From time to time on this blog I attempt to encourage, persuade, cajole, manipulate and even frighten merchants and business owners processing credit cards to get their business PCI compliant before it’s too late. But as is often the case with esoteric and unfamiliar tasks, there is still a surprising number of merchants who haven’t taken the time to look into PCI compliance for their business. Part of the reluctance to get started may be that it seems too complicated or overwhelming. For a business owner whose computer literacy ends at knowing how to send an email or google a topic (all they’ve ever needed to do), the language and questions in the PCI DSS (payment card industry data security standard) must seem particularly daunting.
What you may not know, if you’ve been put off by the technical jargon, is that not every merchant has to complete the same SAQ (self-assessment questionnaire) for PCI compliance. There are four versions of the SAQ to accommodate the variety of processing methods and processing environments that differ from one business to another. The four SAQ versions are designated A, B, C and D, followed by the version number. The old 1.2 version is not valid after January 1st 2012, and any new SAQ submitted after that date must be version 2.0.
SAQ type D is the most comprehensive of the assessments and is required for all merchants processing via ecommerce or another public network, and for any merchant that stores sensitive authentication data in electronic format.
SAQ type C is shorter and is required for merchants processing via a public network or whose processing system communicates over an internet protocol (IP) connection.
For more detailed information about which SAQ is right for you, see our homepage. If your business processes credit cards and is not yet PCI compliant, or needs to re-validate its PCI compliance, we can show you how to do it for free.
Being PCI compliant means following the guidelines set forth in the latest version of the PCI DSS (payment card industry data security standard). If you are compliant at the time of a data breach, most processors and QSAs (qualified security assessors) include coverage against the financial loss from the fines and legal fees associated with the breach. But it isn’t simply a matter of following the guidelines by rote and expecting that no harm can come to you or your business. Computer and network security is a constantly evolving, moving target that must be continuously adapted and updated.
No security system is completely infallible due to a constantly changing computer security technology landscape, the continual invention of new products and methods, and good old human error. That being said, the goal for PCI compliance shouldn’t be absolute perfection, but significant progress, year after year, until fraud liability is at its lowest possible level. What was secure against outside access today may suddenly not be so tomorrow as criminal innovation continues to find new paths to circumvent even the tightest security systems.
For this reason, the PCI DSS and the requirements to achieve PCI compliance have a programmed life cycle of about three years. This way, the PCI SSC (payment card industry security standards council) is able, over time, to gather data and feedback from merchants, processors and financial services providers regarding which PCI compliance guidelines work and which don’t, as well as what items need to be enhanced or modified. In addition to the information provided by end users of the PCI DSS, it also allows time for other technological advancements and their impact on sensitive authentication data storage and transmission to be incorporated into the guidelines.
We’ll try to touch on this a little more next week. If your business is not currently PCI compliant, you are placing your livelihood at risk, as well as your customers’ information. See our home page to find out how your business can be PCI compliant today. Best of all, it’s absolutely free!
Just when you thought it was safe to start processing again, we discovered a new area of vulnerability that should concern long-time bankcard processors and merchants: the security of your stored legacy data, which may include old credit card numbers and expiration dates as well as other sensitive authentication data. For large companies with massive stores of customer data, much of the non-PCI-compliant data may predate the PCI compliance requirement by several years.
This sensitive data is often overlooked by the merchants and processors storing it, since PCI compliance is a relatively recent security requirement. If you have customer data that was stored prior to January 1st 2008 (after which, of course, everything moving forward meets current PCI compliance standards), it could be a data compromise liability waiting to happen. You can count on thieves and hackers exploiting this oft-overlooked area of stored data management. So, despite the potentially daunting task of converting or purging stored data going back years, the risk of loss is too great to ignore.
One industry servicer reported that a common problem with off-site stored data is the physical loss of that data on backup tape or another magnetic storage format. One such case, involving a US retail credit management company, was the recent discovery of missing backup tapes. The lost data included over six hundred and fifty thousand credit card numbers from its 230 US retailers. In addition, the lost backup tapes contained about one hundred and fifty thousand social security numbers belonging to cardholders.
Next week we’ll try to find some tips for tackling the seemingly insurmountable task of rendering data that you must continue to store for business or legal purposes. See our home page for information on how you can make your business PCI compliant for absolutely nothing!
As we were saying last week, credit card fraud perpetrators insert phony refund or credit transactions into a merchant’s online processing service by defeating weak login credentials. The fake refunds are sent to a series of debit cards (linked to a checking account), where the thief or one of the thief’s associates withdraws the funds before the loss is noticed. Some hackers have even inserted phony charge records to offset the refunds, camouflaging their crime even further. The PCI DSS (payment card industry data security standard) contains strong recommendations for log management. Visa has recommended that acquirers, processors and merchants periodically review their credit transaction monitoring rules. This increases the likelihood that unusual credits without offsetting sales will be detected early enough to prevent loss of revenue.
One goal I strive for in this blog is to constantly reinforce the facts about PCI compliance and also to dispel some of the myths floating around. Simply reading and robotically following the PCI DSS goals may not be enough. Maintaining your business’s PCI compliant status is a constant work in progress. Doing the bare minimum may not afford as complete protection as is possible for your business or your customers’ sensitive information. Some additional precautions may also be taken. These precautions include:
- Use strong authentication methods for online accounts to protect online credentials.
- Issue alerts to customers to be on the lookout for social engineering schemes, such as phishing and voice phishing (also known as vishing), that seek to obtain online login credentials.
- Keep a lookout for unusual refund transactions, paying particular attention to those without an offsetting sale transaction or those where the account number on the refund doesn’t match the account number on the original sale.
- Set exceptions or limits for refund transactions that mirror average sale amounts. Quarantine or hold for investigation any refund transaction amounts that exceed thresholds.
- Make sure credit or refund transactions correspond to a previously processed sale amount. Match the account numbers too and investigate mismatches.
- Require customers and merchants to immediately report any lost or stolen credit card equipment or computers hosting credit card processing software. Disable any terminal or software ID numbers and block any transactions from these terminals.
- Require customers and merchants to return or destroy old credit card processing equipment or software so that no proprietary information is compromised.
- For online web portal access, only allow connections from trusted, filtered IP addresses.
- If fraudulent credit or refund activity is detected, immediately report the suspicious transactions to the issuer of the account to which credits are routed. The issuer may be able to hold questionable transactions and assist with monitoring.
- Always report any suspected fraudulent activity to appropriate law enforcement and regulatory agencies.
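The refund checks from the list above (offsetting sale present, account numbers matching, amount not exceeding the sale, hold above a threshold derived from the average sale) run over a constructed daily batch, as an added example that is not part of the original post. The record layout, the threshold multiple and the sample masked account numbers are assumptions, not any processor’s format.

```go
package main

import "fmt"

// Txn is one constructed record from a daily batch: a sale or a credit (refund).
type Txn struct {
	ID      string
	Kind    string  // "sale" or "credit"
	Account string  // masked PAN (constructed); enough to match sale to refund
	Amount  float64 // dollars
}

type Alert struct {
	TxnID  string
	Reason string
}

// ReviewCredits raises one Alert per violation: (1) a credit with no sale on the
// same account, (2) a credit larger than the largest sale on that account, and
// (3) a credit above thresholdMultiple times the batch's average sale (held).
func ReviewCredits(txns []Txn, thresholdMultiple float64) []Alert {
	var alerts []Alert
	largestSale := map[string]float64{} // account -> largest sale amount
	saleTotal, saleCount := 0.0, 0
	for _, t := range txns {
		if t.Kind == "sale" {
			if t.Amount > largestSale[t.Account] {
				largestSale[t.Account] = t.Amount
			}
			saleTotal += t.Amount
			saleCount++
		}
	}
	threshold := 0.0
	if saleCount > 0 {
		threshold = saleTotal / float64(saleCount) * thresholdMultiple
	}
	for _, t := range txns {
		if t.Kind != "credit" {
			continue
		}
		if sale, ok := largestSale[t.Account]; !ok {
			alerts = append(alerts, Alert{t.ID, "no offsetting sale on this account"})
		} else if t.Amount > sale {
			alerts = append(alerts, Alert{t.ID, fmt.Sprintf("credit %.2f exceeds largest sale %.2f on this account", t.Amount, sale)})
		}
		if t.Amount > threshold {
			alerts = append(alerts, Alert{t.ID, fmt.Sprintf("credit %.2f exceeds hold threshold %.2f", t.Amount, threshold)})
		}
	}
	return alerts
}

// SampleBatch is a constructed batch: three sales, one proper refund, two fraud-pattern credits.
func SampleBatch() []Txn {
	return []Txn{
		{"s1", "sale", "411111******1111", 42.50},
		{"s2", "sale", "510510******5100", 38.00},
		{"s3", "sale", "371449******8431", 55.25},
		{"c1", "credit", "411111******1111", 42.50},   // legitimate refund
		{"c2", "credit", "400000******0002", 2500.00}, // no sale, far above threshold
		{"c3", "credit", "510510******5100", 120.00},  // larger than the sale it refunds
	}
}

func main() {
	for _, a := range ReviewCredits(SampleBatch(), 3.0) {
		fmt.Printf("HOLD %s: %s\n", a.TxnID, a.Reason)
	}
}
```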
More tips and other important PCI compliance information to follow next week. See our homepage to find out how to make sure your business is PCI compliant for free.
We talk a lot here about the small business owner and the importance of the payment card industry data security standard (PCI DSS), even though small businesses often don’t have large and complex database networks. Any merchant at any time may be targeted by a criminal bent on stealing and using or selling the sensitive authentication data in their possession. But becoming PCI compliant doesn’t mean you can rest on your laurels. Maintaining your PCI compliance is an inexact science that has to be tailored to the needs of your particular business. Just doing the bare PCI compliance minimum to meet industry requirements, while certainly better than nothing, doesn’t mean you don’t have to remain vigilant.
Those merchants that do high credit card processing volume on a large scale typically have no choice but to use networked computer systems to run the business. A rule of thumb with regard to system integrity is that the most complex systems are by nature also the most unstable. Products or services available on the internet that offer customers the convenience of paying by credit card are commonplace these days, and provide a vast hunting ground for computer criminals. Lately industry partners have noted the rise of a classic fraud method in which the hacker takes advantage of weak online sign-in credentials to access accounts and perform fraudulent credit card transactions.
A few recently reported cases indicate that cyber thieves use phishing and other fraud techniques to search for merchants with weak authentication requirements and gain access to their online accounts for their processing service. After the merchants’ login credentials and passwords were compromised, the thieves sent fraudulent credit (refund) transactions to debit cards (a.k.a. check cards, which draw on the cardholder’s checking account balance) set up by criminal cohorts. The amounts were commonly in the thousands of dollars per transaction.
To the merchant, these credit transactions appear as refunds to customers’ cards, rendering them more difficult to detect or delaying their detection. Next week, more on this and some tips to reduce your exposure. See our homepage for information about how your business can be PCI compliant. Best of all, it’s free!
I know if you read this blog regularly that I harp on this particular subject with frequency. This is not the result of recurring writer’s block or a lack of new materials to write about. It is simply that no matter how often I write about this, I continue to hear small business owners still on the same script they were on when the PCI DSS (Payment Card Industry Data Security Standard) first became an industry requirement. We’re going on four years here now with little to no change in attitudes towards PCI Compliance. Even the common misconceptions about the PCI DSS remain virtually unchanged. So I can only conclude that I haven’t written enough about the reality of cyber theft and the threat it poses to small merchants in particular.
Merchants typically underestimate the risk of being breached because the only time you hear about a data breach on the news is when a large company is the victim. Small business owners are particularly susceptible to this error in perception, thinking that, since they rarely if ever hear of a small business being hacked, the incidence of small business breaches must be rare as well. They also tend to suppose that hackers only scope out national or international businesses with high revenues and large customer bases. In actuality, this is a gross error in judgment; the opposite is true.
An assistant director of the FBI’s Cyber-crime Division was quoted recently, speaking of how prolific and widespread credit card data theft is despite the lack of regular news stories about it. The FBI agent said that there are innumerable high-dollar thefts that don’t make the news. Now reader, please, pay close attention to this next part. The reason hackers are gravitating towards small businesses is that over the past decade the huge merchants and financial institutions have been actively working towards creating the least vulnerable computer networks money can buy, and it is paying off. While hackers and cyber security software engineers are in a constant battle of technology development, each responding to the other’s innovations with more innovation, the big national companies have attained a state of perpetual high network security. This leads the hacker in search of a target to pass on the daunting task of penetrating the most advanced computer security systems on the planet and instead prey on the smaller and far more vulnerable small business owner.
Don’t wait any longer, make your business PCI Compliant today. Visit our homepage to find out how you can attain PCI compliance for your business, absolutely free!
If you read last week’s blog then you know that there is a new version of the PCI DSS (payment card industry data security standard) SAQ (self-assessment questionnaire): version 2.0. You should also know that there are decisions to be made for merchants processing with an IP-connected device. Some of the changes for firewall protection and other security concerns will be more significant for these merchants.
Changes will include clarifications on:
- the applicability of cardholder data and the PCI DSS;
- scoping and locations for cardholder data environments;
- virtualization recommendations;
- boundaries between cardholder data environments and the internet, with more on DMZs;
- key management process changes;
- consolidating secure coding;
- moving, copying and storing cardholder data;
- taking a risk-based approach when addressing vulnerable areas of data security.
There are not as many changes to the PA DSS (payment application data security standard), but the changes have a greater impact. There is new guidance on remote update and access to payment applications, as well as for end user terminals running payment applications. To bring PA DSS requirement 4.4 into full alignment with PCI DSS requirement 10.5.3, it now specifies that payment applications must support centralized logging.
This is the most significant change to the PA DSS, and for payment application vendors it will require the provision of detailed logs. The PA DSS requirements give further details as to the parameters to be met. For merchants using payment applications, the corresponding PCI DSS requirement states that the log output has to be centrally collected and managed. Incorporating log management products will be essential to achieve PCI compliance.
Remember, PCI compliance isn’t just for the protection of your business, but the protection of your customers and ultimately the integrity of the electronic payments industry as a whole. See our home page for information on how to register your business PCI compliant for free!
Obtaining your PCI compliance and maintaining your PCI compliance should now be a standard part of your business security plan. Just like seatbelts and locks for your automobile, you have to protect your credit card processing service and your customers who use credit cards. All merchants will be required to update their PCI compliance SAQ (self-assessment questionnaire) to the new version 2.0. This new version has been updated to keep pace with the dynamic evolution of fraud perpetrating technologies and software products.
For many merchants, it won’t be much of a stretch, as only minor changes have been made. For SAQ B (used for non-IP-connected authorization equipment that does NOT store cardholder data) the changes include some fleshed-out explanations of the requirement goals and 3 additional questions regarding your data protection methods. If you’ve been PCI compliant from the start, the transition from SAQ B V1.2 to SAQ B V2.0 should be simple, as long as you haven’t changed from using a stand-alone dial-up terminal that settles daily.
For merchants who use IP communicating devices or an internet connection, there will be more changes and protection methods to update and employ on your network. As a merchant processing credit cards, it is imperative that you protect your cardholders’ data, both when stored and when in transit. SAQ C V2.0 and SAQ D V2.0 will need to be carefully reviewed and all new firewall protection and software updates or patches implemented. To be PCI compliant, these merchants will at a minimum need:
- A firewall / intrusion prevention system
- A vulnerability scanner for quarterly scanning
- A database activity monitoring system or application monitoring system to protect and monitor login access history to stored sensitive authentication data
- For audit purposes, a log management system for secure storage of all logs
- Some type of security information and event management (SIEM) software
There are some decisions to be made as to how you will approach the new requirements that we’ll touch on next week. See our homepage for more information & instructions on how to make your business PCI compliant today, for free!
If you are a merchant running a business that accepts credit cards, by now you have at least heard of the payment card industry data security standard, or PCI DSS. If your business isn’t PCI compliant, then you and your customers are at greater risk than you need to be. If your business isn’t PCI compliant by now, you are also about 3 years behind the times. PCI compliance became a mandatory requirement at the beginning of 2009, and merchants can be fined by the payment card industry security standards council up to $25 per month, every month, until PCI compliance is achieved. The potential industry fines, however, pale in comparison to the immediate and collateral damage that accompanies a breach of sensitive authentication data. Following a data breach the merchant is responsible for all loss of revenue due to fraud on the stolen data (though this may not come to light for some time), not to mention the cost of breach containment, the required investigation(s) and, of course, plenty of legal fees. Oh, and did I mention the permanent loss of angry customers, and their friends? Even if you survive the onslaught of fines and fees, can your business recoup its reputation?
Does any of this sound scary? Think it can’t happen to you? While it’s true that the data breaches you hear about are giant banks and financial institutions, attractive to thieves for the sheer volume of money to be stolen, small businesses are fast becoming a favorite target of the common hacker. Why, you ask? Precisely because so many small merchants believe their business to be beneath notice and therefore don’t bother with PCI compliance, or any other data security measures beyond a deadbolt on the front door. Problem is, these data thieves don’t need to get in your door to rob you (and your customers) blind. They do it remotely from the comfort of their own homes.
Regardless of your current PCI compliance status, however, there is a new version of the self-assessment questionnaire as of January 1st, 2012: SAQ version 2.0. Make sure you use this version for any initial PCI compliance validation or renewal of current PCI compliance validation. If you completed the old version, SAQ version 1.2, on any date in 2011, your compliance is considered valid until its expiration, usually one year from the completion date. Most processors include some level of monetary reimbursement or breach coverage, provided the merchant had a valid PCI compliance registration at the time of the breach, which can be applied to certain fines or legal fees the merchant will incur. This site can show you how to easily and correctly get your business PCI compliant, and best of all, it’s free!
The PCI DSS requires that you, the merchant, be responsible for the protection of your customers’ personal information. Encryption is a process by which plain-text information is encoded by an algorithm into an unreadable format. It can only be translated back, or decrypted, into plain text by using the proper “decryption key”, known only to the merchant and their processor. Merchants and processors should be using an industry-approved and lab-certified encryption algorithm.
Encryption of sensitive authentication data is essential for becoming PCI compliant and for maintaining PCI compliance. It is so important that any transmitted or stored data be encrypted that it may be the single most effective protection you have against loss of data from theft. Any data that is stored or transmitted must be encrypted at the moment of data capture for airtight protection. Data that should be encrypted includes (but is not limited to) the cardholder’s PAN (primary account number), a.k.a. the card number, and any other magnetic stripe data on all tracks. When data is encrypted immediately upon receipt, prior to storing or transmitting, we call that “end-to-end encryption.” This prevents information from being stored or transmitted in plain text, where it might be vulnerable to interception by computer hackers. If encrypted information is gleaned from a transmission, or stolen from a database, it is useless to the hacker.
The unfortunate reality is that, as of yet, no encryption algorithm is infallible. But when encryption is properly employed, only the most knowledgeable and experienced thieves possess the tools and know-how to circumvent the algorithm and break the encryption. Proper key management will also limit the amount of information a thief can read with any one broken key. The PCI DSS stipulates that all encryption keys should be reviewed and updated every six months at a minimum. Reviewing and updating encryption keys more frequently than that lends additional protection: since more frequent key updates shrink the set of information each key can unlock, you control how much information any single key will decrypt.
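The key-management point above, as an added example that is not from the original post and not any processor’s implementation: each PAN is sealed with AES-256-GCM under whichever key version is current at the moment of capture, and a single leaked key opens only the records from its own rotation period. The Go types, the simulated period layout and the constructed test PAN are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is one stored, encrypted PAN tagged with the version of the key that sealed it.
type Record struct {
	KeyVersion int
	Nonce      []byte
	Ciphertext []byte
}

// randBytes draws n bytes from the OS CSPRNG (used for both keys and nonces).
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable here
	}
	return b
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a bad key length
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// Seal encrypts a PAN at the moment of capture under one key version.
func Seal(version int, key []byte, pan string) Record {
	aead := gcmFor(key)
	nonce := randBytes(aead.NonceSize())
	return Record{version, nonce, aead.Seal(nil, nonce, []byte(pan), nil)}
}

// ExposedBy tries one leaked key against every record and returns how many
// PANs it recovers; GCM's tag rejects records sealed under any other key.
func ExposedBy(records []Record, leakedKey []byte) int {
	aead, n := gcmFor(leakedKey), 0
	for _, r := range records {
		if _, err := aead.Open(nil, r.Nonce, r.Ciphertext, nil); err == nil {
			n++
		}
	}
	return n
}

// Simulate generates a fresh AES-256 key for each of `periods` rotation
// periods, seals perPeriod constructed PANs under each, and returns both.
func Simulate(periods, perPeriod int) ([]Record, [][]byte) {
	store, keys := []Record{}, [][]byte{}
	for v := 0; v < periods; v++ {
		keys = append(keys, randBytes(32)) // rotation: new key version v
		for i := 0; i < perPeriod; i++ {
			store = append(store, Seal(v, keys[v], "4111111111111111")) // constructed test PAN
		}
	}
	return store, keys
}

func main() {
	store, keys := Simulate(4, 100) // four rotation periods, 100 PANs each
	fmt.Printf("leaking key v0 exposes %d of %d records\n", ExposedBy(store, keys[0]), len(store))
}
```

Shortening the rotation period (more versions for the same number of records) is exactly what shrinks the count a single leaked key returns.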
For more on this and other techniques for protecting your customers and, in doing so, yourself, go to our home page and find out how to become PCI compliant. Following the requirements set forth in the PCI DSS and maintaining your PCI compliance is your best protection against data loss due to theft. This site will show you how to become PCI compliant for free.