly because it speaks directly to software security. Given the growing popularity of cloud hosting in recent years, companies that store customer data in the cloud also need to be SOC 2 compliant.

"SOC 1 and SOC 2 are really just proof that your organization has proper procedures and policies in place and cares enough to create them and work to follow them," he explained. "So if you're not willing to do something that is commonplace in today's world for any company that makes money and sells to bigger customers, it makes you question what they're doing."

But despite the cost of SOC 1 and SOC 2 audits and compliance, Redles believes the added security and trust are more than enough to outweigh the work required.

"It slows you down, having to maintain these things, but at the same time, security isn't convenient," Redles said. "Convenient security isn't security."

Not all customer data is financial, but it still needs protection

We’ve talked a lot about what companies are doing to protect your financial and payment card information, but it’s more than likely you have a lot more data floating around on the internet than those all-important 16 digits. Data is one of the most valuable assets a company can get its hands on, and in many cases, we’re more than happy to provide it to them in exchange for something we want.

Whether it is a 15%-off coupon from your favorite online store or a white paper you simply must get your hands on, we routinely share our personal information with companies we trust. But what happens to that data once we hand it over has become the subject of a growing body of law meant to control how it is used and who can access it.

Businesses not only in the U.S. but around the world are being pushed to protect the valuable data they collect while giving consumers the power to control what happens to their information once it has been collected. This push for greater privacy shifts power back to consumers and adds security measures to keep their information from ending up in the wrong hands.

GDPR

If you live in the European Union, you have probably run into this four-letter acronym more than a few times. The General Data Protection Regulation, or GDPR, took effect in May 2018 and essentially dragged privacy and data collection into the 21st century by standardizing how businesses operating in the EU collect customer data and by making the process more transparent for consumers.

Today, when a customer provides personal data in exchange for a newsletter, product demo, coupon offer, webinar or anything else, several steps need to happen. One of the biggest changes is that companies must now obtain consent using clear, concise language. Businesses are no longer allowed to confuse consumers with policies jam-packed with legalese. Instead, conditions must be clear and concise, allowing consumers to freely consent to what they are agreeing to. Consumers also have the right to have their data erased; this is known as the right to be forgotten.

Other notable features of GDPR include the right to access one's data on request, to correct inaccurate data, to complete incomplete personal data, and even to have the information a company has collected transferred to another company of the consumer's choosing.

Companies are also held to a high standard in handling customer data and are required to keep security measures in place to protect it. In the event of a breach, GDPR has consumers' backs as well: a controller must notify the supervisory authority within 72 hours of becoming aware of the breach where feasible, and must inform the affected individuals when the breach is likely to result in a high risk to them; a processor must notify its controller without undue delay. If companies drag their feet, they may face heavy fines.

While some EU countries have taken a more moderate approach to fining non-compliant companies, the UK has come out swinging. In July, the UK's Information Commissioner's Office (ICO) issued a notice of its intent to fine British Airways more than £183 million for a breach the company reported in the fall of 2018. The very next day, the ICO issued a second notice of its intent to fine Marriott International just shy of £100 million for violating the GDPR. Although the agency suggests the breach may have begun in 2014, the issue was not reported until late 2018.

What is interesting about the case of the international hotel giant is that the regulator is not keeping its fines strictly to its own side of the pond. Instead, it is going after any business or entity that breaches its standards. Companies that currently fail to meet these conditions run a very real risk of drawing the attention of organizations intent on protecting consumer data at any cost.

CCPA

If you thought the European Union was the only government entity pushing for stricter data security laws, you would be sorely mistaken. One need look no further than our own backyard, where California is set to implement a set of data protection standards that rival Europe's.

The California Consumer Privacy Act follows many of the same tenets as GDPR but has some notable differences that make it unique. According to the National Law Review, the CCPA, which takes effect January 1, 2020, will allow consumers to know what data of theirs is being collected and whether it is being sold or disclosed to third parties, to opt out of having their data sold, and to sue companies more easily in the wake of a data breach.

