From the introduction of chip and PIN to the widespread use of Apple Pay and other contactless transactions, payment systems have evolved drastically in recent years. Advances in commerce and payment-acceptance technology require a corresponding revamp of the rules governing card payments. This is where the latest PCI DSS requirements fit in. Note that PCI DSS is an industry standard enforced through the card brands' and acquirers' contracts, not legislation, although the consequences of non-compliance (fines, higher transaction fees, loss of the ability to accept cards) are real.

Changes in compliance requirements can be overwhelming for decision-makers who want to remain compliant, so let us break them down for you.

Why have the PCI requirements changed?

The Payment Card Industry Data Security Standard (PCI DSS) was first published in 2004, and the PCI Security Standards Council was formed in 2006 to maintain it. Its aim is to protect cardholder data wherever it is stored, processed or transmitted. As the e-commerce industry matured, so did the need to protect consumers and their payment information.
When online payments first came on the scene, internal system policies were deemed sufficient to keep customer information protected. Before the proliferation of mobile payment systems, the majority of transactions took place within a company's own network, protected by its internal infrastructure. For a lot of businesses that is no longer the case.
In order to be flexible and mobile, companies employ a range of devices to receive and authorize payments. These devices operate on a variety of networks, each with a different level of security. If a device is compromised, an attacker may be able to get their hands on a wealth of customer information, from card data and login credentials to purchasing behavior and physical addresses.

POS attacks

POS is hardly a new topic in cybersecurity: attacks on point-of-sale terminals dominated headlines a couple of years back, with incidents occurring with increasing regularity. Verizon's 2015 Data Breach Investigations Report found that POS intrusions accounted for 28.5 percent of all confirmed breaches that occurred in 2014.
More recently, US grocery chain Whole Foods came under fire when it confirmed that point-of-sale terminals had been compromised, resulting in the theft of customer payment card data. The unauthorized access affected POS devices used in its taprooms and full-service restaurants rather than its main store checkouts.
The Amazon-owned natural-foods retailer employs over 85,000 members of staff and took more than $15.7 billion in sales last year alone, showing the potential scale of such a breach. In light of such incidents, the standard has been updated to guard against future attacks.

Who do the new PCI requirements apply to?

Simply put, if you accept card payments and in doing so store, process or transmit cardholder data, the standard applies to you. It affects companies of all sizes, from emerging startups to well-established multinational corporations.
Global home-assistance provider HomeServe has always put an emphasis on data security at all levels of its organization. It reached out to Wandera for assistance in becoming PCI DSS compliant and in reducing mobile data costs. As part of continuous improvement in this area, the company wanted to ensure that robust cybersecurity was in place for every route into its infrastructure.

“As with any company or individual, there is always a risk of being subject to a cyber attack. Because of this threat we ensure that cybersecurity is always fresh in the minds of our people. We all need to be vigilant and take steps to protect our organizations.” Martin Evans, HomeServe


How can you tell if you’re PCI compliant?

Where mobile devices are used to accept payments, PCI compliance requires full visibility of, and protection for, your mobile estate. The PCI Security Standards Council's guidance for mobile payment acceptance sets out the following criteria that you need to be able to demonstrate you meet.

  1. Prevent unauthorized physical device access
  2. Prevent unauthorized logical device access
  3. Protect the mobile device from malware
  4. Ensure the mobile device is in a secure state
  5. Disable unnecessary device functions
  6. Detect if one of your devices is lost or stolen
  7. Ensure the secure disposal of old devices

For more information about each requirement, and to fill out a self-assessment questionnaire to see where you stand, visit the PCI Security Standards Council's website.


Where Wandera fits in

Enterprise mobility management tools (EMMs) tick many boxes for the mobile requirements: they can restrict physical device access, block device functions and wipe or lock devices that have been lost or stolen. However, they fall short when it comes to threat defense. They manage the device itself but leave the most crucial asset, the corporate data, exposed to malware and network attacks.
To proactively defend against malware and ensure your devices are in a secure state, you need a security solution that covers all elements of mobile threat defense. Wandera's security solution works on several different levels, from app scanning and vulnerability assessment to network assessment and behavioral anomaly detection.
Because its gateway infrastructure sits in the traffic path, Wandera can detect and intercept malware before it reaches the device. The technology uses cloud intelligence gathered from millions of scanned devices to surface new threats and flag unusual activity, which is crucial for devices that store and process highly personal payment information.
Malicious apps are scrutinized in real time, providing detection of previously unseen threats on your corporate devices. If a vulnerability is detected within an application, you can disable that software across a fleet of devices and secure your data within seconds.
If you would like to learn more about how the latest PCI requirements affect your business, get in touch with one of our mobility experts.