PCI Free Blog

Breach Liability Assessment

PCI compliance is not just a requirement, for which the card associations of Visa, MasterCard, American Express, Discover, and JCB will fine you if you are not compliant, but it also benefits you as a merchant. The PCI SSC (payment card industry security standards council) is an organization hosted and populated by industry insiders and watchdogs whose job it is to see into the future and prevent as yet untried methods of fraud. Part of that job includes compiling data from previous data breaches to find out where the weak spots were that the criminals exploited. While we all hear about large data breaches on the news, not as much reporting happens as to exactly how many compromised accounts have actual fraud committed on them.
This is an important criterion since it puts an actual dollar amount on lost revenue. If there are 1000 compromised credit card account numbers and just one of them is used to buy $1000 worth of merchandise, the direct loss due to fraud is $1000. But if there are 1000 credit card account numbers compromised and each one is used to buy $1000 worth of merchandise, the direct fraud loss is $1,000,000. Your first and best starting point for mounting a defense against hackers and other types of electronic data fraudsters is the PCI DSS (payment card industry data security standard). Use it as a map to chart your course as you strive toward total network and data protection. I say “strive toward” because ultimately, there is no absolute and infallible protection for any data network. The idea is to continually work toward total network and data security, since data security is an ever-changing target.
Make sure your business is 100% PCI compliant as soon as possible if you haven’t already. You are literally risking the total destruction of your business by not doing the bare minimum required by the industry to protect yourself and your customers’ sensitive authentication data. PCI free dot com wants you to be PCI compliant to help yourself and, by extension, the integrity of the entire electronic payments industry. Visit our home page right away and find out how to obtain this vital and mandatory certification quickly, easily, and at absolutely no cost to you. PCI compliance is here to stay. Now is the time to educate yourself and do what is right and necessary. Until next week, be vigilant, be knowledgeable and be safe.

Posted in PCI Compliance, Risk Management, Sensitive Data Storage

Beware of the Square

If you read this blog regularly you have heard me mention an entrepreneurial processing service company called Square Up. I have to applaud their innovation and see the benefit of making credit card payments available to anyone with a bank account and a smart phone. The problem comes with their handy-dandy portable card reader device. The PCI DSS (payment card industry data security standard) dictates that, to be PCI compliant, data sent over an open public network like the internet must be encrypted. This is found under PCI DSS Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Encryption is a security method that translates the data into a set of alternate, unrelated characters while it’s being transmitted. If the data is intercepted, as it easily can be with store-bought radio monitoring equipment and a little electronics savvy, it is useless without the proper decryption key. There are of course many levels or layers of encryption, and as hackers continue to defeat the latest encryption standards, the standard for true data security is constantly being upgraded. The Square card reader device does not encrypt cardholder data to the standard set by the PCI DSS.
If you use this non-compliant device, you are putting your customers’ sensitive authentication data at risk. This in turn puts your business at risk. A recent article in Digital Transactions magazine predicts that, with the precipitous rise in wireless technology usage for electronic payments, hackers and other cyber criminals will be having a field day with all of the opportunities to intercept exploitable data. The article refers to Square as having “passed out boatloads of card readers for smart phones that transmitted card holder data in the clear.”
I still don’t know why the PCI SSC (payment card industry security standards council) hasn’t put the kibosh on the distribution of these devices, but they may just put the onus on the user to not use a device that’s not PCI compliant. The goals set forth in the PCI DSS are your road map towards protecting your and your customers’ data security. See our home page for information on how your company can be PCI compliant for absolutely free.
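The practical way to find out whether a reader, terminal, or application is sending cardholder data “in the clear” is to scan what actually leaves it (a packet capture, a proxy log, an application log) for unmasked primary account numbers. The following is an added example, not code from the original post or from Square; it is a small Python PAN-discovery scanner of the kind a merchant or assessor would run over captured payloads. It looks for runs of 13 to 19 digits (allowing spaces or dashes as separators), keeps only those that pass the Luhn check so that timestamps and order numbers are not flagged, and reports each hit with the PAN masked to first six and last four digits. The sample payloads are constructed for this example: one cleartext charge request as a non-encrypting reader would send it, one blob of what a TLS record looks like on the wire, and one log line that masks the PAN correctly.

```python
import re
from dataclasses import dataclass

# Constructed sample payloads (not real captures). The "cleartext_reader" one
# carries a well-known test card number; the "encrypted_reader" one is an
# opaque hex blob standing in for a TLS record; the "pos_log" one masks the
# PAN properly and contains a 14-digit batch id that is not a card number.
SAMPLE_PAYLOADS = {
    "cleartext_reader": "POST /charge HTTP/1.1\r\n\r\npan=4111 1111 1111 1111&exp=1225&cvv=123",
    "encrypted_reader": "17 03 03 00 45 8a 3f c7 e1 b0 2d 55 c8 e6 f4 0a 91 d7 b3 2c 6e 18 af 4d 70 9b",
    "pos_log": "2012-03-15 POS terminal 7 settled batch 20120315093012 pan=411111******1111",
}

# A candidate is 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass
class PanFinding:
    offset: int     # position of the candidate in the scanned text
    masked: str     # first six and last four digits, the rest starred out


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to the first six and last four digits for safe reporting."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cleartext_pans(text: str) -> list:
    """Return a PanFinding for every Luhn-valid card number visible in text."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(PanFinding(offset=m.start(), masked=mask_pan(digits)))
    return findings


def scan_payloads(payloads: dict) -> dict:
    """Scan a name -> payload mapping and return name -> list of findings."""
    return {name: find_cleartext_pans(text) for name, text in payloads.items()}


if __name__ == "__main__":
    for name, hits in scan_payloads(SAMPLE_PAYLOADS).items():
        status = "CLEARTEXT PAN" if hits else "clean"
        print(f"{name:17s} {status}", [h.masked for h in hits])
```

A payload that only ever produces opaque bytes is what an encrypting reader or a TLS session looks like to this scanner; a hit on a live capture is a Requirement 4 finding, and a hit on a stored log is a Requirement 3 finding as well. The Luhn filter is what keeps the noise down: the 14-digit batch id in the log line is rejected by it, while a separated or unseparated card number is caught either way.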

Posted in Uncategorized

Why Won’t Merchants Take Security Seriously?

I know, I know, I’m starting to sound like a broken record. If you read this blog regularly you constantly hear me harping on and on about the complacency exhibited by your typical small business. The PCI DSS (payment card industry data security standard) has been around for coming up on five years now. It is impossible not to know about the rising incidence of identity theft and other types of electronic fraud that affect people around the world. Making sure your business meets the standards of the PCI DSS and maintaining your business’s PCI compliance is your duty, and your contribution to the integrity of the electronic payments system as a whole.
Some industry observers suggest that, as a group, merchants are dragging their heels on ramping up their data security because consumers are also complacent about the safety of their personal data. Both consumers and merchants feel that the inherent security measures currently in place are enough to protect them from identity theft, loss of personal data, or other electronic fraud. The fact is that last year almost 5% of adults living in the United States experienced some sort of fraud related to identity theft, according to the 2011 Identity Fraud Report from Javelin.
The report also found an average loss per incident of $240 for consumers victimized by fraud. In cases where a consumer debit card was attacked, the average loss was $141. However, in cases where a consumer credit card account was attacked, the average loss was $306. While many criminal attacks on consumer credit or debit cards are certainly due to the negligence of the consumers themselves, a large portion of the blame rests squarely on the shoulders of financial institutions and merchants that seemingly refuse to believe that data security is as important as physical security for business.
If your business isn’t PCI compliant, you are not only putting yourself at increased risk, you are dragging your customers along with you. Visit our home page to find out how your business can be PCI compliant today. And best of all it is free.

Posted in PCI Compliance, PCI DSS and PA-DSS, Sensitive Data Storage

The PCI DSS Can’t Be Ignored

Accurate risk assessment is a mainstay of the financial services industry. When you open a checking account, apply for a mortgage loan or auto loan, or for a line of credit on a credit card, you cease to be a human being and become a computer-generated number for the purpose of evaluating the risk of extending you credit or issuing you a check book. That’s one purpose of the PCI DSS (payment card industry data security standard): to reduce the overall risk and liability of your customers’ sensitive authentication data being stolen and exploited. If you aren’t PCI compliant, you are putting your customers at needless risk, and thereby your business as well.
When I was young, computers were still new. In fact, the “microcomputer,” which is the progenitor of today’s personal computer (PC), was a recent technological advancement. There was no internet. There were no hackers. There was no threat of a computer mastermind delving into your most personal data. Prior to the microcomputer, computers were massive constructs that took up a whole room, if not a whole building, depending on the job. The only big fear about them then was that something would short circuit like in Fail Safe and cause an accidental missile launch against the Russians. Then in the ’80s, my childhood, there was this movie starring Matthew Broderick and Ally Sheedy called War Games, where a brilliant but delinquent high school student unwittingly stumbles upon a modem line that has access to the Department of Defense’s supercomputer that controls nuclear missile launches.
And this is when the citizens of the world began to fear the aforementioned computer mastermind, wresting control of a country’s infrastructure from a safely remote location and bringing the authorities to their knees. But this kind of threat was still fantastical, and not something that really seemed possible. Well, that time is over. These days we live with the very real threat that the current computer security methods will be overridden by someone with malicious intent.
Another purpose of PCI compliance is to provide a guidebook for merchants to start learning why they must protect themselves and their customers and how to do it most efficiently and completely. See our home page for detail on how to make your business PCI compliant, absolutely free.

Posted in PCI Compliance, PCI DSS and PA-DSS, Risk Management, Sensitive Data Storage

PCI Compliance – Industry Mandate Today; Federal Law Tomorrow

This really shouldn’t come as a surprise to anyone out there, but in case you didn’t anticipate it: the United States Congress (our legislative branch of government) is working on a bill to make failure to protect your and your customers’ information a possible felony. Today, the PCI DSS (payment card industry data security standard)
Republican Senators at the federal level have introduced a legislative draft for the purpose of codifying a national standard for data breach reporting. The bill has been nicknamed the Data Security and Breach Notification Act of 2012. The legislation, initially presented by Senator Pat Toomey (R-PA), is also being cosponsored and authored by Senator Olympia Snowe (R-ME), Senator Jim DeMint (R-SC), Senator Roy Blunt (R-MO) and Senator Dean Heller (R-NV). The current draft of the bill would include a requirement for all businesses and government agencies to “take reasonable measures to protect and secure data in electronic form containing personal information.” Once signed into law, the FTC (federal trade commission) would be charged with enforcing it. Sources indicate that organizations found to be in violation of the new legislation could face fines in excess of a half million dollars!
That’s a frightening figure. But really if you think about it, this was inevitable. The industry created the PCI DSS as a response to an emergent need in a world of increased reliance on technology and essential need for security. It started with Visa’s CISP (cardholder information security program) way back in June of 2001. Visa foresaw the need for a standard of security to combat the rising incidence of cyber theft and hacking worldwide. The program was visionary and preemptive in its attempts to counteract data theft.
Now that federal legislation is catching up with the industry, let the merchant beware. It’s not just the right thing to do and the conscientious thing to do and the smart thing to do. It is now the law. Do your civic duty and get PCI compliant now. Visit our home page to find out how to achieve PCI compliance for your business for free.

Posted in Uncategorized

PCI Compliance Weak Link is Level 4 Merchants

PCI compliance isn’t a joke, people. It isn’t a new “tax” perpetrated by the payment card industry. The PCI DSS (payment card industry data security standard) is an industry movement towards tighter network security. Becoming PCI compliant not only helps protect your customers but also helps protect the integrity of the electronic payments industry on the whole. And not least importantly, making yourself PCI compliant helps protect your business. This often includes data breach coverage insurance that will offset your expenses if you do become the victim of a data breach. If you aren’t PCI compliant and a breach occurs where customers’ sensitive authentication or personal data has been compromised, you will find yourself in an extremely delicate and costly situation.
Industry researchers along with computer network security companies and security software developers continue to find that level 4 merchants, or what you think of as a small business (level 4 merchants process less than 20,000 transactions per year), are by far the weakest link in the chain of network data security. A breach, no matter how small, can result in the death of your business due to the aforementioned costly fines. There is also the expense of multiple required investigations performed by card association representatives as well as outside investigators. Not as salient as the high cost in the aftermath of a data breach is the severe brand and reputation damage. Even if you can afford the fines and fees, the loss of customer traffic due to loss of trust can be the final nail in your coffin.
Verizon published its Data Breach Investigations Report in 2012, in which it examined 855 individual breach incidents that collectively compromised on the order of 174 million records. This next statistic is just depressing. Verizon found that “96% of the attacks were not highly difficult,” and, worse yet, “97% of breaches were avoidable through simple or intermediate controls.” Small businesses are actually a far more common quarry since, as Verizon says, “target selection is based more on opportunity than on choice.” What this is saying in so many words is: it is highly likely that if the victims in these situations had just followed the basic PCI DSS protocols, they wouldn’t have been attacked at all. The opportunistic small-time hacker would have just moved on to the next complacent, unprotected merchant.
Stop putting it off! PCI compliance is real, real important, and here to stay. See our home page to find out how you can complete this mandatory requirement at absolutely no cost. Become PCI compliant today, for free!

Posted in PCI Compliance, Sensitive Data Storage, Wireless Technology Security

PCI – Please! Comply Already!

If you read this PCI Compliance advocacy blog regularly you may notice that it tends to focus mainly on the typical small business. The PCI DSS (payment card industry data security standard) was created along with the PCI SSC (payment card industry security standards council) to improve the integrity of the electronic payments system as a whole. This can only be effectively accomplished if literally every merchant processing electronic payments proactively strives to be PCI compliant. By this I mean to approach PCI compliance in the spirit of the initiative, not just the letter of the requirement.
Small business owners, known in industry jargon as “level 4” merchants, continue to be the weak link in the chain of sensitive authentication data security. Incredibly, recent studies are continuing to find that level 4 merchants are still largely unaware of their own vulnerability to cyber attacks. Those who are aware of their vulnerability still exhibit inordinately low concern about this known vulnerability. Hopefully you non-PCI compliant merchants out there know that a data breach doesn’t just mean your customers whose information was stolen have to be alert now that their card numbers or other sensitive authentication data is out there. There are per-account fees for every account that has been compromised. There will be multiple investigations that you pay for out of pocket when a breach occurs and the merchant isn’t PCI compliant. And don’t forget all of the lawyers that will inevitably be involved in matters of this nature. Who do you think pays for their time? The card associations don’t pay a dime, nor do the banks whose customers’ cards were stolen; you pay. You pay and pay and pay, and if you aren’t drained into bankruptcy by that, you very well may have lost a sizeable portion of your customer base. And even then, the damage to your company’s brand image and reputation will surely deter many future customers for a long time to come.
It’s time to stop pretending that it’s not going to happen to you. It happens to someone, many people in fact, on a daily basis. So if your business is not PCI compliant yet, and I think I’ve said this before, you are fooling yourself. It’s not a question of whether a perusing hacker will check you out and rob you at some point, but when they will. If you want the peace of mind that comes with being PCI compliant, check out our home page where you can obtain PCI compliance for your business. Best of all, it is absolutely free.

Posted in PCI Compliance, Risk Management, Sensitive Data Storage

PCI Compliance is Essential Even For Low-Tech Merchants

PCI compliance is not required as a punishment for merchants, adding another tedious task to your list of responsibilities. The PCI DSS (payment card industry data security standard) was not developed as an attempt to frustrate and confuse business owners and merchants to make the day more stressful. It was developed because business owners and merchants simply are not concerned enough about data security. As I said, the idea isn’t to increase your stress level, but if your stress level with regard to data security is hovering near zero, then something is wrong.
You say you don’t even use a computer at your business, and don’t store credit card numbers in paper or electronic format? Well, that’s great in the sense that not having a computer network with sensitive authentication or other customer data that can be stolen by a cyber thief does indeed greatly reduce your exposure to certain types of data theft. But does that mean you don’t have to bother with making sure your business is PCI compliant? Since your business records are all on paper and you are very small anyway and don’t do a lot of credit card volume, you think you are protected by being too small to be noticed or targeted by a cyber criminal? Think again! Your very complacency and slight regard for the import and necessity of the PCI DSS are what make you a prime target for data thieves.
It is a natural human tendency to only focus on the big stories we see on the news, where gigantic banks or other financial services companies are breached by teams of high-tech, criminally minded hackers. These types of huge breaches are perpetrated by super advanced computer programmers, usually in concert with others, and are carefully planned and timed for maximum effect. But the percentage of cyber criminals with that level of skill and the right contacts is infinitesimally small. The vast majority of cyber thieves are of average or below average skill and have not got the time, inclination or (as I mentioned) proper skills to orchestrate large scale data theft. Just like the rest of us, the typical hacker is lazy (otherwise they might try their hand at an honest living), and your cute little mom and pop operation is just the right size and oh so much easier a target, especially if you aren’t PCI compliant.
PCI compliance is required for any merchant processing any credit cards, regardless of volume, but it also just makes good sense. See our home page for information on how you can protect your business by becoming PCI compliant. Best of all, it’s free!

Posted in PCI Compliance, Risk Management, Sensitive Data Storage

Risk Assessment Priorities Out of Whack for Level 4 Merchants

If you read the PCI Free Blog regularly, you might by now be familiar with my constant caterwauling about my frustration that merchants are still not taking PCI compliance seriously. It’s been over 3 years since the PCI DSS (payment card industry data security standard) was officially released and made mandatory. It was developed using Visa’s already existing (but not required) CISP, or cardholder information security program, way back in 2008. If you process credit cards and you’re not PCI compliant by now, my feeling is that you’re either deliberately foolhardy or, possibly more confounding, somehow ignorant of the very real and hazardous risks you face on a daily basis.
I came across an interesting article among the industry publications I keep abreast of, pertaining to the disproportionate view small business owners seem to have with regard to data security and the everyday inherent risks associated with merchant processing. These common attitudes may lend some insight as to why small business owners still view PCI compliance with skepticism. Last year in November a major PSP (privacy seal provider) completed and published its third yearly survey of trends found among level 4 merchants. The survey was conducted in partnership with an established PSE (payment settlement entity) and comprised 621 level 4 merchant responses.
It seems my personal malicious feelings toward those still refusing to be compliant weren’t unfounded. The survey found three essential root factors that are thought to contribute to a general lackadaisical attitude towards PCI compliance. The first factor is that the risk of financial loss seems not to be a large motivating factor for merchants to actively adhere to the PCI DSS. The second finding of the survey was that, while they are a minority of level 4 merchants, still a large number of small business owners out there seem to think that adhering to the goals of PCI compliance does nothing to enhance their data security. Finally, the third most salient finding is that, discouragingly, there has been little increase in PCI compliance understanding among level 4 merchants.
There are no two ways about it: if you’re not PCI compliant, you are putting your customers and your business at risk. A judge will tell you that ignorance of the law is not a defense. Ignorance of PCI will potentially cost you, big time. Don’t ignore it anymore! See our home page to find out how to become PCI compliant for free!

Posted in PCI Compliance, PCI DSS and PA-DSS, Sensitive Data Storage

Level 4 Merchants Need to be PCI Compliant Now More Than Ever

I know this blog might seem repetitive from time to time as I endlessly natter on about the importance of PCI Compliance for everyone. I try to impress upon the reader the reality that, while you only hear about the really gigantic data breaches involving large financial services or retail industries, that doesn’t mean thousands of small merchants aren’t targeted and victimized every year as well. If you’ve ever heard the term “level 4 merchant” and you’re a small business, they’re talking about you. A level 4 merchant is a business that takes fewer than twenty thousand ecommerce transactions or fewer than or equal to one million credit card transactions (of any type) in one year. Level 4 merchants have been shown to be largely ignorant of the measures to be taken for sensitive authentication data protection, according to a series of studies. The studies also show that, in addition to not knowing the correct security measures, small business owners appear to be very unrealistic about the impact a data breach could have on their business. Taking the time to become PCI compliant and implementing a plan to maintain PCI compliance will protect not only your customers’ information but also, by extension, your business’s ability to thrive.
A merchant whose stored sensitive authentication data is compromised can expect to pay multiple expensive fines and other penalties. They can expect a large legal bill and the added costs of stolen information recovery and card replacement. And for sure, perhaps least considered amid all the loss of revenue they’re worried about, is the irreparable damage to your company’s brand and reputation. Once these intangibles have been broken, the resulting loss of customers quite literally puts you out of business.
Verizon published its 2012 Data Breach Investigations Report, in which it claims that of the 855 breach incidents worldwide, ninety six percent of attacks were not highly sophisticated. Even more telling is the fact that ninety seven percent of the breaches could have been prevented using low to moderate security controls. You can take this to mean that following just the most basic goals set forth in the PCI DSS (payment card industry data security standard) and keeping up periodically with your PCI compliance is enough to stop your everyday run of the mill hacker and convince them to look for someone who still isn’t PCI compliant yet. If your business isn’t PCI compliant yet, see our home page for information on how you can become PCI compliant for free.

Posted in PCI Compliance, PCI DSS and PA-DSS, Sensitive Data Storage