The law also includes a 12-month look-back provision, meaning that if a consumer requests access to their personal information, the company must provide all of the data it collected in the 12 months preceding the date of the request.

While the CCPA is meant to protect California residents from companies misusing or losing their personally identifiable information, the law affects businesses across the United States. Under the law, any for-profit business doing business in California with annual gross revenues above $25 million is covered, as are companies that earn more than half of their annual revenue from selling consumers' personal information and companies that annually buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices. That last threshold alone sweeps in thousands of entities.

The CCPA has a lot of moving parts, but the main idea is that all personal data needs to be protected, no matter where it comes from or what it is used for. Although it looks a lot like the EU's GDPR rules, the CCPA does come with some unique protections that give California consumers additional rights. Unlike GDPR, which generally covers only an individual's data, the CCPA goes a step further and protects household data as well. The CCPA also lets consumers request deletion of their data for any reason. This is a major departure from the GDPR guidelines, which honor a deletion request only when it meets one of six specifically enumerated grounds.

By expanding the grounds on which consumers can have their data deleted to include any reason at all, the law takes power away from large businesses that rely on selling or sharing that data with other companies and hands it back to the people directly affected by those practices. The CCPA also gives consumers more teeth by cutting the red tape involved in taking legal action when breaches and other abuses occur.

The future of security

Today it is not enough for technology companies to simply say they follow the guidelines; they must take the proper actions and keep up and maintain their certifications. While the number of data breaches in 2018 dipped compared with 2017, the number of exposed consumer records containing personally identifiable information (PII) grew by more than 126%, to more than 446 million records.

With information flowing freely across the internet, it is more important than ever for businesses and vendors to work together to protect that information from attack. Whether the threat is a hacking attempt, unauthorized access caused by a careless employee, or even accidental exposure, customers should be able to keep their data private and out of the hands of potential attackers.

And if the threat of a foreign government or hacking group doesn't scare you, consider this: the threats ahead are likely to become even more complex and clever. For example, attackers may turn to artificial intelligence, using the massive amounts of data collected by machines to find weaknesses in networks, or using synthesized audio, video and text to craft convincing emails that fool someone or to spread misinformation to the public.

Government bodies around the world are taking notice of how data flows from consumers to businesses and are slowly changing the rules to reflect the current situation. With easier access to the right to be forgotten, the right to access personal data and assurances of proper security, ordinary citizens now have some guarantee of protection against mistakes. While this may not stop every breach from happening, it does add the security and accountability that has been lacking in recent years.

Companies also benefit by way of avoiding costly penalties, fines, and lost customer trust. As the famed inventor and statesman Benjamin Franklin once proclaimed, “An ounce of prevention is worth a pound of cure.” None of these certifications are cheap, and all are time-consuming to earn and maintain, but the cost of losing valuable customer trust, and possibly revenue, because of a singular costly mistake is a risk that, for most companies, isn’t worth taking.

Additional resources:

https://www.plantemoran.com/explore-our-thinking/insight/2017/08/five-risks-for-pci-dss-non-compliance

https://www.pcisecuritystandards.org/document_library

https://www.pcisecuritystandards.org/pci_security/why_security_matters

https://www.ibm.com/security/data-breach

https://www.fastcasual.com/blogs/is-your-restaurant-data-breach-pref/

https://www.forbes.com/sites/suzannerowankelleher/2019/04/04/the-latest-big-data-breach-should-make-you-rethink-how-you-pay-for-everything/#280c17bd4e4b


https://www.pcipal.com/wp-content/uploads/2019/09/This-is-The-World-PCI-Pal-ebook-DIGITAL-USA-v1.pdf

https://www.creditcards.com/credit-card-news/emv-faq-chip-cards-answers-1264.php

https://fattmerchant.com/blog/brief-history-emv-technology/#targetText=The%20first%20version%20ofEMV,with%20POS%20systems%20for%20authentication

https://securityintelligence.com/difference-pci-dss-pa-dss-payment-application-vendor-thinkappsec/

https://blog.truedigitalsecurity.com/blog/emv-vs-pci

Learn more at partech.com
