The Green Sheet Online Edition
March 10, 2014 • Issue 14:03:01
Help merchants sleep better at night
Owning a business is no walk in the park. From ordering product and managing inventory to hiring the right people to budgeting for advertising, facilities rental and maintenance, and employee compensation, business owners have a tremendous amount to address just to keep their doors open and remain competitive. It seems business owners' responsibilities are endless. Now, given the potential for data breaches and the compromise of customer information, running a business has become even harder.
According to Privacy Rights Clearinghouse data published in January 2014 at www.privacyrights.org/data-breach, over 600 million credit card records have been compromised in the United States since 2004, all before the recent breaches at Target and Neiman Marcus. However, we tend to only hear about breaches of major brands that affect a larger population. What should equally concern us are the breaches we don't hear about. For example: the local restaurant whose POS system was compromised by malware; the local clothing store that processed cards via a high speed terminal only to learn a port was compromised; or the online merchant whose gateway transmitted data to a foreign IP address.
Security breaches are happening across the world and are negatively affecting companies' reputations and bottom lines. The Ponemon Institute's 2013 Cost of Data Breach Study: Global Analysis found that the business cost for a data breach in the United States is approximately $200 per compromised record.
EMV and PCI
What can business owners do to better protect themselves, and what can we, as their merchant services providers, offer in this regard? The rallying cry over the past few years has been Europay/MasterCard/Visa (EMV), also known as chip-and-PIN. In essence, EMV makes card replication much more difficult than the current mag stripe.
However, EMV has several limitations. It doesn't address protecting card data when it is en route to the processor; protecting post-authorization storage of card data by the merchant; or protecting against card-not-present fraud. EMV offers certain benefits to business owners, but would EMV have prevented the Target and Neiman Marcus breaches?
Have you considered the role of the PCI Security Standards Council (PCI SSC) in protecting merchants from data breaches? In January 2014, the PCI SSC released Payment Card Industry (PCI) Data Security Standard (DSS) 3.0 aimed at heightening the security for our national payment-acceptance infrastructure. Disappointingly, PCI DSS 3.0 hardly addressed mobile processing, one of the fastest growing methods of payment acceptance. The update was needed and will be beneficial to all businesses. However, would PCI DSS 3.0 have prevented the most recent breaches?
Data security is getting complicated for payment professionals and business owners alike. What might help business owners sleep better at night? One technology moving to the forefront of our industry is point-to-point encryption (P2PE). Using P2PE offers three main benefits:
- A credit card transaction is encrypted as soon as it is swiped at the POS and remains encrypted throughout the merchant's environment. Therefore, even if a breach occurs within the merchant's network or environment, the stolen data would be encrypted, rendering it useless.
- When P2PE is employed, malware cannot be placed on a POS system. If any foreign application were to be placed on a POS system, the system would stop working immediately.
- Using a certified P2PE solution completely removes a merchant from the scope of PCI compliance, even eliminating the PCI DSS Self-Assessment Questionnaire requirement.
In "Make it a wonderful day," published in the Jan. 13, 2014, issue of The Green Sheet, I urged MLSs to provide value to merchants rather than sell on price. Helping merchants navigate through the uncertainty of PCI, while understanding the vulnerabilities and exposure brought on by accepting credit cards for payment, brings value and clarity to an otherwise murky subject.
So learn the pros and cons of EMV, PCI DSS 3.0 and P2PE. More importantly, perform due diligence on any product you want to sell. Not only will your knowledge help business owners feel more in control and protected, it will also help you build and grow your business.
Adam Moss is the Chief Operating Officer of Charge Card Systems Inc. He can be reached at firstname.lastname@example.org or by phone at 888-505-2273. For additional information on CCS, please visit www.chargecardsystems.com/gsadvisoryboard or the corporate website at www.chargecardsystems.com.