
The Green Sheet Online Edition

February 23, 2009  •  Issue 09:02:02


E-book Review:
PCI Compliance for Dummies

By Sumedh Thakar and Terry Ramos

Stealthy and anonymous, cyber thieves can wreak havoc on the commercial financial services sector. The opening of the e-book PCI Compliance for Dummies states that a cyber thief, not "a gun-toting thug," is the avatar of contemporary crime.

As evidence, coauthors Sumedh Thakar, PCI Solutions Manager for the IT asset security company Qualys, and Terry Ramos, Qualys Vice President, Strategic Alliances and Channel Development, cite security breaches at several U.S. retailers in recent years in which millions of credit and debit card numbers were stolen. TJX Companies Inc., BJ's Wholesale Club Inc. and OfficeMax Inc. are just three of nine or more retailers that have been breached.

Yet, while huge breaches at big corporations are sure to grab headlines, they are anomalies. Of all attacks on payment card systems, more than 80 percent target level 4 merchants - those who process fewer than 1 million transactions a year - of which there are about 6 million in the United States, according to the authors.

These are the retailers with whom PCI Compliance for Dummies seems primarily concerned. More than anything else, the reference to large-scale data swindling is a warning to smaller merchants that electronic payment security demands the highest vigilance; if leading corporations with top-flight security technology can be breached, imagine the vulnerability of a small retail shop with limited resources to devote to security.

Yet, the pressing importance of cyber security is far from universally recognized. According to the National Federation of Independent Business Guide to Data Security (as cited by the authors), 57 percent of merchants "don't see securing customer data as something that requires formal planning," and 61 percent "have never sought out information about how to properly handle and store customer information."


The book delves into technical examinations, both of the various ways data breaches happen and the different measures commonly undertaken to prevent them. At the book's core are explanations of the Payment Card Industry (PCI) Data Security Standard's (DSS) 12 requirements for guarding sensitive cardholder data.

The PCI DSS requires businesses to implement such measures as firewall protection, encryption, anti-virus software and a system for tracking all access to cardholder information.

"The great thing about PCI requirements is that they provide an excellent checklist for protecting cardholder data," said the authors in their description of industry regulations. "The PCI Data Security Standard requirements are the same points you'd normally use for overall information and network security."

In addition to the technical details (written in layman's language), the book covers basic procedures that can be overlooked in the cyber world of retail security - for example, making sure paper records of data are either eliminated or, if kept, properly and securely stored.

According to the authors, some common forms of data breach aren't terribly sophisticated; password theft tops the list. Often merchants simply don't bother to change the default passwords on their software. Hackers get passwords through online search engines and gain instant access to rivers of data. (According to the book, every unit of a given software release has the same default password.)

While the volume of information in PCI Compliance for Dummies is a bit staggering, all of it makes clear to merchants the need for both the construction of a full-scale cyber fortress and its watchful upkeep.

Network maintenance should include tests on firewall and router configurations, regular updates of anti-virus software, daily reviews of computer security logs and the use of "vulnerability scanning products and services."

Most suggestions in the book are mandated by the PCI DSS; a vulnerability scan (performed by an Approved Scanning Vendor) can be used to fulfill certain PCI testing requirements. To ensure compliance with all 12 requirements, however, the authors recommend engaging a Qualified Security Assessor for an on-site audit.

The stakes are decidedly high; without due diligence, a merchant risks seeing his or her business devastated by attackers armed not with guns, but simple pass codes.

To download this e-book, please visit

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
