The Green Sheet Online Edition
March 26, 2012 • Issue 12:03:02
Enhance your security protocols
The protection of financial data linked to payment cards and online accounts has been increasingly scrutinized both by the financial industry and federal regulators. ISOs, merchant level salespeople (MLSs) and merchants must recognize that data breaches can happen to any organization. If you collect or store sensitive information, you are at risk. Understanding the Payment Card Industry (PCI) Data Security Standard (DSS) will help you avoid costly breaches and regulatory fines.
Notable breaches of 2011
Several large-scale data thefts occurred in 2011, alarming merchants and cardholders alike. Here are the incidents receiving the most attention.
- In a high-profile intrusion of a Sony Corp. website, the names, addresses, payment card numbers and billing histories of over 100 million users were compromised.
- The Texas Comptroller's office discovered it had left personal records on a publicly accessible server for over a year. These records included names, addresses, Social Security numbers and, in some cases, driver's license numbers. The office faces a $3.5 billion lawsuit, or about $1,000 per individual whose privacy may have been violated.
- The New York Yankees suffered a data loss when an employee mistakenly emailed to 2,000 fans an Excel spreadsheet containing the names, addresses, phone numbers and email addresses of 21,466 season ticket holders.
- Michaels Stores Inc. suffered a PIN pad tampering scheme at more than 80 stores. This compromised payment cards, with over 100 customers reporting that their bank accounts were emptied.
- Fox Entertainment Group's servers were breached, compromising names, emails, passwords and phone numbers of thousands of potential contestants on The X-Factor television series.
Data breaches affect everyone, including acquiring banks, processors, ISOs, MLSs, value-added resellers, merchants and consumers.
The PCI DSS is extremely important to the industry. Why is PCI compliance so crucial? If you're a merchant or ISO who processes, stores or transmits card data, you must comply with the PCI DSS and the applicable related standards. Failure to comply can result in serious consequences, including expensive fees from merchant banks and the loss of the ability to process credit cards. Remaining noncompliant can be devastating.
Merchants are responsible for finding service providers that are PCI DSS compliant. Service providers must offer their merchants safe and reliable solutions and maintain PCI compliance. Merchants must also realize that compliance does not end with choosing compliant service providers: businesses may be required to change the way they operate to become PCI compliant themselves. Failure to do so, when necessary, can cost a company more fees and fines. Some notable requirements include maintaining:
- Data retention and disposal policies
- Anti-virus policies and procedures
- Password management rules
- Change management guidelines
The PCI standards are absolutely crucial in protecting consumers from theft by fraudsters. The PCI DSS limits access to cardholder data to minimize the risk of sensitive data being stolen. It focuses on protecting cardholder data, including how it is transmitted and stored.
Business owners who need to store cardholder information are obliged to protect that data. They must restrict access to cardholder data based on business needs, making sure that absolutely no one can access the data unless sufficient safeguards are in place. When cardholder data is stored, it must be encrypted and masked so that if someone does obtain unauthorized access, he or she will not be able to use the data without a decryption key, which unauthorized users should not possess.
Control measures are an important part of maintaining secure business practices. The human element is the hardest part to control. Access to sensitive data should be limited to people who have a business case for access. Not only should a limited number of people be able to access sensitive information, but also each person must have a unique ID to be able to view the information. The company also must maintain a full audit trail.
Maintaining a vulnerability-management program is also crucial. This is straightforward: keep anti-virus software up to date, run frequent scans, apply the latest software versions and patches, and perform regular vulnerability scans of your network.
The first steps in becoming compliant with PCI are meeting the requirements just described. Following is a final overview of milestones for prioritizing PCI DSS compliance efforts, drawn from the PCI Security Standards Council's website, www.pcisecuritystandards.org.
- Remove sensitive authentication data and limit data retention.
- Protect perimeter, internal and wireless networks.
- Secure payment card applications.
- Monitor and control access to your systems.
- Protect stored cardholder data.
- Finalize remaining compliance efforts, and ensure all controls are in place.
Understanding how to implement and maintain secure systems according to the standards set by the PCI SSC is a solid first step toward securing your company's future.
Nicholas Cucci is the Director of Marketing for Network Merchants Inc., a graduate of Benedictine University and a licensed Certified Fraud Examiner. Cucci is also a member of the Advisory Board and Anti-Fraud Technology Committee for the Association of Certified Fraud Examiners. NMI builds e-commerce payment gateways for companies that want to process transactions online in real time anywhere in the world. Contact him at firstname.lastname@example.org.