The Payment Card Industry (PCI) council provides guidance and support for securing payments and applying best practice to both merchants and service providers. It is the council that keeps its finger on the pulse of the ever-changing threat landscape, continuously monitoring new avenues of payment fraud while ensuring that new ways of paying can be accepted and trusted.
At this point in time, professionals agree that PCI DSS v3.2.1 is an established, mature set of requirements that provides the framework for ensuring payment security.
The PCI Council updates and revises these standards, and professionals in our industry focus on this guidance to carefully advise our clients. That said, there are some key advisory notes that do not receive the same attention and consideration, yet can have just as significant an impact on the security environment of our customers.
One such advisory note is a recent supporting blog entry by the PCI council regarding patching.
As IT professionals, we have become accustomed, nay, even numbed by the admonition that is the cornerstone of our defence against malicious activity – “Update your software regularly!”
In fact, the PCI blog entry states: “The use of outdated and unpatched software is one of the leading causes of payment data breaches for businesses.”
We are all human, and that includes the programmers who write the code for our applications. Vendors regularly issue updates to fix software vulnerabilities, but simply having the most recent updates installed can give us a false sense of security. It is our duty to ensure that the source of each patch is verified and trusted. If you ever find yourself in doubt you MUST speak to your vendor, who can give you hands-on advice on which patches may install automatically and which need implementation planning and, most importantly, testing.
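One concrete way to act on “verify the source of the patch” is to check a downloaded update against the checksum manifest and detached signature the vendor publishes, before anything is installed. The script below is an added example written for this article, not code from the PCI council or any vendor; the patch file, manifest and file names in it are constructed for illustration. It checks the SHA-256 digest of a file against a `sha256sum`-style manifest and, as a separate step, shows how the manifest itself can be checked against a keyring holding only the vendor's signing key, because a manifest downloaded from the same unverified place as the patch proves nothing on its own.

```shell
#!/bin/sh
# Verify a downloaded patch against the vendor-published checksum manifest
# before it is installed. File names and contents here are constructed
# samples; a real deployment uses the vendor's own manifest and signing key.

# Print the SHA-256 digest of a file with whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_patch_checksum FILE MANIFEST
# MANIFEST holds lines of the form "<sha256>  <filename>" as produced by
# sha256sum. Returns 0 when FILE's digest matches the entry for its basename,
# 1 when the digest differs (tampered or corrupted download), and 2 when the
# manifest has no entry for it (never install an unlisted file).
verify_patch_checksum() {
    file=$1
    manifest=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n {print $1; exit}' "$manifest")
    if [ -z "$expected" ]; then
        echo "no manifest entry for $name" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "checksum OK: $name"
        return 0
    fi
    echo "checksum MISMATCH for $name (expected $expected, got $actual)" >&2
    return 1
}

# verify_manifest_signature MANIFEST SIGNATURE KEYRING
# Checks the detached OpenPGP signature on the manifest against a keyring
# that contains only the vendor's published signing key. This is the step
# that ties the checksums to the vendor rather than to whoever served the
# download. It needs gpg and a real keyring, so the demo below does not
# call it.
verify_manifest_signature() {
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1"
}

# Demonstration on a constructed patch file and manifest. Returns 0 only if
# a good file passes, a tampered file fails, and an unlisted file is refused.
demo_patch_verification() {
    workdir=$(mktemp -d)
    printf 'payment-gateway patch 1.2.3 (constructed sample)\n' > "$workdir/patch.tar"
    # The manifest stands in for what the vendor would publish alongside the download.
    printf '%s  patch.tar\n' "$(sha256_of "$workdir/patch.tar")" > "$workdir/SHA256SUMS"

    ok=1
    verify_patch_checksum "$workdir/patch.tar" "$workdir/SHA256SUMS" || ok=0

    # Simulate a modified download: one extra byte changes the digest.
    printf 'x' >> "$workdir/patch.tar"
    if verify_patch_checksum "$workdir/patch.tar" "$workdir/SHA256SUMS" 2>/dev/null; then ok=0; fi

    # A file the vendor never listed must not be accepted either.
    printf 'unlisted\n' > "$workdir/hotfix.bin"
    if verify_patch_checksum "$workdir/hotfix.bin" "$workdir/SHA256SUMS" 2>/dev/null; then ok=0; fi

    rm -rf "$workdir"
    [ "$ok" -eq 1 ]
}

demo_patch_verification
```

Run the script directly to see one pass and two refusals. In practice the order matters: verify the manifest's signature first, then the patch against the manifest, and only then hand the file to the installer or the change-management process the vendor advised.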
The PCI council urges e-commerce businesses not to neglect the patching process. These businesses should receive the applicable patches from their payment service provider. However, it is essential to be diligent and ask questions. Have they patched their systems? Are they protected from newly discovered vulnerabilities? As an e-commerce merchant, you need to make sure that your operating systems, e-commerce platforms and web applications are kept up to date so that they can take the latest patches.
As the age-old saying goes, “It is better to be safe than sorry”, and it could not be more appropriate here. Ensuring that all your systems are up to date with verified patches is simple. Recovering a customer’s confidence and your reputation after a breach is far more complex and costly for all of us.