If you process credit cards you have to be PCI compliant because the industry requires it. A startling number of businesses still are not taking PCI compliance seriously because it just seems like a bunch of technical mumbo-jumbo & doesn’t make a lot of sense. This is where your personal responsibility comes into play. It may take just the slightest effort you could find out what it really means and why I keep writing about how important and serious the PCI DSS (payment card industry data security standard) really is.
An ABC news outlet reported on a video released by al Qaeda leadership that called for devout Muslims to wage an electronic jihad against the United States and Western Europe. In the video, the speaker makes comparisons between computer American network vulnerabilities and flaws that existed in aviation security prior to the September 11th attacks. The FBI got hold of this video last year and was recently released by the Senate Committee on Homeland Security and Governmental Affairs. The speaker in the video calls upon radical Islamists to launch cyber attacks focusing on critical infrastructure and vulnerable computer networks. The video also suggests attacks on the electrical grid. Now do you think, just maybe, that the severity and urgency of the PCI DSS is something you need to address if you haven’t already?
Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman (I-Conn.) said in a statement: “This is the clearest evidence we’ve seen that al Qaeda and other [Muslim] terrorist groups want to attack the cyber systems of our critical infrastructure.” Sen. Susan Collins (R-Maine), a ranking member on the committee says that, “This video is troubling as it urges al Qaeda adherents to launch a cyber attack on America.” National security experts warn that the threat of an attack by cyber terrorists is quite real and that the tools required to perpetrate the kinds of attacks they aspire to are nearly within their grasp.
This bodes not well for the misguided business owner processing credit cards or other sensitive authentication data who are still not PCI compliant. PCI compliance is real and essential. Get PCI compliant. Do it now, today. See our home page to find out how your business can be PCI compliant quickly, easily and, best of all, absolutely free of charge. It’s worth your time.
If you have been keeping up with our blog recently you’ll remember that last week I discussed the inherent vulnerabilities of non-PCI compliant peripheral devices. In particular the mobile MSR (magnetic stripe reader) devices being provided by a merchant processing service provider called Square Up. The free and convenient device is easy to use and an attractive payment solution for many budding entrepreneurs and e-bay hobbyists. What the customer isn’t told however is that the device does not comply with the PCI DSS (payment card industry data security standard) requirement regarding data encryption.
Strong data encryption measures are essential for wirelessly transmitted information due to its sensitive nature. Devices with easily defeated or compromised data encryption software put both the merchant and the cardholder at unnecessary risk. The fact of the matter is this: whether you see them or not, hear about them or not, the cyber world is teeming with thieves and opportunists looking for someone careless to take advantage of. And the criminals are getting more skilled, efficient and invisible as time goes on. All of the IT security and electronic payments industry experts agree without dissent on one sure fact, namely that computer and information security incidents are on a steady rise.
PCI compliance for your business is not only your obligation if you process electronic payments; it’s your duty as a responsible merchant and fellow hardworking American to perform the due diligence of sensitive authentication data protection. Becoming PCI compliant and regularly monitoring and maintaining PCI compliance benefits your business, your customer, and the overall integrity of the entire electronic payments system.
Will Square Up recognize the importance of the PCI compliance protocols before some kind of large scale, cooperative, synchronized data theft is perpetrated? One can only speculate about such matters. One does not need to speculate, now that you’ve read these words and know better, whether or not the use of non PCI compliant devices is worth the risk.
See our homepage to find out how to officially validate your PCI compliance absolutely free.
A new type of processing service company is blazing new trails in mass credit card processing availability. This opens up a whole new world of payment options to those who previously could only be paid in cash or checks. There are millions of honest, hardworking, law-abiding people out there trying to make a fast buck in our ever-changing economy, and companies like Square Up do make it possible for the non-business owner to take credit cards without doing the full underwriting required for the type of account that is setup for a retail type business. Unfortunately the device that Square Up provides for their wireless service is not PCI compliant. This comes from an industry giant in the manufacture of POS (point of sale) equipment in what they called “An Open Letter to the Industry and Consumers.” In the letter they state that the mobile MSR (magnetic stripe reader) provided complimentary by Square, does not meet PCI DSS (payment card industry data security standard) requirements for devices that transmit over an open public network like the mobile broadband network.
