PCI Free Blog

PCI DSS and the Target security breach—What it means for small business

The recent data breach at Target stores has much of the country keeping a closer eye on their bank statements and wondering how such a thing could happen. The event will resonate throughout the entire industry, and changes to the Payment Card Industry Data Security Standard are almost a sure thing. The closest historical comparison to this breach came in 2005, when 45.6 million card numbers were stolen from TJ Maxx stores; that breach resulted in a settlement of $9.75M and opened the eyes of the payment card industry to the vulnerability of its sensitive data. In that case TJ Maxx was not compliant with 9 of the 12 PCI security standards for encrypting and storing cardholder data. Let’s take a look at the current standards to see if there is anything Target did (or should have done) to prevent such an enormous data breach. Potentially noncompliant areas are in bold.

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

5. Use and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

12. Maintain a policy that addresses information security for employees and contractors

By our count, there are at least seven potential areas where Target could have opened the door for hackers and criminals to get their hands on your sensitive card data. Time will tell exactly what went wrong; however, Target did do the right thing by coming forward early. While this is the first major data breach in a while, it will certainly not be the last.

What does this mean for small business owners?

  • Get ready for some changes. The PCI council and Congress will most likely respond, as such events threaten the industry. This is a clear example of just how important PCI compliance is.
  • While your business might not have millions of customers, any breach of data can be extraordinarily costly. Preparation is therefore important, so make sure that you are compliant.
  • Merchant service providers WILL use this event as leverage. Just as they did with the original PCI mandate, processing companies will use this event to scare merchants into costly, unnecessary, and ineffective PCI programs. Inform yourself of what PCI compliance actually requires, how your program addresses it, and how much it costs relative to the market (hint: we do it for free!).

Time will tell the true costs of the Target breach, but for now the key takeaway for small businesses is preparation. If Target had followed the PCI DSS standards, it is clear that their data would not have been compromised. Stay vigilant and make sure you do not become a target.

Posted in PCI Compliance, Point-Of-Sale Equipment, Risk Management, Sensitive Data Storage

Time to get serious about PCI Compliance

As the data landscape of our technology world grows more and more complex, it is time to take the PCI compliance of your business more seriously. Oftentimes, businesses see PCI compliance as just another industry buzzword or an opportunity for another hidden fee, but the reality is that the security of your business is something important that you need to pay close attention to. So what can you do? One simple step is to have a well-defined security policy. This establishes a standard for the way your business handles sensitive data and information. One often overlooked aspect of a security policy is how you interact with vendors and third parties, and how they interact with your data. For example, Requirement 8 references this relationship with third parties:

“Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service or terminal access controller access control system with tokens; or virtual private network with individual certificates.”

The important takeaway here is that everyone who has access to your data must treat it securely. When it comes to your data and PCI compliance, it is better to take it seriously now than to have to backtrack in the event of a breach.

Posted in Uncategorized

PCI Compliance – Go Beyond What Is Required.

It’s time for a refresher course on good old-fashioned computer common sense regarding the security of personal or sensitive authentication data. The PCI DSS (Payment Card Industry Data Security Standard) was created by members of the electronic payments industry as a guide to credit card processing and data storage security for merchants. It is not an all-encompassing guide to every aspect of your personal computer and internet security. Most of the responsibility for protecting your own personal identification information and other financial or sensitive authentication data rests with you. Don’t concentrate so hard on being PCI compliant with regard to your business that you ignore all of the other aspects of computer and internet security for yourself. In a world where we rely on electronic forms of communication and data storage more and more every day, we need to understand the inherent risks associated with them and take the proper precautions.
If you are a merchant that maintains your PCI compliance in accordance with the provisions of the PCI DSS, you are already giving your business and your customers the best protection that you can. That takes care of the obvious business information that cyber criminals and hackers are prowling for, but what about all of your other personal information that you don’t normally consider when thinking about making sure you’re PCI compliant?
Please take some time to go over these basic precautions for your personal data. This is taken directly from a Visa Inc. newsletter sent to processors:
“Visa has detected an increase in email ‘phishing’ scams directed toward merchants. These scams utilize fraudulent emails that appear to originate from legitimate financial institutions, transaction processors or other business entities that routinely conduct business with merchants.”
“Through these email scams criminals attempt to convince merchants to provide sensitive information such as merchant account information, passwords, login credentials or other payment transaction information, which can be used by criminals to commit fraud.”
“In most of these email phishing cases, the merchant is asked to click on an internet hyperlink embedded in the email. This link connects to the criminal’s fraudulent website or computer server and may lead to the installation of malicious software (known as ‘malware’) on the merchant’s computer.”
Next week we’ll cover the top 6 warning signs that the email in your inbox has the potential to cause you harm. If your business is not PCI compliant as of now, visit our home page to find out how to become PCI compliant quickly, easily and at no charge.
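The Visa warning above describes phishing messages that carry a hyperlink to the criminal's server. Below is an added example, not code from the original post or from Visa, of the kind of automated check a merchant's mail filter can run on an inbound HTML message: it flags links that point at a raw IP address, links whose domain does not match the sender's domain, and links whose visible text shows a different URL than the one actually followed. The sender address, the message bodies and the domains are constructed for the example, and the two-label domain heuristic is a simplification of what a real filter would do with public-suffix data.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// Link is one hyperlink extracted from an HTML email body.
type Link struct {
	Href string // destination the mail client will open
	Text string // what the reader sees
}

// anchorRe is a deliberately simple matcher for <a href="...">text</a>.
// A production filter would use a real HTML parser.
var anchorRe = regexp.MustCompile(`(?is)<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>`)

// ExtractLinks returns every anchor's href and visible text.
func ExtractLinks(html string) []Link {
	var links []Link
	for _, m := range anchorRe.FindAllStringSubmatch(html, -1) {
		links = append(links, Link{Href: m[1], Text: strings.TrimSpace(m[2])})
	}
	return links
}

// registrableDomain approximates the owning domain as the last two labels.
// Assumption: adequate for the constructed names here; real code would
// consult public-suffix data.
func registrableDomain(host string) string {
	parts := strings.Split(strings.ToLower(host), ".")
	if len(parts) < 2 {
		return strings.ToLower(host)
	}
	return strings.Join(parts[len(parts)-2:], ".")
}

// PhishingIndicators returns one warning per suspicious property of the
// message's links; an empty result means nothing link-related looked wrong.
func PhishingIndicators(sender, html string) []string {
	senderDomain := registrableDomain(sender[strings.LastIndex(sender, "@")+1:])
	var warnings []string
	for _, l := range ExtractLinks(html) {
		u, err := url.Parse(l.Href)
		if err != nil || u.Hostname() == "" {
			warnings = append(warnings, "unparseable link: "+l.Href)
			continue
		}
		host := u.Hostname()
		// A legitimate processor does not send merchants to a bare IP address.
		if net.ParseIP(host) != nil {
			warnings = append(warnings, "link to raw IP address: "+l.Href)
			continue
		}
		linkDomain := registrableDomain(host)
		if linkDomain != senderDomain {
			warnings = append(warnings, fmt.Sprintf("link domain %q does not match sender domain %q: %s", linkDomain, senderDomain, l.Href))
		}
		// Visible text that is itself a URL must lead where it claims to.
		if shown, err := url.Parse(l.Text); err == nil && shown.Hostname() != "" && registrableDomain(shown.Hostname()) != linkDomain {
			warnings = append(warnings, fmt.Sprintf("visible URL %s hides a link to %s", l.Text, l.Href))
		}
	}
	return warnings
}

// Constructed sample messages (not real mail): the first uses three common
// phishing tricks, the second is a clean notification from the same sender.
const constructedSender = "alerts@example-processor.com"

const constructedPhishingEmail = `<html><body>
<p>Your merchant account will be suspended. <a href="http://203.0.113.5/login">Update your login</a>.</p>
<p><a href="https://example-processor.com.verify-now.test/account">Verify your account</a></p>
<p>Or visit <a href="https://secure-login.test/merchant">https://example-processor.com/merchant</a></p>
</body></html>`

const constructedLegitEmail = `<p>Your monthly statement is ready: <a href="https://example-processor.com/statements">View statement</a></p>`

func main() {
	for _, w := range PhishingIndicators(constructedSender, constructedPhishingEmail) {
		fmt.Println("WARN:", w)
	}
	fmt.Println("clean message warnings:", len(PhishingIndicators(constructedSender, constructedLegitEmail)))
}
```

Run as-is it prints four warnings for the constructed phishing message (the raw IP link, the lookalike subdomain, and two for the link whose displayed URL differs from its target) and zero for the clean statement notice. The check is a triage aid, not proof: a message with no warnings can still be fraudulent, and the sender address itself can be forged, which is why the sender domain is only compared against the links rather than trusted on its own.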

Posted in PCI Compliance, Risk Management, Sensitive Data Storage

PCI Compliance – Protection for All

For a business to be PCI compliant, it must complete a self-assessment questionnaire (SAQ) and take the time to follow the procedures and safety measures laid out for its business type. Not every business will have to complete the same version of the PCI DSS (Payment Card Industry Data Security Standard) questionnaire. There are actually four different versions of the SAQ, and depending on the processing method your business uses, only one of them needs to be completed per merchant location. Failing to complete an SAQ to make your business PCI compliant, however, could result in loss of revenue, loss of savings due to industry fines and penalties, loss of customer loyalty and destruction of brand reputation.
Unfortunately, until the advent of the PCI DSS, merchants were, in general, lax at best about the security of their own and their customers’ sensitive authentication data. When fraud was committed or information stolen, the merchant was typically not liable for the cost. There is always a cost when a crime is committed, and in times past the onus of covering the losses rested with the issuing bank of the card or the card association itself. With the advent of PCI compliance as a minimum required security measure, some of that responsibility is now shared by the merchants handling the cards and other sensitive authentication data.
Bearing this in mind, if your business is not PCI compliant yet, then you are deliberately putting your business, and consequently your customers, at great risk. Especially these days, when so many computer and internet security software products have been cracked by one hacker or another, it’s just plain foolhardy to act as if you are safe. Consider the seat belts in your car. It would never occur to you not to buckle up, or not to buckle in your children. But when the question of requiring them in cars came up, it was met with ferocious resistance from everyone from the auto manufacturers to the dealers to the consumers. Since Congress mandated that auto manufacturers must install seat belts to sell a car, countless millions of lives have been saved.
If you ignore the industry requirements for PCI compliance, and continue to operate without regard for your customers’ sensitive authentication data and credit card information, no one will be saved if a computer criminal targets you. You are knowingly risking the personal security of every person that uses their bank card at your business. It’s not just about you and your business, but about all businesses and consumers that process or use credit cards. Do your duty, get PCI compliant, and deny the hackers their quarry. Go to our home page to find out how this process can be completed quickly, easily, and most importantly, absolutely free.

Posted in PCI Compliance, Risk Management, Sensitive Data Storage

More on PCI Compliance and Assessment of Risk

Last week we gave some examples of proper risk assessment and the common pitfalls people fall into when assessing risk with regard to PCI compliance. I mentioned that people have a natural tendency to overestimate or incorrectly estimate perceived versus actual risk. In his 2003 book, Beyond Fear: Thinking Sensibly about Security in an Uncertain World, author Bruce Schneier analyzes some of the more common risk misconceptions exhibited by average people. A person tends to exaggerate stupendous but very rare risks while at the same time seeming unconcerned about the most common and far more routine risks. People worry about a tornado knocking their house down or a flood washing it away while not worrying at all about potentially slipping in the shower, even though the risk of injury in their own bathroom is far, far greater.
My parents were always convinced that sickos out there were poisoning kids’ candy and would always scrutinize my sisters’ and my hauls after an evening of trick or treating, looking for hypodermic needle holes, razor blades or evidence of tampering. Their fear was largely based on an article my mother read that warned parents of the potential for injury through Halloween candy. There has never been an actual police report documenting a case of injury or death of a child by eating candy collected on Halloween; it is just an urban myth. Yet rational, educated, intelligent people are more willing to believe the threat from criminals with candy is greater than the threat of one of their kids getting hit by a car.
Part of the reason for my mother’s fear is that, like most people, she is overly concerned by risks that she sees as personal. Former Soviet Union dictator Joseph Stalin once said something to the effect of: “one death is seen as a tragedy while a million deaths are seen as nothing but a statistic.” He was right, of course. It’s one thing to hear about a bunch of people you don’t know checking out, yet quite another when it’s just one person that you knew.
Don’t make this mistake with regard to PCI compliance. If you think that data breaches are just news reports affecting a bunch of nameless, faceless people, think again. PCI compliance is required and is the best defense you can provide to your customers and your business. See our home page to find out how you can make your business PCI compliant today. It’s easy, and most importantly, it is free.

Posted in PCI Compliance, PCI DSS and PA-DSS, Risk Management

PCI Compliance and Assessment of Risk

If you read this blog regularly you know that I’ve counseled readers on proper assessment of risk. The PCI DSS (Payment Card Industry Data Security Standard) is there to provide a guide or map for merchants to follow in order to protect the integrity of their network and hard-copy data security. You might think that, since it’s so important and the PCI SSC (Payment Card Industry Security Standards Council) has done all the hard thinking, statistical compilation, and best-procedure figuring, merchants would be glad to take the final step of making sure their business operates in accordance with PCI compliance. Making your business PCI compliant is the best way to protect your customers’, and in doing so your own, sensitive authentication and personal data.
The problem with convincing merchants to take PCI compliance seriously is rooted deeply in the human psyche. It is just a natural human foible that we tend to grossly overestimate the risk of something terrible but highly unlikely happening to us. For instance, broach the subject of shark attacks with any group of beachgoers and you’re likely to hear a lot of inordinate fears of becoming a big fish’s dinner. Make the mistake of reading Peter Benchley’s Jaws close to or during a beach trip, and you can ratchet up that irrational fear to super high levels.
The truth is, there have been fewer than a dozen reported shark attacks per year in the United States for the last ten years running, with the annual total fewer than 5 reports in the majority of those years. But the same people whose nightmares are plagued with sharks blithely get behind the wheel of a car without a thought about the fact that tens of thousands of people are killed in cars every year. Are they, or you, afraid of driving a car? I’m not afraid of it at all, but statistically, driving is far more risky than swimming in the ocean where sharks and other predators live.
So if you’re not PCI compliant yet, and you think you’re safe from thieves and hackers, think again. There are inherent risks that go along with processing credit cards. Following the goals and procedures outlined in the PCI DSS is your best defense against theft or fraud. The thieves are definitely out there; are you definitely doing all you can to protect your customers’ information? See our home page for information on how you can make your business PCI compliant easily, and at no cost.

Posted in PCI Compliance, Risk Management, Sensitive Data Storage

PCI Compliance – Protection Should be Free

The purpose of this blog is to spread knowledge and information about the PCI DSS, which stands for Payment Card Industry Data Security Standard. It is a set of goals and procedures mandated by the card associations. The card associations include Visa Incorporated, MasterCard International, Discover Novus, American Express, and the Japanese Card for Business. Together, they adopted and expanded Visa Incorporated’s CISP, or Cardholder Information Security Program, into a framework for merchants and processors to follow to provide the best protection for the sensitive authentication data they possess. As a condition of the payment card industry’s equivalent of the Good Housekeeping seal of approval, all merchants and processors that process, transmit or store sensitive authentication data must be PCI compliant, and must maintain their PCI compliance or face penalties.
Despite its obvious necessity and the security it offers, merchants and processors still aren’t motivated to be PCI compliant for the good of the electronic payments industry. Processors are charged with making sure their merchants are PCI compliant and must be PCI compliant themselves. Achieving system wide PCI compliance is a daunting task at best, and is only done through diligence and a great expense in revenue and time. Many processors pass the cost of doing business in a safe and secure environment on to the very merchants they’re responsible for safeguarding.
At PCIfree.com we feel that the basics of security should not cost anything but the time needed to implement the necessary procedures and safeguards. The PCI DSS and the goals and procedures it requires are common sense and increase the safety of all consumers, as long as everyone participates, that is. If your business isn’t PCI compliant and you transmit, process or store sensitive authentication data, you put yourself and those whose information you handle in the course of daily business at greater risk than if your business is PCI compliant. See our home page for information on how your business can be PCI compliant, for free.

Posted in PCI Compliance, Sensitive Data Storage, Wireless Technology Security

Mobile Wallets and PCI Compliance

The PCI DSS (Payment Card Industry Data Security Standard) and PCI compliance, while a product and process with origins in the electronic payments industry, can and must be applied to devices that participate in the electronic payments process. There is a new trend in the ever-changing world of electronic payments and sensitive authentication data security. The electronic or “mobile wallet” is a new product being offered to users of mobile phones and other mobile broadband capable devices. It sounds great and is intended to eliminate the plastic electronic payment cards we currently carry in a wallet or pocketbook. The product’s designation as a mobile wallet is a little inaccurate, since it doesn’t replace your ID, insurance card, or cash for those merchants who don’t take credit cards. But aside from the convenience to you of having your mobile wallet in your mobile smartphone, is it also convenient for computer hackers and fraudsters bent on stealing your sensitive authentication data?
We cannot simply trust that the smartphone application manufacturers and vendors are making sure that their products meet the standards of the PCI DSS and adapt to as yet unforeseen threats and vulnerabilities. It would be unconscionable for a software or hardware company to deliberately market a non PCI compliant device without apprising the customer of the risks associated with using their products, but what about accidentally? Apple products and Android products both contain virus protection and standard security measures, but whose job is it to make sure that the data transmitted across an open public network like the internet meets PCI compliance standards in addition to their own? Or do they operate under some other, internal set of parameters unknown to the public and conceived in the interest of the company stockholders?
I have spoken many times in this blog about the glaring risks associated with the use of the electronic swiper being distributed in enormous quantities by Square Up. The PCI DSS mandates that any device transmitting sensitive authentication data wirelessly or across an open public network, such as the internet, employ strong cryptography. In that case, intercepted data would be completely useless without the correct decryption key. Don’t blindly trust your mobile wallet provider without first doing your due diligence to verify the compliance of all the parties involved. See our home page for more on PCI compliance and why it is important to you.
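The paragraph above says that intercepted data must be useless without the decryption key. The added example below, which is not code from the original post or from any vendor named in it, shows what that looks like in practice with AES-256-GCM from the Go standard library: a card-reader payload is sealed before it leaves the device, and the receiver's Open call rejects both a wrong key and a ciphertext that was altered in transit. The key, the payload and the byte-flip are constructed for the demonstration; how the key is provisioned to the device is out of scope here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealSwipe encrypts a card-reader payload with AES-256-GCM. A fresh random
// nonce is generated per message and prepended to the output; GCM appends an
// authentication tag so the receiver can detect any modification in transit.
// Assumption: key is a 32-byte secret the device and the host already share.
func SealSwipe(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, so one blob goes on the wire.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenSwipe reverses SealSwipe. It returns an error for a wrong key or for
// any altered byte, and never returns partially decrypted data.
func OpenSwipe(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// demoKey returns a constructed 32-byte key for the example only; a real
// device would receive its key through the processor's key-injection process.
func demoKey() []byte {
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(i * 7)
	}
	return key
}

// constructedSwipe is a fake card-present payload (all-zero PAN), not real card data.
var constructedSwipe = []byte("PAN=0000000000000000;EXP=0000;NAME=TEST CARD")

func main() {
	sealed, err := SealSwipe(demoKey(), constructedSwipe)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wire bytes: %x\n", sealed)
	fmt.Println("plaintext visible on the wire:", bytes.Contains(sealed, []byte("PAN=")))

	if _, err := OpenSwipe(make([]byte, 32), sealed); err != nil {
		fmt.Println("wrong key:", err)
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	if _, err := OpenSwipe(demoKey(), tampered); err != nil {
		fmt.Println("tampered:", err)
	}
	if pt, err := OpenSwipe(demoKey(), sealed); err == nil {
		fmt.Println("receiver recovered:", string(pt))
	}
}
```

Two points worth noting for a merchant evaluating a reader or wallet product: an authenticated mode such as GCM is what makes a modified message detectable, and a nonce must never repeat under the same key, which is why one is drawn at random per message here. Encryption in transit also does nothing about the plaintext once the receiving host decrypts it; that system is still in PCI scope and must still follow the storage requirements.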

Posted in PCI Compliance, PCI DSS and PA-DSS, Point-Of-Sale Equipment, Wireless Technology Security

PCI Compliance for Everyone’s Data Security

Last week I spoke about my parking experience at the Verizon Center for the live theatrical production of How to Train Your Dragon and I mentioned how confident I was, and still am, paying electronically in that situation instead of cash. I felt more protected knowing that there would be an electronic record of my purchase as opposed to the anonymity of a cash payment because of my confidence that an organization like the Verizon Center would be PCI compliant. The PCI DSS (payment card industry data security standard) is a set of goals and procedures that dictate best practices and sensitive authentication data protection measures for merchants and credit card processors. Of all of those whom the industry requires to be PCI compliant, only a fraction of them are actually required to be compliant.
And that is, in fact, part of the beauty of what I’m trying to convey here. What I mean to impress upon the reader today is this: making sure your business meets the requirements set forth in the PCI DSS protects not only you and your business, but also your customers, and in turn the integrity of the entire electronic payments industry. As a consumer I, and all consumers, rely on the PCI DSS to protect the security of our personal and financial data. As long as the Verizon Center in downtown Washington DC is PCI compliant, it is actually safer paying with my credit card than giving cash to some enterprising wage slave who wants to pocket my payment as pure profit. I trust that the Verizon Center’s PCI compliance will protect me.
Trust is essential in the business world. If your customers don’t trust you or feel that working with you is risky, they won’t be customers very long. If your business records or customer files or credit card invoices and receipts get stolen, whether they are physical documents or electronically stored data, the first critical business ingredient you lose is trust. Once gone, it’s almost impossible to regain. If you are PCI compliant, however, you have certain automatic protections from liability that non PCI compliant merchants don’t have. Some of these measures may prevent the actual fraudulent abuse of the stolen data and, in doing so, save your customer and their trust in you.
If your business isn’t PCI compliant, you are jeopardizing your livelihood. See our home page for information on how you can be PCI compliant. Best off, it’s absolutely free.

Posted in PCI Compliance, Risk Management, Sensitive Data Storage

PCI Compliance in a World of Fraudsters

The PCI DSS (payment card industry data security standard) is a set of goals and requirements intended to guide merchants and financial services companies to the highest standards of network and data security. The PCI DSS was created from the template of Visa’s CISP (cardholder information security program) to contend with the rising incidence of credit card and identity fraud in a world that becomes more technologically advanced with each passing day. I keep my finger on the pulse of the electronic payments industry and employ the strongest personal protections for my and my family’s sensitive personal data, or I wouldn’t be writing this blog, preaching to the masses about their data security shortcomings. But I was recently almost the victim of fraud in a way I never could have predicted.
I took my four-year-old daughter to downtown Washington DC to the Verizon Center to see a live theatrical production of How to Train Your Dragon a few weeks ago, and it was fine, though in hindsight we ended up paying too much due to not researching discounts and coupons before our purchase. Though frustrating, agreeing to pay too much, even with your credit card and its built-in protections, is not grounds for disputing the charge and is perfectly PCI compliant.
The attempted fraud was perpetrated in the subterranean stadium parking lot owned and operated by the Verizon Center. The fee to park was twenty dollars, also not a crime or violation under PCI compliance requirements, even though it might feel like it. As usual, I whipped out my Visa debit card, which works either like a credit card, requiring a signature for identity verification, or like a debit card, requiring a four-digit PIN (personal identification number) code as identity verification. The woman taking fees and passing out parking passes abruptly stated “cash only” as I pulled out my wallet. I said nothing, mouth partway open, stunned that a place like the Verizon Center, which would gladly take a credit card for everything from tickets to merchandise to overpriced stadium hot dogs and drinks, halted at the payment options at the point of parking.
After a lot of hemming and hawing on my part, she finally relented and stated that only cash or “debit card” were payment options. I handed her my card, relieved, and was handed back a receipt requiring my signature. By definition, this is a credit transaction, not a debit transaction. Only when I thought about it later did I realize that the woman was trying to scam me into giving her cash which she would then have pocketed. Again, the built-in security of my credit card gave me the confidence to feel safer paying electronically rather than in cash.
If your business isn’t PCI compliant, it needs to be. See our home page for information on how you can become PCI compliant quickly and easily. Best of all, it’s free, and you can’t ask for more than that.

Posted in PCI Compliance, Sensitive Data Storage