The Green Sheet Online Edition

March 26, 2012  •  Issue 12:03:02

Enhance your security protocols

By Nicholas Cucci

The protection of financial data linked to payment cards and online accounts has been increasingly scrutinized both by the financial industry and federal regulators. ISOs, merchant level salespeople (MLSs) and merchants must recognize that data breaches can happen to any organization. If you collect or store sensitive information, you are at risk. Understanding the Payment Card Industry (PCI) Data Security Standard (DSS) will help you avoid costly breaches and regulatory fines.

Notable breaches of 2011

Several large-scale data thefts occurred in 2011, alarming merchants and cardholders alike. Here are the incidents receiving the most attention.

Data breaches affect everyone, including acquiring banks, processors, ISOs, MLSs, value-added resellers, merchants and consumers.

PCI matters

The PCI DSS is extremely important to the industry. Why is PCI compliance so crucial? If you're a merchant or ISO who processes, stores or transmits card data, you must be compliant with the PCI DSS and applicable related standards. Failure to comply can result in serious consequences, including expensive fees from merchant banks and the loss of the ability to process credit cards. Remaining noncompliant can be devastating.

Merchants are responsible for finding service providers that are PCI DSS compliant. Service providers must offer their merchants safe and reliable solutions and maintain PCI compliance. Also, merchants must realize they are not simply partnering with compliant service providers. Businesses may be required to change the way they operate to become PCI compliant. Failure to do so, when necessary, can cost a company more fees and fines. Some notable requirements include maintaining:

The PCI standards are absolutely crucial in protecting consumers from theft by fraudsters. The PCI DSS limits access to cardholder data to minimize the risk of sensitive data being stolen. It focuses on protecting cardholder data, including how it is transmitted and stored.

Business owners who need to store cardholder information are obliged to protect that data. They must restrict access to cardholder data based on business needs, making sure that absolutely no one can access the data unless sufficient safeguards are in place. When cardholder data is stored, it must be encrypted and masked so that if someone does obtain unauthorized access, he or she will not be able to use the data without a decryption key, which unauthorized users should not possess.

Control measures are an important part of maintaining secure business practices. The human element is the hardest part to control. Access to sensitive data should be limited to people who have a business case for access. Not only should a limited number of people be able to access sensitive information, but also each person must have a unique ID to be able to view the information. The company also must maintain a full audit trail.
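The two preceding paragraphs describe the storage and access controls in words; the following is an added illustration, not code from the article or from NMI, of a minimal cardholder-data store that applies them: the clear PAN is never kept (only a keyed token plus a masked form), each lookup requires a unique user ID with a business-need role, and every access and denial lands in an audit trail. The demo key, the HMAC token scheme and the role names are assumptions made for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed demo key (assumption): a real deployment keeps it in a key-management system.
TOKEN_KEY = b"example-key-do-not-use"

def luhn_ok(pan: str) -> bool:
    """Luhn check so malformed PANs are rejected before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """PCI DSS display masking: at most the first six and last four digits stay visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def tokenize(pan: str) -> str:
    """Keyed one-way token kept instead of the clear PAN (HMAC-SHA256 is an illustrative choice)."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()

@dataclass
class CardStore:
    records: dict = field(default_factory=dict)   # token -> masked PAN
    roles: dict = field(default_factory=dict)     # unique user ID -> role
    audit: list = field(default_factory=list)     # (user, action, token) trail

    def can_view(self, user: str) -> bool:
        """Business-need check: only billing and fraud staff may see stored card data."""
        return self.roles.get(user) in ("billing", "fraud")

    def store(self, user: str, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("invalid PAN")
        tok = tokenize(pan)
        self.records[tok] = mask_pan(pan)  # the clear PAN is never written anywhere
        self.audit.append((user, "store", tok))
        return tok

    def lookup(self, user: str, tok: str) -> str:
        if not self.can_view(user):
            self.audit.append((user, "denied", tok))  # denials are logged too
            raise PermissionError(f"{user} has no business need for card data")
        self.audit.append((user, "view", tok))
        return self.records[tok]
```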

Maintaining a vulnerability-management program is also crucial. This is straightforward: keep anti-virus software up to date and run frequent scans. Keeping software patched to the latest version and performing regular vulnerability scans will help maintain your network's security.

The first steps in becoming compliant with PCI are meeting the requirements just described. Following is an overview of the milestones the PCI Security Standards Council lists for prioritizing PCI DSS compliance efforts, drawn from its website, www.pcisecuritystandards.org.

  1. Remove sensitive authentication data and limit data retention.
  2. Protect perimeter, internal and wireless networks.
  3. Secure payment card applications.
  4. Monitor and control access to your systems.
  5. Protect stored cardholder data.
  6. Finalize remaining compliance efforts, and ensure all controls are in place.

Understanding how to implement and maintain secure systems according to the standards set by the PCI SSC is a solid first step toward securing your company's future.

Nicholas Cucci is the Director of Marketing for Network Merchants Inc., a graduate of Benedictine University and a licensed Certified Fraud Examiner. Cucci is also a member of the Advisory Board and Anti-Fraud Technology Committee for the Association of Certified Fraud Examiners. NMI builds e-commerce payment gateways for companies that want to process transactions online in real time anywhere in the world. Contact him at ncucci@nmi.com.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
