For the last few weeks our blog on PCI compliance has been covering the tedious and unpleasant procedures that follow a data security breach. We have gone over the immediate response and the countermeasures that limit further exposure or further compromise of data. We have also nearly finished covering what to do, and whom to contact, in the aftermath of a breach once the immediate containment steps are complete. In this week's piece we cover the additional procedures required if the compromised information includes PIN (personal identification number) data. Because PIN debit transactions are authorized through a separate back-end system from signature debit and credit, there are special procedures that apply to them.
But before we get into that, a reminder of why we are covering this and why it matters. It matters especially if you still believe you are protected by nothing more than your type of business, or think you are too small to be a worthwhile target for a data thief. Stop thinking that. Your business may be too small to be much of an incentive on its own, but what the attacker is stealing is your customers' card data, not the money in your till, and a small merchant with weak controls is an easy place to get it. The reason to become PCI compliant and to stay that way is to protect your customers' information (and with it the integrity of the payment card system as a whole), and by extension to protect your business from the loss of patronage and reputation that follows a breach.
As your contracted PFI (PCI Forensic Investigator) conducts his or her investigation, remember that they must determine whether your business was compliant with the thirty-two PCI PIN security requirements. These requirements can be viewed at www.visa.com/pinsecurity (this is just the URL, not a link; copy and paste it into the address bar of your browser). This part of the investigation applies only if you process PIN-based debit transactions. If it is unclear whether any PINs were compromised, your PFI will perform a PIN security and key management investigation and a PCI PIN security investigation to find out.
There will be more on this next week. If your business isn't PCI compliant, you are playing with fire. See our homepage to find out how you can obtain PCI compliance for your business, for free.