The reason it is not compliant because it does not meet the data encryption standard required by the PCI SSC (payment card industry security standards council) which is populated by IT security and network management professionals, in addition to credit card processing industry professionals. PCI DSS requirement 4 says: Encrypt transmission of cardholder data across open public networks. The Square Up device does not use encryption and decryption software and, according to the POS equipment manufacturer: “In less than an hour, any reasonably skilled programmer can write an application that will “skim” or steal a consumer’s financial and personal information right off the card utilizing an easily obtained Square MSR. How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this.”
More to follow on next week’s blog. If your business isn’t PCI compliant yet, you are doing yourself a disservice. See our home page for information on how your business can be PCI compliant for free!
I recently was reading a blog by an employee of one of the largest payment processors in the United States. He said that he hears lots of complaints about the burden of PCI compliance. He says, like I do, that a major reason people are so opposed to becoming PCI compliant is because they simply do not understand the benefits and protections the PCI DSS (payment card industry data security standard) affords a business. He says that in the many post-data breach interviews he has conducted, that every victim inevitably states that he or she wishes someone had sat them down and really explained the significance and necessity of PCI compliance. Most people think it’s just some new time-wasting contrivance of an industry already resented for its profitability and autonomy (though recent government regulation has compelled some pricing controls) and ultimately unnecessary. Some other reservations of merchants recalled by this other industry blogger were that they believed PCI compliance to be a new form of taxation, or that service providers were just getting greedy.
I found it ironic that the blogger, who is employed by a huge payment settlement entity, he has to pass a blind eye over the real elephant in the room. More than the time required to become PCI compliant, more than the anxiety stemming from the strangeness and novelty of the requirement, people don’t like PCI compliance because of the monetary expense of being PCI compliant. That’s why it’s misconstrued as a form of taxation and or just the industry being greedy. Neatly avoiding that glaring issue all together, the article goes on to explain the benefits of PCI compliance, which anyone who reads this blog should know by now.
If your problem all along regarding the PCI DSS is the cost of becoming PCI compliant that your service provider is hitting you with on a monthly or yearly basis, you have come to the right place. See our home page for details on how to get your business PCI compliant, absolutely free!
Is your business PCI compliant? It is? That’s great, but now that you’ve completed an SAQ (self assessment questionnaire) and registered with your service provider, it’s not time to rest on your laurels come what may. The PCI DSS (payment card industry data security standard) is a set of goals and procedures that the industry requires all merchants to follow, but filling out an SAQ and validating your compliance doesn’t make your business, computer network or customers’ information totally secure. Only you and your employees can actually take an active role in the protection of your sensitive authentication data and the identification and containment of threats. It’s a tool to use when going about the task of securing the integrity of your network and company or customer information, a foundation from which you can more efficiently and effectively maintain a high level of data protection.
But even the most finely crafted of tools is useless without an operator skilled in its uses. The same is true of the PCI DSS as it is of any tool and must be regularly monitored, maintained and updated as needed to be truly PCI Compliant, in both letter and spirit. It is analogous to the current battle being waged between medical science and lethal bacteria, medical science being just an antibiotic step or two ahead of the most deadly bacteria. The same is true with regard to computer security technology versus computer hacking technology.
Just doing the bare minimum that the PCI DSS requires for becoming PCI compliant may ward off the fines charged by the industry for having an expired PCI compliance validation, but true compliance goes beyond just the letter of the law. The sprit in which the PCI DSS was generated, and that of its predecessor, the CISP (customer information security program) started by Visa is that of an involved and ongoing commitment to sensitive authentication data security. If everyone is concerned with having the best defenses in place and the protection of their customers’ cardholder data, it not only benefits the individual, but the integrity of the entire payments system.
If you’ve hesitated for some reason before, now is the time to get your business PCI compliant. See our homepage for information on how to do it absolutely free.
For the last few weeks we’ve been covering the highlights of an international data security report published by one of the industry’s leading QSA’s (qualified security assessor) in an effort to better understand what works and what doesn’t with regard to computer network protection. Some final findings of the report make it clear that in addition to following the requirements of the PCI DSS (payment card industry data security standard) there is still a need for that human touch and reasoning.
