It’s that time of year: the days are beginning to cool, the leaves are changing color and consumers everywhere are starting to shop for the holidays. Yes, already. If you’ve been buried in compliance preparations for your 2015 PCI audit, you might not even be thinking about the coming upsurge in traffic for your sites and applications – but now is the time to get your infrastructure ready.
As I’m sure you remember, last year’s holiday season was the time of the epic Target breach. That’s not a surprise; hackers know that credit and debit cards are out in full force at this time of year. Merchants of all types often do their biggest business leading up to the holidays, which makes performance an issue too. The surge in traffic can give your infrastructure a workout.
Bear in mind that it’s not just typical retailers who get busy for the holidays. Almost anyone who handles payment card data can notice an uptick in activity. Consumers are booking vacations, joining gyms in preparation for New Year’s fitness resolutions, and buying extra groceries for holiday parties and family visits. Card numbers and other financial data are flowing through networks everywhere – and hackers are waiting to pounce.
The good news? Thanks to the work you’ve already done for PCI, you can prepare your system for the holidays and do a final compliance check at the same time.
Your first step is revisiting your Cardholder Data Environment (CDE) to make sure it’s clearly defined and locked down. You should already have a thorough inventory list of every device and software component that touches your data, along with network and data flow diagrams that show how the devices are connected and how the payment information flows through your environment.
Now you get to put them to use. With just a glance, you’ll be able to track the path of card data through your system, identify any security gaps and allocate your resources for smart risk management strategies. Hopefully you’ve already checked every system for stored card data and done a pen test, something required by PCI 3.0. However, it’s not a bad idea to run more tests to expose any rogue data locations or security weaknesses before the holiday traffic surges start. While you’re at it, make sure that your malware detection system is working effectively too.
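One concrete way to hunt for the "rogue data locations" mentioned above is a cardholder-data discovery scan: look through logs, exports and temp files for digit runs that pass the Luhn check, then report them masked (first six and last four digits) so the report itself does not become another place card numbers are stored. The script below is an added example written for this post, not a tool the author describes; the sample log lines, the file suffixes it scans and the well-known test card numbers in it are all constructed for the demonstration.

```python
import re
from pathlib import Path
from typing import NamedTuple

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits (so an order id of 20
# digits is not split into a fake 16-digit match).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class Finding(NamedTuple):
    source: str     # file path or label of the text that was scanned
    line_no: int    # 1-based line in that source
    masked: str     # first 6 + last 4 digits, the display form PCI DSS permits


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first six and last four digits, star out the middle."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str, source: str = "<text>") -> list[Finding]:
    """Return masked findings for every Luhn-valid candidate in `text`."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            # Luhn filters out most timestamps, order ids and phone numbers;
            # a production scanner would add issuer (BIN) range checks too.
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding(source, line_no, mask(digits)))
    return findings


def scan_tree(root: Path, suffixes=(".log", ".txt", ".csv")) -> list[Finding]:
    """Walk `root` and scan every file with one of the given suffixes.

    Assumption for this example: card data leaks into plain-text files;
    databases, memory dumps and binary formats need separate handling.
    """
    findings: list[Finding] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            text = path.read_text(encoding="utf-8", errors="ignore")
            findings.extend(scan_text(text, str(path)))
    return findings


# Constructed sample: one invalid digit run, one Luhn-valid Visa test number,
# one dash-separated number that fails Luhn, and a space-separated Amex test
# number that a careless debug line wrote to disk.
SAMPLE_LOG = """\
2014-11-20 10:02:11 order=1234567890123456 status=ok
2014-11-20 10:02:12 DEBUG card=4111111111111111 exp=12/16
2014-11-20 10:02:13 DEBUG card=4111-1111-1111-1112 exp=12/16
2014-11-20 10:02:14 note: amex 3782 822463 10005 stored in temp file
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG, "constructed.log"):
        print(f"{f.source}:{f.line_no}: possible PAN {f.masked}")
```

Run against the constructed log it reports the Visa number on line 2 and the Amex number on line 4, and ignores the order id and the mistyped card on lines 1 and 3. Point `scan_tree` at a web root or log directory to get the same report for real files; anything it flags in a location outside your documented CDE is exactly the kind of scope creep the inventory and data-flow diagrams are meant to catch.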
Also important: remember that security is about people, processes and technology. That’s an especially important message at this time of year, when many organizations hire temporary holiday help, go through layoffs, or reshuffle staff roles for the coming year. New frontline staff may not be trained to spot fraudulent payment card behavior; a harried employee could develop a new shortcut that puts data in an unsafe place. Any process, from manual orders to encryption key management to chargebacks, could go off the compliance track thanks to personnel and process changes. So be on the lookout for any changes that violate PCI 3.0 requirements.
And speaking of “busy,” uptime is everything in a hectic shopping season. A site that goes slow or crashes isn’t just inconvenient to your customers; it’s deadly to your brand reputation. To stop customers from going straight to your competitors, test your performance now. Is your network able to scale efficiently? Can you accommodate a massive spike in traffic during seasonal sales?
Finally, as you work through the above security and performance checks, odds are good that some of your controls will shift. If that happens, remember that your documentation needs to be current for your 2015 audit, so be sure to update your diagrams, inventories and reports.
The coming months will no doubt be hectic ones between increased holiday business and final audit preparations – but they can also bring a potential windfall for your organization. Lay a preemptive foundation of security and compliance now, and you’ll position yourself for a safe and profitable holiday season.