19 December 2021

General Data Protection Regulations

GDPR is a European Union law first adopted in 2016, and its purpose is to govern data privacy. It applies to any organisation (such as a business or government body) that collects or processes personal data. Even an organisation located outside the EU falls under GDPR if it does business within the EU or collects or processes the data of EU residents. GDPR became mandatory in all European Union member states on 25 May 2018. It sets out rules for securing personal data that is processed, stored, or used across the member states, with the aim of protecting the privacy and the personal information of EU citizens.

Just as GDPR applies in Europe, KVKK (the Personal Data Protection Law) applies in Turkey. The protection of personal data in Turkey has been on the agenda since the 2000s, and KVKK came into force in 2016 with many of its articles. Since then it has continued to be applied in the prescribed ways, keeping pace with technological developments.

In addition to GDPR, there are many sector-specific regulations. One of these is PCI DSS, the Payment Card Industry Data Security Standard, developed specifically for the payment card sector. It is a proprietary information security standard for organisations that process cardholder data from cards such as VISA and MasterCard credit and debit cards.

Looking at the PCI DSS requirements, every merchant must protect cardholder data by installing and maintaining a firewall and router configuration. A firewall controls who can reach an organisation's network, and a router is the device that connects networks, so both fall within the scope of PCI DSS.

Data Protection Regulations

Firewall and router standards are defined as follows.

1. Test when configurations change.

2. Identify all connections to cardholder data.

3. Review configuration rules every six months.

The firewall must be configured to block unauthorised access from untrusted networks and hosts and to prevent any direct public access to cardholder information. Additionally, firewall software must be installed on every computer that accesses the organisation's PCI compliance network.

At this point, you must change all default passwords. The default passwords supplied when software is first installed are publicly known and can easily be used by attackers to reach sensitive information.

Cardholder data is the personal information about the cardholder that appears on the payment card, and a merchant must never record it. This includes protecting authentication data, even in encrypted form, after authorisation. Merchants may display at most the first six and last four digits of the primary account number (PAN). If a merchant stores the PAN, it must be stored in encrypted form to keep it secure.
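The "first six, last four" rule above is easy to state but easy to break in practice, because PANs leak into application logs and support tickets. The following added example (not from the original post) shows a masking function that keeps only the permitted digits, plus a scanner that finds unmasked PANs in text by matching 13 to 19 digit runs and confirming them with the Luhn check, so that ordinary order numbers are not flagged. The log lines and card numbers are constructed sample data (the PANs are publicly known test numbers); how the stored PAN is encrypted at rest is not shown here.

```python
import re

# Constructed sample log lines; the PANs are public test numbers, not real cards.
SAMPLE_LOG = [
    "2021-12-19T10:02:11Z pos01 AUTH_OK user=clerk7 pan=4111111111111111 amount=42.00",
    "2021-12-19T10:02:12Z pos01 ORDER id=1234567890123456 status=created",
    "2021-12-19T10:03:40Z pos02 AUTH_OK user=clerk3 pan=5555 5555 5555 4444 amount=9.99",
]

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation; weeds out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_pan(candidate: str) -> bool:
    """True when the digit string has PAN length and passes the Luhn check."""
    digits = re.sub(r"\D", "", candidate)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; replace the rest with '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(text: str) -> list:
    """Return every unmasked PAN (digits only) found in the text."""
    return [re.sub(r"\D", "", m.group()) for m in PAN_RE.finditer(text) if is_pan(m.group())]


def redact(text: str) -> str:
    """Replace every PAN in the text with its masked form; other digit runs are left alone."""
    return PAN_RE.sub(lambda m: mask_pan(m.group()) if is_pan(m.group()) else m.group(), text)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        hits = find_unmasked_pans(line)
        if hits:
            print(f"UNMASKED PAN in log: {hits} -> {redact(line)}")
```

Run the scanner over log exports before they leave the cardholder data environment; a non-empty result from find_unmasked_pans is a storage violation to investigate, and redact gives the form the line should have been written in.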

To prevent cyber criminals from stealing personal information during a transaction, all information must be encrypted while being transmitted over public networks such as the internet.

Computer viruses can infect computers in many ways, but primarily through email and other online activities. Viruses compromise the security of a merchant’s personal cardholder information, and therefore anti-virus software must be present on all computers associated with the network.

In addition to malware, computers are exposed through vulnerabilities in installed applications and systems. Merchants must install the security patches provided by vendors within one month of their release to avoid exposing cardholder data. Security alert programmes, scanning services, or software can be used to report vulnerabilities to the merchant.

As a merchant, you must limit the accessibility of cardholder information. Passwords and other security measures must be installed to restrict employees’ access to cardholder data. Only employees who need access to the information to complete their work are permitted to access it.

An unreadable password used to access cardholder data must be assigned to each user in order to monitor employee activities when accessing sensitive information.

Physical access to cardholder data must be monitored. Digital and printed materials must be secured so that unauthorised persons cannot obtain information from them. All old cardholder information should be destroyed, a visitor log should be kept, and logs must be retained for at least three months.

System activity logs that record all activity must be kept and reviewed daily. In the event of a security breach, the stored log information is used to trace employee activity and find the source of the breach. Each entry should include the user, the event, the date and time, a success or failure indication, the origin of the affected data, and the system component involved.
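The list of fields above only helps if every entry actually carries them, and the daily review only helps if someone looks for patterns. The following added example (not from the original post) validates JSON audit records against that field list and performs a minimal daily review that flags incomplete entries and users with repeated failures on a component. The field names, the failure threshold and the sample records are constructed assumptions, not a standard format.

```python
import json
from datetime import datetime

# Field names are an assumed record layout mirroring the fields listed in the text.
REQUIRED_FIELDS = ("user", "event", "timestamp", "outcome", "origin", "component")

# Constructed sample audit records (one per line, as a log shipper would emit them).
SAMPLE_AUDIT_LOG = [
    '{"user":"clerk9","event":"login","timestamp":"2021-12-19T08:00:01Z","outcome":"failure","origin":"pos02","component":"cde-db"}',
    '{"user":"clerk9","event":"login","timestamp":"2021-12-19T08:00:09Z","outcome":"failure","origin":"pos02","component":"cde-db"}',
    '{"user":"admin1","event":"export","timestamp":"2021-12-19T08:05:00Z","outcome":"success","component":"cde-db"}',
    '{"user":"clerk9","event":"login","timestamp":"2021-12-19T08:00:20Z","outcome":"failure","origin":"pos02","component":"cde-db"}',
    '{"user":"clerk3","event":"login","timestamp":"2021-12-19T08:10:00Z","outcome":"success","origin":"pos01","component":"cde-db"}',
]


def validate_entry(entry: dict) -> list:
    """Return a list of problems; an empty list means the entry carries every required field."""
    problems = []
    for field in REQUIRED_FIELDS:
        if entry.get(field) in ("", None):
            problems.append(f"missing {field}")
    if entry.get("outcome") not in (None, "success", "failure"):
        problems.append("outcome must be success or failure")
    if entry.get("timestamp") is not None:
        try:
            datetime.fromisoformat(str(entry["timestamp"]).replace("Z", "+00:00"))
        except ValueError:
            problems.append("timestamp not ISO 8601")
    return problems


def daily_review(lines: list, failure_threshold: int = 3) -> dict:
    """Parse one day's records and report incomplete entries and repeated failures per user."""
    incomplete = []
    failures_by_user = {}
    for n, line in enumerate(lines, 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            incomplete.append((n, ["not valid JSON"]))
            continue
        problems = validate_entry(entry)
        if problems:
            incomplete.append((n, problems))
            continue
        if entry["outcome"] == "failure":
            failures_by_user[entry["user"]] = failures_by_user.get(entry["user"], 0) + 1
    repeated = {u: c for u, c in failures_by_user.items() if c >= failure_threshold}
    return {"incomplete": incomplete, "repeated_failures": repeated}


if __name__ == "__main__":
    report = daily_review(SAMPLE_AUDIT_LOG)
    for line_no, problems in report["incomplete"]:
        print(f"line {line_no}: {', '.join(problems)}")
    for user, count in report["repeated_failures"].items():
        print(f"{user}: {count} failures today")
```

An entry that fails validation is itself a finding, because a record without an origin or timestamp cannot be used to reconstruct a breach later; keeping the validator next to the review keeps both problems visible on the same day.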

Every three months, a wireless analyser is used to check wireless access points in order to prevent unauthorised access. Additionally, you should scan internal and external networks to identify potentially vulnerable areas in the system. The necessary tools must be installed to detect changes made by unauthorised personnel, and all IDS/IPS engines must be kept up to date. If you process credit cards, compliance with this standard is mandatory.

The purpose of these and similar standards is to ensure and protect the confidentiality of data. Personal data is one of the most critical assets in today's internet world. Organisations process, compile, share, sell, or otherwise generate income from the information they hold, so citizens' rights must be protected and access to information must be regulated. These standards, which emerge to regulate access to information and protect it, improve the operational efficiency of organisations while also protecting citizens' rights.