All Australian and New Zealand retailers, merchants and businesses that accept card payments need to comply with the industry standard Payment Card Industry Data Security Standard (PCI DSS).
By Radware Vice President Sales Yaniv Hoffman.
It stipulates what types of security protections organisations should employ, and mandates stringent financial penalties for exposure of customer records.
Other sectors, including health care, financial services and government agencies, have compliance obligations of their own. There are also regional and national regulations, such as the General Data Protection Regulation (GDPR) in Europe, but no single set of rules or legal requirements applies to everyone.
Many of these national and industry standards vary widely, yet they hold several core tenets in common. For example, they mandate the use of specific security mechanisms or procedures. They impose stringent penalties on the exposure of protected data, and sometimes even criminal liability. They apply widely, not just to customers in specific territories or regions, but worldwide.
Organisations must make sure they fully understand which regulations apply to them, and they should do whatever they can to avoid breaches before they find out the hard way what the penalties for violations are.
A common question is, should customer information be destroyed after a certain point?
This is a tricky question, and there is no single definitive answer. In theory, yes, customer data should be destroyed. But one of the benefits of the digital age is the fact that we can store data indefinitely.
Many organisations exercise this practice, and many customers want to have this data available to them. With that said, the best approach should not necessarily focus on the destruction of older data but rather focus on the overall protection of all data, both old and new, to make sure this data is not exposed.
A careful provider of cloud security services doesn’t hold customer data directly. Yet it will maintain metadata about customer transactions that flow through its systems, in the form of logs, security events and the like. Most products and services allow customers to configure the retention time of logs and alerts. Keep in mind that retention policies also cover records such as customer lists and website details.
Retention periods can vary significantly, based on the type of information and how it is used. My own company’s retention periods are based on criteria that include legally mandated retention periods, pending or potential litigation, intellectual property or ownership rights, contract requirements, operational directives or needs, and historical archiving.
When we no longer need to use personal information, we remove it from our systems or depersonalise it, so we can’t identify customers.
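As an added illustration, not Radware’s own code or policy, the following Python sketch applies the kind of retention decision described above: a period per record category, a litigation hold that overrides expiry, and depersonalisation by keyed hash for records kept for archiving. The category names, periods and key are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib, hmac

# Retention days per category: constructed sample values, one per criterion the text lists.
RETENTION_DAYS = {"transaction_log": 365,      # operational need, then archived
                  "invoice": 7 * 365,          # legally mandated period (assumed)
                  "support_ticket": 2 * 365}   # contract requirement (assumed)
# Assumed secret, kept in a KMS in practice; destroying it makes the pseudonyms irreversible.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"

@dataclass
class Record:
    record_id: str
    category: str
    customer_email: str
    created: date
    legal_hold: bool = False  # pending or potential litigation

def depersonalise(rec: Record) -> Record:
    """Swap the direct identifier for a keyed hash: the customer can no longer be
    identified from the record, yet one customer's records still link together."""
    digest = hmac.new(PSEUDONYM_KEY, rec.customer_email.lower().encode(), hashlib.sha256)
    return Record(rec.record_id, rec.category, "pseudonym:" + digest.hexdigest()[:16],
                  rec.created, rec.legal_hold)

def decide(rec: Record, today: date) -> str:
    """Return 'hold', 'retain', 'depersonalise' or 'delete'; a legal hold beats age."""
    if rec.legal_hold:
        return "hold"
    if today - rec.created <= timedelta(days=RETENTION_DAYS[rec.category]):
        return "retain"
    return "depersonalise" if rec.category == "transaction_log" else "delete"

def apply_policy(records, today):
    # Returns ({record_id: action}, surviving records); deleted records are dropped.
    actions, kept = {}, []
    for rec in records:
        actions[rec.record_id] = action = decide(rec, today)
        if action == "depersonalise":
            kept.append(depersonalise(rec))
        elif action != "delete":
            kept.append(rec)
    return actions, kept

SAMPLE_TODAY = date(2021, 6, 1)  # constructed reference date
def sample_records():  # constructed sample data
    return [Record("r1", "transaction_log", "alice@example.com", date(2019, 1, 1)),
            Record("r2", "invoice", "bob@example.com", date(2019, 1, 1)),
            Record("r3", "support_ticket", "carol@example.com", date(2018, 1, 1), True),
            Record("r4", "support_ticket", "dave@example.com", date(2018, 1, 1))]
```

Note that a keyed hash is pseudonymisation, not anonymisation: whoever holds the key can still test whether a known e-mail address matches a token, which is why the key must be destroyed once linkage is no longer needed.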
The General Data Protection Regulation (GDPR) has had a significant impact on organisations. It affects organisations based in Europe (EU) and any organisation that processes and stores EU citizens’ data, which is almost every organisation.
Looking ahead, we are constantly assessing how local regulations impact us. For example, there are many new privacy regulations in India and Brazil that concern data residency and the transfer of customer data out of those countries. That, in part, led my company to expand services in India and Brazil in 2020. This is something we’re constantly evaluating and on the lookout for.
Here are five things businesses should know about storing customers’ data:
- The cloud is not ‘more’ or ‘less’ secure – it is different. This means that organisations need defences specifically adapted to the cloud and to the unique threats those organisations face.
- Safeguard both the application ‘surface’ and the cloud application ‘infrastructure’ (i.e., the backend). Vulnerabilities can come from either side, so it is essential to safeguard both.
- Implement ‘positive’ security. Attacks keep becoming more sophisticated, and organisations can no longer rely only on signatures of existing attacks. They need protection based on a positive security model that can automatically identify and block illegitimate traffic.
- Security is a discipline. Within it, there are many sub-disciplines (such as application security, DDoS protection, etc.). Organisations need to rely specifically on the people who are experts in safeguarding against these attacks.
- Detection is essential, but correlation is critical. It’s not enough to detect attacks. Businesses need to correlate events intelligently across multiple threat surfaces, application layers and time spans to connect event A to event B to event C, even if they are months apart. This will help to determine when an organisation is under attack and to block it in time.
Yaniv Hoffman
Yaniv Hoffman is Vice President Sales at Radware. He is an experienced leader with a vast track record of building high-performance teams and technology-based professional and customer services globally, along with broad expertise across large enterprises, service providers and telecommunication markets. Yaniv holds a BA in computer science, graduated from the Program on Negotiation at Harvard Law School, and holds a certificate of Executive Leadership from Cornell University.
About Radware
Radware offers cyber security and application delivery solutions for physical, cloud and software defined data centres. Its solutions secure the digital experience by providing infrastructure, application, corporate IT protection and availability services to enterprises. Radware’s solutions empower enterprise and carrier customers to adapt to market challenges quickly, maintain business continuity and achieve maximum productivity while keeping costs down.