It’s time for a refresher course on good old-fashioned computer common sense regarding the security of personal or sensitive authentication data. The PCI DSS (payment card industry data security standard) was created by members of the electronic payments industry as a guide to credit card processing and data storage security for merchants. It is not an all-encompassing guide to every aspect of your personal computer and internet security. Most of the responsibility for protecting your own personal identification information and other financial or sensitive authentication data rests with you. Don’t concentrate so hard on being PCI compliant with regard to your business that you ignore all of the other aspects of computer and internet security for yourself. In a world where we rely on electronic forms of communication and data storage more and more every day, we need to understand the inherent risks associated with them and take the proper precautions.
If you are a merchant that maintains your PCI compliance in accordance with the provisions of the PCI DSS, you are already giving your business and your customers the best protection that you can. That takes care of the obvious business information that cyber criminals and hackers are prowling for, but what about all of your other personal information that you don’t normally consider when thinking about making sure you’re PCI compliant?
Please take some time to go over these basic precautions for your personal data. This is taken directly from a Visa Inc. newsletter sent to processors:
“Visa has detected an increase in email ‘phishing’ scams directed toward merchants. These scams utilize fraudulent emails that appear to originate from legitimate financial institutions, transaction processors or other business entities that routinely conduct business with merchants.”
“Through these email scams criminals attempt to convince merchants to provide sensitive information such as merchant account information, passwords, login credentials or other payment transaction information, which can be used by criminals to commit fraud.”
“In most of these email phishing cases, the merchant is asked to click on an internet hyperlink embedded in the email. This link connects to the criminal’s fraudulent website or computer server and may lead to the installation of malicious software (known as ‘malware’) on the merchant’s computer.”
Next week we’ll cover the top 6 warning signs that the email in your inbox has the potential to cause you harm. If your business is not PCI compliant as of now, visit our home page to find out how to become PCI compliant quickly, easily and at no charge.
For a business to be PCI compliant, it must complete a self assessment questionnaire, or SAQ, and take the time to follow the procedures and safety measures laid out for its business type. Not every business will have to complete the same version of the PCI DSS (payment card industry data security standard) questionnaire. There are actually four different versions of the SAQ; depending on the processing method your business uses, only one of them needs to be completed per merchant location. Failing to complete an SAQ to make your business PCI compliant, however, could result in loss of revenue, loss of savings due to industry fines and penalties, loss of customer loyalty and destruction of brand reputation.
Unfortunately, until the advent of the PCI DSS, merchants were, in general, lax at best about the security of their own and their customers’ sensitive authentication data. When fraud was committed or information stolen, the merchant was not liable for the cost. There is always a cost when a crime is committed, and in times past the onus of covering the losses rested with the issuing bank of the card or the card association itself. With the advent of PCI compliance as a minimum required security measure, some responsibility is now shared by the merchants handling the cards and other sensitive authentication data.
Bearing this in mind, if your business is not PCI compliant yet, then you are deliberately putting your business, and consequently, your customers, at great risk. Especially these days when there are so many computer and internet security software products that have been cracked by one hacker or another, it’s just plain foolhardy to act as if you are safe. Consider the seat belts in your car. It would never occur to you to not buckle up, or to not buckle in your children. But when the question of requiring them in cars came up, it was met with ferocious resistance from everyone from the auto manufacturers to the dealers to the consumers. Since Congress mandated that auto manufacturers must install seatbelts to sell a car, countless millions of lives have been saved.
If you ignore the industry requirements for PCI compliance, and continue to operate without regard for your customers’ sensitive authentication data and credit card information, no one will be saved if a computer criminal targets you. You are knowingly risking the personal security of every person that uses their bank card at your business. It’s not just about you and your business, but about all businesses and consumers that process or use credit cards. Do your duty, get PCI compliant, and deny the hackers their quarry. Go to our home page to find out how this process can be completed quickly, easily, and most importantly, absolutely free.
Last week we gave some examples of proper risk assessment and the common pitfalls people fall into when assessing risk with regard to PCI compliance. I mentioned that people have a natural tendency to overestimate or incorrectly estimate perceived versus actual risk. In his 2003 book, Beyond Fear: Thinking Sensibly about Security in an Uncertain World, author Bruce Schneier analyzes some of the more common risk misconceptions exhibited by average people. A person tends to exaggerate stupendous but very rare risks while at the same time seeming unconcerned about the most common and far more routine risks. People worry about a tornado knocking their house down or a flood washing it away while not worrying at all about potentially slipping in the shower, even though the risk of injury in their own bathroom is far, far greater.
My parents were always convinced that sickos out there were poisoning kids’ candy and would always scrutinize my sisters’ and my hauls after an evening of trick or treating, looking for hypodermic needle holes, razor blades or evidence of tampering. Their fear was largely based on an article my mother read that warned parents of the potential for injury through Halloween candy. There has never been an actual police report documenting a case of injury or death of a child by eating candy collected on Halloween; it is just an urban myth. Yet rational, educated, intelligent people are more willing to believe the threat from criminals with candy is greater than the threat of one of their kids getting hit by a car.
Part of the reason for my mother’s fear is that, like most people, she is overly concerned by risks that she sees as personal. Former Soviet Union dictator Joseph Stalin once said something to the effect of: “one death is seen as a tragedy while a million deaths are seen as nothing but a statistic.” He was right, of course. It’s one thing to hear about a bunch of people you don’t know checking out, yet quite another when it’s just one person that you knew.
Don’t make this mistake with regard to PCI compliance. If you think that data breaches are just news reports affecting a bunch of nameless, faceless people, think again. PCI compliance is required and is the best defense you can provide to your customers and your business. See our home page to find out how you can make your business PCI compliant today. It’s easy, and most importantly, it is free.
If you read this blog regularly you know that I’ve counseled readers on proper assessment of risk. The PCI DSS (payment card industry data security standard) is there to provide a guide or map for merchants to follow in order to protect the integrity of their network and hard copy data security. You might think that, since it’s so important and the PCI SSC (payment card industry security standards council) has done all the hard thinking, statistical compilation, and best procedure figuring, merchants would be glad to take the final step of making sure their business operates in accordance with PCI compliance. Making your business PCI compliant is the best way to protect your customers’ sensitive authentication and personal data, and in doing so your own.
The problem with convincing merchants to take PCI compliance seriously is rooted deeply in the human psyche. It is just a natural human foible that we tend to grossly overestimate the risk of something terrible but highly unlikely happening to us. For instance, broach the subject of shark attacks with any group of beach goers and you’re likely to hear a lot of inordinate fears of becoming a big fish’s dinner. Make the mistake of reading Peter Benchley’s Jaws close to or during a beach trip, and you can ratchet up that irrational fear to super high levels.
The truth is, there have been fewer than a dozen reported shark attacks per year in the United States for the last ten years running, with the annual total fewer than 5 reports in the majority of those years. But the same people whose nightmares are plagued with sharks blithely get behind the wheel of a car without a thought about the fact that tens of thousands of people are killed in cars every year. Are they, or you, afraid of driving a car? I’m not afraid of it at all, but statistically, driving is far more risky than swimming in the ocean where sharks and other predators live.
So if you’re not PCI compliant yet, and you think you’re safe from thieves and hackers, think again. There are inherent risks that go along with processing credit cards. Following the goals and procedures outlined in the PCI DSS is your best defense against theft or fraud. The thieves are definitely out there; are you definitely doing all you can to protect your customers’ information? See our home page for information on how you can make your business PCI compliant easily, and at no cost.
The purpose of this blog is to spread knowledge and information about the PCI DSS, which stands for Payment Card Industry Data Security Standard. It is a set of goals and procedures mandated by the card associations. The card associations include Visa Incorporated, MasterCard International, Discover Novus, American Express, and the Japanese Card for Business. Together, they adopted and expanded Visa Incorporated’s CISP, or Cardholder Information Security Program, into a framework for merchants and processors to follow to provide the best protection for the sensitive authentication data they possess. As a condition of the payment card industry’s equivalent of the Good Housekeeping seal of approval, all merchants and processors that process, transmit or store sensitive authentication data must be PCI compliant, and must maintain their PCI compliance or face penalties.
Despite its obvious necessity and the security it offers, merchants and processors still aren’t motivated to be PCI compliant for the good of the electronic payments industry. Processors are charged with making sure their merchants are PCI compliant and must be PCI compliant themselves. Achieving system wide PCI compliance is a daunting task at best, and is only done through diligence and a great expense in revenue and time. Many processors pass the cost of doing business in a safe and secure environment on to the very merchants they’re responsible for safeguarding.
At PCIfree.com we feel that the basics of security should not cost anything but the time needed to implement the necessary procedures and safeguards. The PCI DSS and the goals and procedures it requires are common sense and increase the safety of all consumers, as long as everyone participates, that is. If your business isn’t PCI compliant and you transmit, process or store sensitive authentication data, you put yourself and those whose information you handle in the course of daily business at greater risk than if your business is PCI compliant. See our home page for information on how your business can be PCI compliant, for free.
The PCI DSS (payment card industry data security standard) and PCI compliance, while a product and process with origins in the electronic payments industry, can and must be applied to devices that participate in the electronic payments process. There is a new trend in the ever changing world of electronic payments and sensitive authentication data security. The electronic or “mobile wallet” is a new product being offered to users of mobile phones and other mobile broadband capable devices. It sounds great and is intended to eliminate the plastic electronic payment cards we currently carry in a wallet or pocketbook. The product’s designation as a mobile wallet is a little inaccurate, since it doesn’t replace your ID, insurance card, or cash for those merchants who don’t take credit cards. But aside from the convenience to you of having your mobile wallet in your mobile smart phone, is it also convenient for computer hackers and fraudsters bent on stealing your sensitive authentication data?
It is not enough to simply trust that the smart phone application manufacturers and vendors are making sure that their products meet the standards of the PCI DSS and adapt to as yet unforeseen threats and vulnerabilities. It would be unconscionable for a software or hardware company to deliberately market a non PCI compliant device without apprising the customer of the risks associated with using their products, but what about accidentally? Apple products and Android products both contain virus protection and standard security measures, but whose job is it to make sure that the data transmitted across an open public network like the internet meets PCI compliance standards in addition to their own? Or do they operate under some other, internal set of parameters unknown to the public and conceived in the interest of the company stockholders?
I have spoken many times in this blog about the glaring risks associated with the use of the electronic swiper being distributed in enormous quantities by Square Up. The PCI DSS mandates that any device transmitting sensitive authentication data wirelessly or across an open public network, such as the internet, employ the protection of strong cryptographic encryption. In this instance, intercepted data would be completely useless without the correct decryption key. Don’t blindly trust your mobile wallet provider without first doing your due diligence to verify the compliance of all the parties involved. See our home page for more on PCI compliance and why it is important to you.
Last week I spoke about my parking experience at the Verizon Center for the live theatrical production of How to Train Your Dragon, and I mentioned how confident I was, and still am, paying electronically in that situation instead of cash. I felt more protected knowing that there would be an electronic record of my purchase, as opposed to the anonymity of a cash payment, because of my confidence that an organization like the Verizon Center would be PCI compliant. The PCI DSS (payment card industry data security standard) is a set of goals and procedures that dictate best practices and sensitive authentication data protection measures for merchants and credit card processors. Of all of those whom the industry requires to be PCI compliant, only a fraction actually are compliant.
And that is, in fact, part of the beauty of what I’m trying to convey here. What I mean to impress upon the reader today is this: making sure your business meets the requirements set forth in the PCI DSS protects not only you and your business, but also your customers, and in turn, the integrity of the entire electronic payments industry as a whole. As a consumer I, and all consumers, rely on the PCI DSS to protect the security of our personal and financial data. As long as the Verizon Center in downtown Washington DC is PCI compliant, it is actually safer paying with my credit card than giving cash to some enterprising wage slave who wants to pocket my payment as pure profit. I trust that the Verizon Center’s PCI compliance will protect me.
Trust is essential in the business world. If your customers don’t trust you or feel that working with you is risky, they won’t be customers very long. If your business records or customer files or credit card invoices and receipts get stolen, whether it’s physical documents or electronically stored data, the first critical business ingredient you lose is trust. Once gone, it’s almost impossible to regain. If you are PCI compliant, however, you have certain automatic protections from liability that non PCI compliant merchants don’t have. Some of these measures may prevent the actual fraudulent abuse of the stolen data and, in doing so, save your customer and their trust in you.
If your business isn’t PCI compliant, you are jeopardizing your livelihood. See our home page for information on how you can be PCI compliant. Best of all, it’s absolutely free.
The PCI DSS (payment card industry data security standard) is a set of goals and requirements intended to guide merchants and financial services companies to the highest standards of network and data security. The PCI DSS was created from the template of Visa’s CISP (cardholder information security program) to contend with the rising incidence of credit card and identity fraud in a world that becomes more technologically advanced with each passing day. I keep my finger on the pulse of the electronic payments industry and employ the strongest personal protections for my and my family’s sensitive personal data, or I wouldn’t be writing this blog, preaching to the masses about their data security shortcomings. But I was recently almost the victim of fraud in a way I never could have predicted.
I took my four year old daughter to downtown Washington DC to the Verizon Center to see a live theatrical production of How to Train Your Dragon a few weeks ago, and it was fine, though in hindsight we ended up paying too much due to not researching discounts and coupons before our purchase. Though frustrating, agreeing to pay too much, even with your credit card and its built in protections, is not grounds for disputing the charge and is perfectly PCI compliant.
The attempted fraud was perpetrated in the subterranean stadium parking lot owned and operated by the Verizon Center. The fee to park was twenty dollars, also not a crime or violation under PCI compliance requirements, even though it might feel like it. As usual, I whipped out my Visa debit card, which works either like a credit card, requiring a signature for identity verification, or like a debit card, requiring a four digit PIN (personal identification number) code as identity verification. The woman taking fees and passing out parking passes abruptly stated “cash only” as I pulled out my wallet. I said nothing, mouth partway open, stunned that a place like the Verizon Center, which would gladly take a credit card for everything from tickets to merchandise to overpriced stadium hot dogs and drinks, balked at accepting a card at the point of parking.
After a lot of hemming and hawing on my part, she finally relented and stated that only cash or “debit card” were payment options. Relieved, I handed her my card, and was handed back a receipt requiring my signature. By definition, this is a credit transaction, not a debit transaction. Only when I thought about it later did I realize that the woman was trying to scam me into giving her cash which she would have then pocketed. Again, the built in security of my credit card gave me the confidence to feel safer paying electronically rather than in cash.
If your business isn’t PCI compliant, it needs to be. See our home page for information on how you can become PCI compliant quickly and easily. Best of all, it’s free, and you can’t ask for more than that.
PCI compliance is not just a requirement, for which the card associations of Visa, MasterCard, American Express, Discover, and JCB will fine you if you are not compliant, but it also benefits you as a merchant. The PCI SSC (payment card industry security standards council) is an organization hosted and populated by industry insiders and watchdogs whose job it is to see into the future and prevent as yet untried methods of fraud. Part of that job includes compiling data from previous data breaches to find out where the weak spots were that the criminals exploited. While we all hear about large data breaches on the news, not as much reporting happens as to exactly how many compromised accounts have actual fraud committed on them.
This is an important criterion since it puts an actual dollar amount on lost revenue. If there are 1000 compromised credit card account numbers and just one of them is used to buy $1000 worth of merchandise, the direct loss due to fraud is $1000. But if there are 1000 credit card account numbers compromised and each one is used to buy $1000 worth of merchandise, the direct fraud loss is $1,000,000. Your first and best starting point for mounting a defense against hackers and other types of electronic data fraudsters is the PCI DSS (payment card industry data security standard). Use it as a map to chart your course as you strive towards total network and data protection. I say “strive toward” because ultimately, there is no absolute and infallible protection for any data network. The idea is to continually work towards total network and data security, since data security is an ever changing target.
Make sure your business is 100% PCI compliant as soon as possible if you haven’t already. You are literally risking the total destruction of your business by not doing the bare minimum required by the industry to protect yourself and your customers’ sensitive authentication data. PCIfree.com wants you to be PCI compliant to help yourself and, by extension, the integrity of the entire electronic payments industry. Visit our home page right away and find out how to obtain this vital and mandatory certification quickly, easily, and at absolutely no cost to you. PCI compliance is here to stay. Now is the time to educate yourself and do what is right and necessary. Until next week, be vigilant, be knowledgeable and be safe.
If you read this blog regularly you have heard me mention an entrepreneurial processing service company called Square Up. I have to applaud their innovation and see the benefit of making credit card payments available to anyone with a bank account and a smart phone. The problem comes with their handy dandy portable card reader device. The PCI DSS (payment card industry data security standard) dictates that, to be PCI compliant, data sent over an open public network like the internet must be encrypted. This is found under PCI DSS Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Encryption is a security method that translates the data into a set of alternate, unrelated characters while it’s being transmitted. If the data is intercepted, as it easily can be with store bought radio monitoring equipment and a little electronics savvy, it is useless without the proper decryption key. There are of course many levels or layers of encryption, and as hackers continue to defeat the latest encryption standards, the standard for true data security is constantly being upgraded. The Square card reader device does not encrypt cardholder data to the standard set by the PCI DSS.
If you use this non-compliant device, you are putting your customers’ sensitive authentication data at risk. This in turn puts your business at risk. A recent article in Digital Transactions magazine predicts that, with the precipitous rise in wireless technology usage for electronic payments, hackers and other cyber criminals will be having a field day with all of the opportunities to intercept exploitable data. The article refers to Square as having “passed out boatloads of card readers for smart phones that transmitted card holder data in the clear.”
I still don’t know why the PCI SSC (payment card industry security standards council) hasn’t put the kibosh on the distribution of these devices, but they may just put the onus on the user to not use a device that’s not PCI compliant. The goals set forth in the PCI DSS are your road map towards protecting your and your customers’ data security. See our home page for information on how your company can be PCI compliant, absolutely free.
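A merchant or processor can check for the Requirement 4 failure described above by auditing what a device actually puts on the wire: if a captured payload still contains a Luhn-valid card number, cardholder data went out in the clear. The following Python is an added example, not code from the original post, from Square or from the PCI SSC; the "captured" payloads are constructed sample strings, and the PAN shown is a well-known test number, not a real account.

```python
import re
from typing import Dict, List

# Constructed sample payloads standing in for what a sniffer would see from a
# card reader. The first carries track-style data in the clear; the second is
# an opaque ciphertext blob (hex, constructed); the third has a 16-digit order
# id that is NOT a card number and must not be flagged.
SAMPLE_PAYLOADS: Dict[str, str] = {
    "reader_cleartext": "%B4111111111111111^DOE/JANE^2512101?;4111111111111111=2512101?",
    "reader_encrypted": "c8f1e20b7a9d4356f0e1b2c3d4a5f607e9c0b1a2d3f4e5c6b7a8d9e0f1a2b3c4",
    "order_id_noise": "order=1234567890123456&amt=20.00",
}

# Card numbers (PANs) are 13 to 19 digits; require a non-digit on each side so
# that longer digit runs are not sliced into false candidates.
PAN_CANDIDATE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands' account numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only first six and last four digits, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(payload: str) -> List[str]:
    """Return masked PANs found in the clear in a captured payload.

    Only Luhn-valid candidates count, which filters out most numeric noise such
    as order ids and timestamps. Results are deduplicated, order preserved.
    """
    found: List[str] = []
    for match in PAN_CANDIDATE.finditer(payload):
        candidate = match.group(1)
        if luhn_valid(candidate) and candidate not in found:
            found.append(candidate)
    return [mask_pan(p) for p in found]


def audit(payloads: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each capture name to the masked PANs it leaked; empty list means clean."""
    return {name: find_cleartext_pans(data) for name, data in payloads.items()}


if __name__ == "__main__":
    for name, leaked in audit(SAMPLE_PAYLOADS).items():
        status = "LEAKS CARDHOLDER DATA" if leaked else "no PAN in clear"
        print(f"{name:18s} {status} {leaked}")
```

A clean result only shows that no PAN was visible in this capture; it does not prove the channel uses strong cryptography as Requirement 4 demands, so it complements rather than replaces the provider's compliance validation.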