One unanticipated finding was that percentage of business owners or employees that were able to detect a security breach on their own was a discouraging sixteen percent. The remaining eighty four percent only found out that they had been compromised when they were informed of the breach by an outside source. Whether alerted by a consumer, local or federal law enforcement, or industry regulators, an analysis of those types of cases found that the average time between the data compromise and its detection and containment was over one hundred and seventy days! The amount of time the thieves had to exploit or sell the stolen information is staggering. I imagine that long before that timeframe has passed, they’re long done wringing what they can from that poor soul’s account.
This statistic, to me, is the most telling about the general attitudes of business owners and their employees towards the seriousness of PCI compliance. People out there still think that once they fill in some form answering a bunch of questions that don’t mean a whole lot them, that they’re done with their efforts to make their customers’ data safe. Fortunately law enforcement’s detection abilities have improved over five hundred percent in the last year. The authorities are taking PCI compliance seriously and so should you. The increased effectiveness of the police and Secret Service (a branch of the treasury department that investigates financial crime) is a testament to system-wide adaptation and anticipation of the growing threat. They have clearly gone above and beyond what is merely the standard they are required to meet. Take PCI compliance seriously, please. You only risk catastrophe by not becoming PCI compliant. Know that you can, easily, now, for free. See our homepage.
Last week on the blog we highlighted the types of businesses, namely food and beverage services (e.g. restaurants) that are the most frequent victims of cyber-crime. Becoming PCI compliant and maintaining your PCI compliance is the easiest, fastest and most complete way to protect your customers’ sensitive authentication data, and by extension, your business’s proprietary data. Though restaurants and other aspects of the food and beverage service industries are the most often attacked by hackers, some other business types and formats have also been observed to have a higher incidence of data breaches. We’re not saying get out of the business you’re in if you are at higher risk, just be aware that the hackers out there view your business as a higher value target.
A major industry QSA (a.k.a. qualified security assessor) published a report this year that was compiled from a series of investigations and vulnerability tests throughout the year 2011. Chain stores and franchises exhibit a particular characteristic attractive to data hackers. These types of businesses tend to use the same IT systems in all of their locations for the easy implementation inherent to conformity. It’s not a stretch to now realize that if a hacker circumvents one location’s network security, it stands to reason that they can overcome other locations as well. In 2011 over 30% of all data breach investigations according to the QSA and they predict that percentage will rise this year.
Among the findings in the report it was noted that businesses are far too lax with regard to their password requirements. In an analysis of over two million passwords used by businesses they found the most common to be Password1 as this meets standard default password requirements of at least one capital letter, at least one lower case letter, and at least one number. To add a new dimension of complexity and an exponential number of possible password combinations, have your IT systems administrator require a symbol or non-letter/non-number character.
One of the most interesting discoveries of the QSA’s report is there is actually a specific hour of the day that is the most risky. If you are one of those who tend to open emails immediately when they’re received (unlike me who lets them pile up) then know that the most common time for an email sent with a malicious attachment is between 8:00 a.m. and 9:00 a.m.
Is your business PCI compliant? If not it’s time to ask yourself why. Network and data security is becoming more integral to our lives every day, especially in business. Visit our home page today to find out how your business can be PCI compliant and maintain its PCI compliance at no cost to you.
We’ve been talking on the blog here about a comprehensive report of industry fraud compiled over the last year by one of the top QSAs (qualified security assessor) in the business. Some of their key points may enlighten you. Keep in mind that your best defense and preparation for the possibility of sensitive personal or authentication data being stolen is to be PCI compliant. The PCI DSS (payment card industry data security standard) is a list of goals and procedures that, when followed vigorously, inures your business against vulnerability of a data breach.
