With data breaches from leading companies occurring on a frequent basis, from Anthem to Home Depot to the U.S. Government, the topic of IT security continues to take center stage across all industries. For companies involved with banking or credit card payments, developing and maintaining a secure payment solution requires us to think outside the box.
Companies need to think beyond passing an annual audit for PCI DSS compliance; it’s limited in scope and focused on a sampling of systems to ensure compliance with 330 requirements. Ultimately, you are judged by keeping your customer data secure and avoiding the security breaches that we read in the news on a frequent basis.
The objective of a secure payment solution needs to hone in on your culture, processes and relationship with your partners.
Step 1: Develop a Culture of Security
Too often, we see security or compliance projects executed as a painful “one-off” initiative that impacts all active systems and in-process development projects. Teams often stop work to participate in a security project that, in the end, amounts to a “check-the-box” exercise, enabling an organization to declare an audit was passed. Or, the security project throws a wrench in a production system or ongoing project, as remediation takes up vital resources, pushes out project timelines and overruns budgets.
A better approach involves changing your internal IT culture and relationship with vendors to embrace and include security in all aspects of a project. To reinforce the approach beyond a lecture to the team, we recommend having your architects, developers and partners actively participate in security groups. For example, the Open Web Application Security Project (OWASP) offers an opportunity for your team to join, participate in and adopt best practices on securing your web applications.
When team members join online communities or local groups dedicated to security, your application designs and network components go beyond a series of checklists focused on firewalls, passwords and encryption to a culture that adopts and embraces security during the planning, development and ongoing support stages. In these environments, team members will be the ones who regularly drive, innovate and change to make sure that all systems secure your sensitive customer data.
Step 2: Conduct Frequent Training Sessions
A second step in developing secure payment systems involves implementing frequent training sessions to keep your development and support team up to speed on industry events, trends and best practices.
At MicroAutomation, we adopted a “lunch and learn” concept that allows our developers and engineers to lead sessions that both inform and train our staff on a variety of topics, and that includes security. Training programs like these replace those ineffectual, for-show exercises where employees must read and sign documentation on corporate security processes.
Step 3: Reward Program for Contribution
Another approach is to utilize gamification to encourage your team to read industry-leading blogs and publications, and to implement a bonus program when team members use their security research to drive continuous improvement to the security of your payment applications and customer data.
A good list of respected blogs on security can be found on the DDoS Attack Protection website, but the top three I find myself reading often are:
As a father of four children, I think I have had the opportunity to watch every infomercial that has hit cable TV in the past decade. A personal favorite was the Ronco Set and Forget It! rotisserie oven. And while that tag line from the infomercial has been adopted into our pop culture lexicon, it should never, ever be applied to any of your corporate systems. Instead, your systems need to be treated as living, breathing ecosystems that will continually change and evolve.
At a minimum, they should contain a detailed component list and a recurring process to update each component when a new release hits the market. In the past, companies took the stance of not touching a production solution that operated without error, but that era of “Set it and forget it!” no longer applies.
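The component list and recurring update process above are easy to state and easy to let drift, so here is an added example (not code from the original post or from MicroAutomation) of the smallest tool that keeps them honest: a script that reads a component inventory, compares each deployed version against the latest release the team has recorded, and produces a worklist for the owning team. The inventory format, the component names and versions, and the owner teams are all constructed for the example.

```python
"""Component inventory staleness check.

Added example, not code from the original post or MicroAutomation. It assumes a
constructed inventory (name, deployed version, latest known release, owner) and
flags components whose deployed version lags the latest release, so the
recurring update process has a concrete worklist.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample inventory for a hypothetical payment application.
SAMPLE_INVENTORY = """\
# name,deployed,latest,owner
openssl,1.0.2,1.1.1,platform-team
tomcat,8.5.4,8.5.4,app-team
log-library,2.14.1,2.17.1,app-team
payment-gateway-sdk,3.2,3.2.0,integration-team
db-driver,42.2.5-rc1,42.2.5,platform-team
"""


@dataclass(frozen=True)
class Component:
    name: str
    deployed: str
    latest: str
    owner: str  # team responsible for scheduling the update


_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?")


def parse_version(v: str) -> Tuple[Tuple[int, ...], int, str]:
    """Turn '2.4.1' or '1.10.0-rc1' into a tuple that compares correctly.

    Numeric fields compare as integers (so 1.10 > 1.9), short versions are
    padded (2.4 == 2.4.0), and a pre-release suffix sorts before the final
    release (1.0.0-rc1 < 1.0.0).
    """
    m = _VERSION_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    if len(nums) < 3:
        nums = nums + (0,) * (3 - len(nums))
    pre = m.group(2)
    return (nums, 1, "") if pre is None else (nums, 0, pre)


def parse_inventory(text: str) -> List[Component]:
    """Parse the four-column CSV inventory; '#' lines and blanks are ignored."""
    components = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        components.append(Component(*fields))
    return components


def is_outdated(c: Component) -> bool:
    """True when the deployed version is older than the latest known release."""
    return parse_version(c.deployed) < parse_version(c.latest)


def outdated_components(inventory: List[Component]) -> List[Component]:
    """The update worklist: every component that lags its latest release."""
    return [c for c in inventory if is_outdated(c)]


def report(inventory: List[Component]) -> List[str]:
    """One line per outdated component, addressed to its owner."""
    return [
        f"{c.owner}: update {c.name} {c.deployed} -> {c.latest}"
        for c in outdated_components(inventory)
    ]


if __name__ == "__main__":
    for line in report(parse_inventory(SAMPLE_INVENTORY)):
        print(line)
```

Run on the sample inventory, the report names openssl, log-library and db-driver; tomcat is current and the gateway SDK's "3.2" is treated as equal to "3.2.0" rather than flagged. The "latest" column is what makes the process recurring: someone has to refresh it on a schedule (from vendor release notes or a package feed), and a component whose "latest" column has not changed in a long time is itself a signal worth reviewing.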
If you work with vendors, I recommend that you review our blog on support services, and make sure that all vendors provide both maintenance and new versions as part of your support contract.
Implementing a secure payment solution and protecting critical customer data requires a cultural change embraced by your IT organization and external partners. And that starts with a paradigm shift in your thinking and approach. Because if you continue down the path of taking your employees through periodic demonstrations of “checking the box” with security, a dynamic, secure payment solution will always be out of reach.