Anyone who has heard me talk these past few years, after our data breach in 2015, walks away with a stark reminder that we truly are only at the beginning of data insecurity. My company and clients are doing fine after a lot of hard work since, and what happened to us in 2015 can never happen to us again: we no longer handle or store credit card data. Instead, we store tokens and connect to a PCI Level 1 Token Vault, among other major security enhancements we've made to the eCellar platform.
Today, in my address to the audience at the Wine Industry Technology Symposium (WITS), I delivered what I believe are top security measures wineries (and staffers) can put into place today to help secure consumer data. If you have any questions or comments, please send them to me at paul @ ecellar1.com.
1.) Get PCI Compliant
Hire a QSA for your own organization, and/or work with your Merchant Bank
2.) Demand PCI Validated (NOT self-assessed) Compliance from ALL of your vendors who store sensitive consumer data of yours (credit card information, passwords, etc.)
The dirty little secret of PCI Compliance:
Anyone can say they're fully PCI Compliant - until they get hacked - and audited.
3.) Get Cyber Insurance for your business
This will put all of your hard work getting PCI Compliant and Validated to the test during the application process, and cover you in the event that you do get hacked.
4.) Demand & enforce granular User Permissions from your vendors with strong password management. It's not good if a temporary part-time employee can download your entire client list.
5.) Manage your endpoints - Systems & People
- Turn off auto-fill/auto-complete (so login credentials are NOT saved on devices in case they're lost or stolen)
- Know what data and systems you are responsible for versus what your vendors are responsible for
- Keep systems PATCHED
- Keep antivirus and anti-malware endpoint protection up to date
- Lock devices down by MAC address/IP
- Back up, back up, back up
- Users should not use administrative accounts for daily work
- Use unique, complex passwords, personal to each user, for all devices and applications
- Have usage policies for each user, especially one that disallows email and Internet browsing on the systems you use for payment transactions
6.) Avoid being a Phishing victim
Do not click on any links in emails or on websites that you were not expecting, and ALWAYS look for the little details that confirm a message is genuine. There are even programs you can use to routinely test whether your employees can be lured into clicking on a phishing email. Staying savvy and avoiding the phish helps you avoid Ransomware, Keyloggers/Malware, and overall system compromise.
7.) Eliminate credit card data at rest in your organization (and your vendors')
Test to make sure that your tokenization and full integration plan actually works and no credit card data is where it is not supposed to be.
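As an added example, not part of the original post or the eCellar platform: a small scanner that checks exported files (transaction logs, support notes, spreadsheets) for Luhn-valid card numbers, so a tokenization rollout can be verified rather than assumed. The sample log lines and the tok_ token format are constructed; the card numbers in them are standard industry test PANs.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
# The lookarounds stop the pattern from matching a slice out of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return masked PANs found in text: digit runs that also pass Luhn (first 6 + last 4 kept)."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return found


def scan_lines(lines):
    """Return (line_number, masked_pan) for every hit so the offending record can be purged."""
    hits = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            hits.append((n, pan))
    return hits


# Constructed sample log lines (not real data). Lines 2 and 5 leak raw card data;
# line 4 is a 16-digit phone number that fails Luhn and must not be reported.
SAMPLE_LOG = [
    "2019-06-04 10:12:01 order=4471 token=tok_9f3a2b1c amount=54.00 status=approved",
    "2019-06-04 10:12:05 DEBUG raw_request card=4111 1111 1111 1111 exp=12/22",
    "2019-06-04 10:12:09 order=4472 token=tok_0a77de41 amount=120.00 status=approved",
    "2019-06-04 10:13:00 support note: customer phone 4111111111111112, call back",
    "2019-06-04 10:13:30 DEBUG raw_request card=5555-5555-5555-4444 exp=01/23",
]

if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: card data at rest -> {masked}")
```

Run it against log directories, database dumps and backup exports after the tokenization cutover; any hit means raw card data is still being written somewhere it should not be.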
8.) Use the latest credit card technology (Liability Shift)
Significantly reduce the chance of fraud (and chargebacks) with EMV (chip card readers) and P2PE (Point-to-Point Encryption) in your tasting room and on your mobile devices.