One interesting piece of data is indicates that hackers still often target electronically stored customer records. In fact of the breached data investigated while researching for the report, 89 percent of the data was customer records. Theft of intellectual property and trade secrets trailed customer records at only six percent. However, sophisticated and coordinated attacks bent on retrieving this type of data are increasing in frequency and rate of success. The QSA also says that its own investigation frequency has risen by 42 percent than the previous year. This included over 300 investigations involving breached data and spread over 18 countries around the world. The increased frequency of investigations follows an increased rate of cyber theft attacks, which are becoming more effective, as well as a rise in fraudulent activity in the Pacific Rim.
Unfortunately, for the second year running, the food and beverage industry claims the top spot for cyber-thief quarry. In 2011 this industry accounted for almost 44 percent of data breaches investigated by the QSA.
If you own a restaurant that takes credit cards and you are not currently PCI compliant, you are tempting fate. Just because you think you’re too small to attract notice doesn’t make you any less likely to be the victim of a data breach. If you are found to be PCI compliant at the time of a data breach, the industry affords certain protections and assurances and most processors include a modest amount of breach coverage. But again that is only if you are PCI compliant. If you are not PCI compliant, you’re on your own when it comes to the legal fees, industry fines and other liabilities that will sum up to a hefty bill that will most likely put you out of business…permanently. See our homepage to find out how your business can certify its PCI compliance today, absolutely free.
One of the leading providers of PCI compliance solutions and information security published a report analyzing a sampling of research, merchant feedback and investigations over the last year. The findings of the report are based on over two thousand infiltration tests and over three hundred investigations of data breaches. The tests and investigations were performed by the QSA’s (qualified security assessor) internal advanced research and development security team. Their investigations and tests highlighted application security testing, forensics and hacking vulnerability.
The report showed that the food and beverage (restaurant) industry is still the top target for cyber theft for the second year in a row. In addition the 2011 investigations revealed that more than a third of the compromised accounts were franchise businesses. Researchers suggest that businesses that are modeled as franchises will be at the highest risk of a data breach in 2012. On top of all this the report illuminates some surprises regarding the most common passwords used by businesses around the world and what time of day is the highest risk times of day to open an email.
Many in the industry consider this report to be the most comprehensive on cybercrime, data breach trends, developing or new security threats and on best security practices recommendations. Making sure your business is operating in accordance with the PCI DSS (payment card industry data security standard) is your best basic defense against a data breach. If your business accepts credit cards or handles sensitive authentication data from customers, you are required to be PCI compliant. It is your responsibility to protect your customers’ data by following the goals set forth in the PCI DSS version 2.0. If your customers’ personal or financial data is stolen, you are liable for any fraudulent activity perpetrated on the compromised accounts. Only if you are PCI compliant at the time of the breach will you be afforded certain protections as well as, in some cases, tens of thousands of dollars in breach coverage.
Next week we’ll cover some more of the interesting findings of this report. See our home page to find out how your business can obtain its vital PCI compliance at absolutely no cost to you.
Last week we covered two of the four self-assessment questionnaires (SAQ) required by the card associations for PCI compliance. The two SAQ types mentioned last week are the most complex and longest of the four. These questionnaires contain many technical terms in reference to security and virus protection software. They also review local area network (LAN) settings, firewall protections and connected or shared access points. Unless you are highly computer literate, most businesses have personnel dedicated to internet technology (IT) support. Your IT support staff will be best suited to complete the network security portion of these questionnaires.
Remember that SAQ type C is required if you transmit data over an open public network such as the internet or cellular signals, whether or not you store cardholder or other sensitive or personal data in an electronic format. SAQ type D is required if you store cardholder or other sensitive or personal data in an electronic format, regardless of your method of processing.
The other two types, SAQ A and SAQ B should be used if your credit card processing is done via a stand-alone dial-up credit card terminal that is not connected to any other office system or network. You may qualify to complete SAQ type A if you only call an automated voice authorization service from any regular phone. This type of processing uses no equipment beyond the merchant’s phone, and there are no electronic records or hard copy electronic printouts.
The majority of small to medium sized businesses that have no business or legal need to store cardholder data electronically and use a traditional electronic credit card processing terminal are eligible to use SAQ type B for validating their PCI compliance. Please see our homepage for information on which SAQ is right for you. If your business accepts credit cards, you are required to be PCI compliant. Your business can validate its compliance for free on our home page.