The Green Sheet Online Edition
July 23, 2007 • Issue 07:07:02
Data security sells
Online fraud resulting from card data breaches is a serious problem. Forrester Research estimates that data theft costs merchants about $90 to $305 per stolen record. Considering the increase in data compromises and their resultant business impact, merchants must carefully examine the rationale for storing credit card numbers internally.
As ISOs and merchant level salespeople (MLSs), you know merchants need to protect sensitive customer data.
Recent trends indicate many retailers outsource card data storage to third parties. This strategy minimizes the possibility that a security breach or data theft will damage their operations and reputations.
Also, the cost to keep computer systems secure can become too expensive and time-consuming for many companies. Herein lies the opportunity to understand merchant requirements and assess available security options.
The underlying goal is the same: to help your clients avoid creating liability. Act consultatively. And remember, the more card data your customers store internally, the greater the consequences of a breach will be.
Tips for suave sales
Following are five guidelines to assist your sales process and ensure that you suggest the best remote storage solution for each merchant.
1. Pinpoint the best possible providers
Recommend service providers and solutions that are certified compliant with the Payment Card Industry (PCI) Data Security Standard or Visa U.S.A.'s Payment Applications Best Practices (PABP).
PCI and PABP define the framework for creating an organization's information assurance standard, as well as provide specific technical guidance in key areas.
For a merchant to be considered PCI-compliant, any service providers that store, process or transmit account data on behalf of the merchant must also be compliant. Briefly, the 12 requirements of PCI are split into the following groupings:
- Build and maintain a secure network.
- Protect cardholder data.
- Maintain a vulnerability management program.
- Implement strong access control measures.
- Regularly monitor and test networks.
- Maintain an information security policy.
Merchants also need to understand their transaction processing volume because the certification/validation level is determined by total transaction volume. You can offer to work with merchants' acquirers; they determine the compliance validation levels for each merchant.
By suggesting that merchants use PCI-compliant solutions provided by security-centric companies, you will help merchants understand the importance of information assurance throughout the industry.
2. Emphasize secure data transfer
Counsel merchants to implement solutions that provide secure transfer of data from merchants to their service providers' remote PCI-certified data centers.
Commonly cited best practices include the following:
- Use of 128-bit Secure Sockets Layer (SSL) encryption to safeguard the transmission of transaction information.
- Use of strong cryptographic ciphers such as Triple DES (3DES) or the Advanced Encryption Standard (AES) to encrypt stored data.
- Strong security during both transport and storage of data, so that it is not susceptible to interception.
3. Offer multiple layers of security
Advocate solutions that offer multiple levels of authentication for accessing stored data. A robust solution should include at least three of the following methods:
- Strong user identification and password combinations.
- Geo-locating techniques, including IP address.
- Client-side certificates.
- Virtual private network tokens.
The use of multifactor authentication helps ensure that processing of sensitive data is conducted by authorized parties only.
4. Suggest platform neutrality
Direct merchants to establish relationships with vendors offering platform-neutral software design. This cost-effective measure ensures that solutions will work with any host system and lets merchants retain their business processes regardless of changes in operating systems or software applications.
5. Tailor solutions to merchants
Understand merchants' current business processes, and recommend appropriate storage options. For example, merchants primarily in the Web-commerce arena will need systems with real-time card access and transaction processing capabilities.
However, if merchants support recurring invoice payments (such as health club memberships), they may need a blend of real-time and batch data processing and data transfer capabilities.
Often, companies doing repeat billing are vulnerable to security breaches because, historically, they needed bankcard data on hand. However, with the release of new information security and storage capabilities, you can now offer such merchants superior solutions.
Aaron Bills is Chief Operating Officer and co-founder of 3Delta Systems Inc. E-mail him at firstname.lastname@example.org or visit www.3dsi.com for more information on secure data storage solutions.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.