PCI Free Blog

PCI Compliance Fees Are The Real Issue

I recently was reading a blog by an employee of one of the largest payment processors in the United States. He said that he hears lots of complaints about the burden of PCI compliance. He says, like I do, that a major reason people are so opposed to becoming PCI compliant is that they simply do not understand the benefits and protections the PCI DSS (payment card industry data security standard) affords a business. He says that in the many post-data-breach interviews he has conducted, every victim inevitably states that he or she wishes someone had sat them down and really explained the significance and necessity of PCI compliance. Most people think it’s just some new time-wasting contrivance of an industry already resented for its profitability and autonomy (though recent government regulation has compelled some pricing controls), and ultimately unnecessary. Other reservations of merchants recalled by this industry blogger were that they believed PCI compliance to be a new form of taxation, or that service providers were just getting greedy.
I found it ironic that the blogger, who is employed by a huge payment settlement entity, has to turn a blind eye to the real elephant in the room. More than the time required to become PCI compliant, more than the anxiety stemming from the strangeness and novelty of the requirement, people don’t like PCI compliance because of the monetary expense of being PCI compliant. That’s why it’s misconstrued as a form of taxation, or as the industry simply being greedy. Neatly avoiding that glaring issue altogether, the article goes on to explain the benefits of PCI compliance, which anyone who reads this blog should know by now.
If your problem all along regarding the PCI DSS is the cost of becoming PCI compliant that your service provider is hitting you with on a monthly or yearly basis, you have come to the right place. See our home page for details on how to get your business PCI compliant, absolutely free!

Posted in PCI Compliance, Point-Of-Sale Equipment, Sensitive Data Storage

PCI Compliance Helps Those Who Help Themselves

Is your business PCI compliant? It is? That’s great, but now that you’ve completed an SAQ (self assessment questionnaire) and registered with your service provider, it’s not time to rest on your laurels. The PCI DSS (payment card industry data security standard) is a set of goals and procedures that the industry requires all merchants to follow, but filling out an SAQ and validating your compliance doesn’t make your business, computer network or customers’ information totally secure. Only you and your employees can actually take an active role in protecting your sensitive authentication data and in identifying and containing threats. The PCI DSS is a tool to use when securing the integrity of your network and your company or customer information, a foundation from which you can more efficiently and effectively maintain a high level of data protection.
But even the most finely crafted tool is useless without an operator skilled in its use. The same is true of the PCI DSS as of any tool: your security must be regularly monitored, maintained and updated as needed to be truly PCI compliant, in both letter and spirit. It is analogous to the current battle being waged between medical science and lethal bacteria, medical science being just an antibiotic step or two ahead of the most deadly bacteria. The same is true with regard to computer security technology versus computer hacking technology.
Just doing the bare minimum that the PCI DSS requires for becoming PCI compliant may ward off the fines charged by the industry for having an expired PCI compliance validation, but true compliance goes beyond just the letter of the law. The spirit in which the PCI DSS was created, and that of its predecessor, the CISP (customer information security program) started by Visa, is that of an involved and ongoing commitment to sensitive authentication data security. If everyone is concerned with having the best defenses in place and with the protection of their customers’ cardholder data, it benefits not only the individual but the integrity of the entire payments system.
If you’ve hesitated for some reason before, now is the time to get your business PCI compliant. See our homepage for information on how to do it absolutely free.

Posted in PCI Compliance, PCI DSS and PA-DSS, Sensitive Data Storage

Final Pearls of Wisdom from QSA Security Report

For the last few weeks we’ve been covering the highlights of an international data security report published by one of the industry’s leading QSA’s (qualified security assessor) in an effort to better understand what works and what doesn’t with regard to computer network protection. Some final findings of the report make it clear that in addition to following the requirements of the PCI DSS (payment card industry data security standard) there is still a need for that human touch and reasoning.
One unanticipated finding was that the percentage of business owners or employees who were able to detect a security breach on their own was a discouraging sixteen percent. The remaining eighty-four percent only found out that they had been compromised when they were informed of the breach by an outside source. Whether alerted by a consumer, local or federal law enforcement, or industry regulators, an analysis of those cases found that the average time between the data compromise and its detection and containment was over one hundred and seventy days! The amount of time the thieves had to exploit or sell the stolen information is staggering. I imagine that long before that timeframe has passed, they’re long done wringing what they can from that poor soul’s account.
This statistic, to me, is the most telling about the general attitudes of business owners and their employees towards the seriousness of PCI compliance. People out there still think that once they fill in some form answering a bunch of questions that don’t mean a whole lot to them, they’re done with their efforts to make their customers’ data safe. Fortunately, law enforcement’s detection abilities have improved over five hundred percent in the last year. The authorities are taking PCI compliance seriously, and so should you. The increased effectiveness of the police and Secret Service (a branch of the treasury department that investigates financial crime) is a testament to system-wide adaptation and anticipation of the growing threat. They have clearly gone above and beyond the standard they are required to meet. Take PCI compliance seriously, please. You only risk catastrophe by not becoming PCI compliant. Know that you can, easily, now, for free. See our homepage.

Posted in PCI Compliance, Sensitive Data Storage

Thieves’ Favorite Targets – Is Your Business at Risk?

Last week on the blog we highlighted the types of businesses, namely food and beverage services (e.g. restaurants) that are the most frequent victims of cyber-crime. Becoming PCI compliant and maintaining your PCI compliance is the easiest, fastest and most complete way to protect your customers’ sensitive authentication data, and by extension, your business’s proprietary data. Though restaurants and other aspects of the food and beverage service industries are the most often attacked by hackers, some other business types and formats have also been observed to have a higher incidence of data breaches. We’re not saying get out of the business you’re in if you are at higher risk, just be aware that the hackers out there view your business as a higher value target.
A major industry QSA (a.k.a. qualified security assessor) published a report this year that was compiled from a series of investigations and vulnerability tests throughout the year 2011. Chain stores and franchises exhibit a particular characteristic attractive to data hackers. These businesses tend to use the same IT systems in all of their locations because conformity makes implementation easy. It stands to reason that if a hacker circumvents one location’s network security, they can overcome the other locations as well. In 2011 these businesses accounted for over 30% of all data breach investigations according to the QSA, and they predict that percentage will rise this year.
Among the findings in the report, it was noted that businesses are far too lax with regard to their password requirements. In an analysis of over two million passwords used by businesses, they found the most common to be Password1, as this meets the standard default password requirements of at least one capital letter, at least one lower case letter, and at least one number. To add a new dimension of complexity and an exponentially larger number of possible password combinations, have your IT systems administrator require a symbol or other non-letter/non-number character.
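As an added illustration of the password-policy point above (this is example code written for this post, not anything from the QSA report or the author of the blog), the following Python checks a handful of constructed sample passwords against the "default" rule the report describes (upper, lower, digit) and against the stricter rule that also demands a symbol, and computes how much the per-character alphabet growth enlarges the search space for an 8-character password. The sample passwords are constructed for the demonstration; the character-class sizes (62 letters and digits, 94 with the 32 ASCII punctuation symbols) are the assumption behind the keyspace figures.

```python
import math
import string

# Constructed sample passwords for the demonstration (not from the report's data set).
SAMPLE_PASSWORDS = ["Password1", "Welcome2", "Tr0ub4dor&3", "correcthorse", "P@ssw0rd!"]

ALPHANUMERIC = len(string.ascii_letters) + len(string.digits)      # 62
WITH_SYMBOLS = ALPHANUMERIC + len(string.punctuation)               # 94


def meets_default_policy(pw: str, min_len: int = 8) -> bool:
    """Baseline rule quoted in the post: one upper, one lower, one digit (plus a length floor)."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))


def meets_symbol_policy(pw: str, min_len: int = 8) -> bool:
    """Stricter rule: default rule plus at least one non-letter/non-digit character."""
    return meets_default_policy(pw, min_len) and any(c in string.punctuation for c in pw)


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Size of the search space, in bits, for `length` characters drawn from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def audit(passwords):
    """Map each password to (passes default policy, passes symbol policy)."""
    return {pw: (meets_default_policy(pw), meets_symbol_policy(pw)) for pw in passwords}


if __name__ == "__main__":
    for pw, (default_ok, symbol_ok) in audit(SAMPLE_PASSWORDS).items():
        print(f"{pw:14s} default={default_ok!s:5s} with-symbol={symbol_ok}")
    print(f"8 chars, letters+digits : {keyspace_bits(8, ALPHANUMERIC):.1f} bits")
    print(f"8 chars, plus symbols   : {keyspace_bits(8, WITH_SYMBOLS):.1f} bits")
```

Note that `Password1` passes the default rule and fails the symbol rule, which is exactly the report's point; the keyspace figures show that requiring the extra class widens the space per character rather than merely adding a few fixed strings, though a policy still cannot stop users from choosing a predictable password such as `P@ssw0rd!`, so a deny-list of common passwords is the usual companion control.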
One of the most interesting discoveries of the QSA’s report is there is actually a specific hour of the day that is the most risky. If you are one of those who tend to open emails immediately when they’re received (unlike me who lets them pile up) then know that the most common time for an email sent with a malicious attachment is between 8:00 a.m. and 9:00 a.m.
Is your business PCI compliant? If not it’s time to ask yourself why. Network and data security is becoming more integral to our lives every day, especially in business. Visit our home page today to find out how your business can be PCI compliant and maintain its PCI compliance at no cost to you.

Posted in PCI Compliance, PCI DSS and PA-DSS, Sensitive Data Storage

QSA Report Highlights: Food and Beverage Industry Top Target

We’ve been talking on the blog here about a comprehensive report of industry fraud compiled over the last year by one of the top QSAs (qualified security assessors) in the business. Some of their key points may enlighten you. Keep in mind that your best defense and preparation for the possibility of sensitive personal or authentication data being stolen is to be PCI compliant. The PCI DSS (payment card industry data security standard) is a list of goals and procedures that, when followed rigorously, reduces your business’s vulnerability to a data breach.
One interesting piece of data indicates that hackers still most often target electronically stored customer records. In fact, of the breached data investigated for the report, 89 percent was customer records. Theft of intellectual property and trade secrets trailed customer records at only six percent. However, sophisticated and coordinated attacks bent on retrieving this type of data are increasing in frequency and rate of success. The QSA also says that its own investigation frequency has risen by 42 percent over the previous year. This included over 300 investigations involving breached data, spread over 18 countries around the world. The increased frequency of investigations follows an increased rate of cyber theft attacks, which are becoming more effective, as well as a rise in fraudulent activity in the Pacific Rim.
Unfortunately, for the second year running, the food and beverage industry claims the top spot for cyber-thief quarry. In 2011 this industry accounted for almost 44 percent of data breaches investigated by the QSA.
If you own a restaurant that takes credit cards and you are not currently PCI compliant, you are tempting fate. Just because you think you’re too small to attract notice doesn’t make you any less likely to be the victim of a data breach. If you are found to be PCI compliant at the time of a data breach, the industry affords certain protections and assurances, and most processors include a modest amount of breach coverage. But again, that is only if you are PCI compliant. If you are not PCI compliant, you’re on your own when it comes to the legal fees, industry fines and other liabilities that will add up to a hefty bill that will most likely put you out of business, permanently. See our homepage to find out how your business can certify its PCI compliance today, absolutely free.

Posted in Sensitive Data Storage, Uncategorized

QSA Reports on Trends in Security and Data Breaches

One of the leading providers of PCI compliance solutions and information security published a report analyzing a sampling of research, merchant feedback and investigations over the last year.  The findings of the report are based on over two thousand infiltration tests and over three hundred investigations of data breaches.  The tests and investigations were performed by the QSA’s (qualified security assessor) internal advanced research and development security team.  Their investigations and tests highlighted application security testing, forensics and hacking vulnerability.

The report showed that the food and beverage (restaurant) industry is still the top target for cyber theft for the second year in a row.  In addition, the 2011 investigations revealed that more than a third of the compromised accounts were franchise businesses.  Researchers suggest that businesses that are modeled as franchises will be at the highest risk of a data breach in 2012.  On top of all this, the report illuminates some surprises regarding the most common passwords used by businesses around the world and what time of day is the riskiest to open an email.

Many in the industry consider this report to be the most comprehensive on cybercrime, data breach trends, developing or new security threats and on best security practices recommendations.  Making sure your business is operating in accordance with the PCI DSS (payment card industry data security standard) is your best basic defense against a data breach.  If your business accepts credit cards or handles sensitive authentication data from customers, you are required to be PCI compliant.  It is your responsibility to protect your customers’ data by following the goals set forth in the PCI DSS version 2.0.  If your customers’ personal or financial data is stolen, you are liable for any fraudulent activity perpetrated on the compromised accounts.  Only if you are PCI compliant at the time of the breach will you be afforded certain protections as well as, in some cases, tens of thousands of dollars in breach coverage.

Next week we’ll cover some more of the interesting findings of this report.  See our home page to find out how your business can obtain its vital PCI compliance at absolutely no cost to you.

Posted in PCI Compliance, Sensitive Data Storage

Which SAQ is Right For You? Part II

Last week we covered two of the four self-assessment questionnaires (SAQ) required by the card associations for PCI compliance.  The two SAQ types mentioned last week are the most complex and longest of the four.  These questionnaires contain many technical terms in reference to security and virus protection software.  They also review local area network (LAN) settings, firewall protections and connected or shared access points.  Unless you are highly computer literate yourself, you will probably rely on the personnel most businesses dedicate to information technology (IT) support.  Your IT support staff will be best suited to complete the network security portion of these questionnaires.

Remember that SAQ type C is required if you transmit data over an open public network such as the internet or cellular signals, whether or not you store cardholder or other sensitive or personal data in an electronic format.  SAQ type D is required if you store cardholder or other sensitive or personal data in an electronic format, regardless of your method of processing.

The other two types, SAQ A and SAQ B, should be used if your credit card processing is done via a stand-alone dial-up credit card terminal that is not connected to any other office system or network.  You may qualify to complete SAQ type A if you only call an automated voice authorization service from any regular phone.  This type of processing uses no equipment beyond the merchant’s phone, and there are no electronic records or hard-copy printouts.

The majority of small to medium sized businesses that have no business or legal need to store cardholder data electronically and use a traditional electronic credit card processing terminal are eligible to use SAQ type B for validating their PCI compliance.  Please see our homepage for information on which SAQ is right for you.  If your business accepts credit cards, you are required to be PCI compliant.  Your business can validate its compliance for free on our home page.

Posted in PCI Compliance, Sensitive Data Storage, Wireless Technology Security

Which SAQ is Right For You?

From time to time on this blog I attempt to encourage, persuade, cajole, manipulate and even frighten merchants and business owners processing credit cards to get their business PCI compliant before it’s too late.  But as is often the case with esoteric and unfamiliar tasks, there is still a surprising number of merchants who haven’t taken the time to look into PCI compliance for their business.  Part of the reluctance to get started may be that it seems too complicated or overwhelming.  For a business owner whose computer literacy ends at knowing how to send an email or google a topic (all they’ve ever needed to know how to do), the language and questions in the PCI DSS (payment card industry data security standards) must seem particularly daunting.

What you may not know, if you’ve been so put off by the technical jargon, is that not every merchant has to complete the same SAQ (self assessment questionnaire) for PCI compliance.  There are four versions of the SAQ to accommodate the variety of processing methods and processing environments that differ from one business to another.  The four SAQ versions are designated A, B, C, and D, followed by the version number.  The old 1.2 version is not valid after January 1st 2012, and any new SAQ submitted after that date must be version 2.0.

SAQ type D is the most comprehensive of the assessments and is required for all merchants processing via ecommerce or other public network and if the merchant stores sensitive authentication data in electronic format.

SAQ type C is shorter and is required for all merchants processing via a public network or whose processing system communicates via an internet protocol connection.

For more detailed information about which SAQ is right for you, see our homepage.  If your business processes credit cards and is not yet or needs to re-validate PCI compliance, we can show you how to do it for free.

Posted in PCI Compliance, Sensitive Data Storage, Wireless Technology Security

Maintaining Your PCI Compliance – Aiming at a Moving Target

Being PCI compliant means following the guidelines set forth in the latest version of the PCI DSS (payment card industry data security standard), and if you are compliant at the time of a data breach, most processors and QSAs (qualified security assessors) include coverage against the financial loss from the fines and legal fees associated with a data breach.  But it isn’t simply a matter of following the guidelines by rote and expecting that no harm can come to you or your business.  Computer and network security is a constantly evolving, moving target that must be continuously adapted and updated.

No security system is completely infallible due to a constantly changing computer security technology landscape, the continual invention of new products and methods, and good old human error.  That being said, the goal for PCI compliance shouldn’t be absolute perfection, but significant progress, year after year, until fraud liability is at its lowest possible level.  What was secure against outside access today may suddenly not be so tomorrow as criminal innovation continues to find new paths to circumvent even the tightest security systems.

For this reason, the PCI DSS and the requirements to achieve PCI compliance have a programmed life cycle of about three years.  This way, the PCI SSC (payment card industry security standards council) is able, over time, to gather data and feedback from merchants, processors and financial services providers regarding which PCI compliance guidelines work and which don’t, as well as what items need to be enhanced or modified.  In addition to the information provided by end users of the PCI DSS, it also allows time for other technological advancements and their impact on sensitive authentication data storage and transmission to be incorporated into the guidelines.

We’ll try to touch on this a little more next week.  If your business is not currently PCI compliant, you are placing your livelihood at risk, as well as your customers’ information.  See our home page to find out how your business can be PCI compliant today.  Best of all, it’s absolutely free!

Posted in PCI Compliance, PCI DSS and PA-DSS, Wireless Technology Security

PCI Compliance Requirements May Include Your Stored Legacy Data

Just when you thought it was safe to start processing again, we discovered a new area of vulnerability that should be of concern to long-time bankcard processors and merchants: namely, the security of your stored legacy data, which may include old credit card numbers and expiration dates as well as other sensitive authentication data.  For large companies that have massive stores of customer data, much of the non-PCI-compliant data may predate the PCI compliance requirement by several years.

This sensitive data is often overlooked by the merchants and processors storing it, since the PCI compliance requirements are such a relatively recent security requirement.  If you have customer data that was stored prior to January 1st 2008 (after which, of course, everything moving forward meets current PCI compliance standards), it could be a data compromise liability waiting to happen.  You can count on thieves and hackers exploiting this oft-overlooked area of stored data management.  So despite the potentially daunting task of converting or purging stored data going back years, the risk of loss is too great to ignore.
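The first step in converting or purging legacy data is finding the card numbers that are hiding in it. The Python below is an added example written for this post (not code from the blog or from any processor) that scans free-text records for digit runs of card-number length, keeps only those that pass the Luhn check digit test that all payment card numbers satisfy, and masks everything but the last four digits so the record can be retained without holding a full PAN. The records are constructed for the demonstration and use well-known test card numbers; the candidate regular expression and the "mask to last four" choice are the assumptions.

```python
import re

# Constructed sample records. 4111111111111111 and 5500000000000004 are publicly known
# test card numbers that are never issued; 4111111111111112 has a bad check digit.
SAMPLE_RECORDS = [
    "cust=1001 name=A. Example card=4111 1111 1111 1111 exp=03/09",
    "cust=1002 name=B. Example card=4111111111111112 exp=05/10",   # fails Luhn: not a PAN
    "cust=1003 name=C. Example phone=5551234567 note=paid",        # too short to be a PAN
    "cust=1004 name=D. Example card=5500-0000-0000-0004 exp=11/07",
]

# 13 to 19 digits, optionally separated by single spaces or dashes (assumed format).
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, subtract 9 if > 9, sum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str):
    """Return the normalised digit strings in `text` that look like valid card numbers."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Replace each valid PAN with asterisks plus its last four digits; leave other numbers alone."""
    def repl(m):
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)
    return CANDIDATE_RE.sub(repl, text)


def scan_records(records):
    """Map record index -> list of PANs found, for records that contain at least one."""
    hits = {}
    for i, rec in enumerate(records):
        pans = find_pans(rec)
        if pans:
            hits[i] = pans
    return hits


if __name__ == "__main__":
    for idx, pans in scan_records(SAMPLE_RECORDS).items():
        print(f"record {idx}: {len(pans)} PAN(s) found -> {redact(SAMPLE_RECORDS[idx])}")
```

The Luhn filter is what keeps phone numbers, account ids and mistyped digit strings out of the results; a real sweep would also cover database columns, spreadsheets and backup archives rather than one text list, and would log what was masked so the purge can be evidenced later.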

One industry servicer reported that a common phenomenon of off-site stored data is the physical loss of said data in tape backup or other magnetic storage format.  One such case involving a US retail credit management company revealed a recent discovery of missing back-up tape data.  The lost data included over six hundred and fifty thousand credit card numbers from its 230 US retailers.  In addition, the lost back-up tapes contained about one hundred and fifty thousand social security numbers belonging to cardholders.

Next week we’ll try to find some tips for tackling the seemingly insurmountable task of securing the data that you must continue to store for business or legal purposes.  See our home page for information on how you can make your business PCI compliant for absolutely nothing!

Posted in PCI Compliance, Sensitive Data Storage