

An optimistic outlook may be the simplest single explanation for data security breaches.  Too often, management has the outlook of, "Yes, I know it happened to them, but it won't happen to us."  In a 2006 article for the Pittsburgh Post-Gazette, writer Sasha Romanosky wrote that "optimism bias encourages a state of denial," and those merchants who don't recognize that fact are putting their most vital information at risk.
Since data breaches continue to be an ever-increasing problem, the PCI Security Standards Council, made up of representatives from American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, has developed the PCI compliance standards: a set of principles, and requirements that support those principles, with the goal of ensuring consistent data security measures on a global basis.

What is PCI compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment for that information.  Compliance is not a federal law.  Many states do have laws requiring some level of PCI compliance.  When considering requirements of PCI compliance, keep in mind having a lock on your front door is not a law . . . it's just common sense to protect what's yours. 

Who does PCI compliance affect?
PCI compliance affects anyone with a merchant id number without regard to the number of transactions or sales volume.  Some state laws do not compel Level 4 Merchants (those completing fewer than 20,000 transactions annually) to comply; however, more and more states require notifications to customers who may have been affected when a data breach occurs.  Think of the potential harm of this type of negative publicity not to mention the civil suits sure to follow.

Requirements of PCI
Stop and think about computer security.  If you are ordering postage stamps or office supplies on your computer, you expect those vendors to have a secure method to process your credit card number and to accept and process your order.  It is only logical that you also need a secure environment (your store's computer system) from which to send that information to them.  The PCI requirements are not unusual; they are what many Americans already have in place at home for their leisure web surfing and personal email.  It is just plain common sense, like the lock on the door.

The core of the PCI DSS is a group of principles and accompanying requirements around which the specific elements of recommended security are organized. Those principles are:

Build and Maintain a Secure Network
* Install & maintain a firewall
* Do not use vendor supplied defaults for passwords and other security parameters.

Protect Cardholder Data
* Protect stored cardholder data
* Encrypt transmission of data.

Maintain a vulnerability management program
* Use and update anti-virus software
* Develop and maintain secure systems and applications

Implement Strong Access Control Measures
* Restrict access to cardholder data
* Assign a unique ID to each computer user
* Restrict physical access to cardholder data

Regularly Monitor and Test Networks
* Track and monitor access to cardholder data
* Test system security regularly

Maintain an Information Security Policy
* Maintain business policy to address security

* Finally, few people know it, but PCI DSS does mandate an annual formal risk assessment, not just the list of controls to implement! The requirement is 12.1.2.  Merchants need to check the requirements in their states and their contracts with their banks.
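The "no vendor defaults" and "unique ID per user" requirements above, combined with the password rule of thumb this article gives further down (at least 8 characters, at least 1 capital, 1 number and 1 symbol), can be enforced when an account is created. The following is an added example, not code from the article or from Retail Management Advisors; the list of default passwords is constructed for illustration, and the "password contains the user ID" check is an extra precaution beyond the article's rule.

```python
import string

# Constructed sample of vendor-default passwords to refuse. A real deployment
# would load the defaults documented for its own POS/router/back-office software.
DEFAULT_PASSWORDS = {"admin", "password", "123456", "default", "changeme", "pos"}


def password_problems(password, user_id=None):
    """Return the list of rules the password breaks; an empty list means it passes.

    Rules: length >= 8, at least one capital letter, one digit and one symbol
    (the article's rule of thumb), not a known vendor default, and (extra check,
    assumption of this example) not built from the user's own ID.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("vendor default password")
    if user_id and user_id.lower() in password.lower():
        problems.append("contains the user ID")
    return problems


def create_user(users, user_id, password):
    """Add a user to the (constructed, in-memory) user table, refusing shared IDs
    and weak passwords. Returns (ok, reasons)."""
    if user_id in users:
        return False, ["user ID already assigned; every person needs their own"]
    problems = password_problems(password, user_id)
    if problems:
        return False, problems
    users[user_id] = {"password_set": True}
    return True, []


if __name__ == "__main__":
    table = {}
    print(create_user(table, "cashier1", "admin"))      # refused: default, too short, ...
    print(create_user(table, "cashier1", "4maDame%"))   # accepted: the article's example
    print(create_user(table, "cashier1", "Other9!xy"))  # refused: ID already taken
```

The function returns reasons rather than a bare True/False so the person setting up accounts learns which rule was broken, and the user table check makes it impossible for two people to share a login.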

While this is a simplified version of the requirements, it comes down to a few simple and relatively inexpensive enhancements.

* Use a firewall and anti-virus software and keep it current.

* Set up individual user IDs and passwords for everyone who has access to your computers.  Do NOT use default passwords.  Rule of thumb from a forensic technician: passwords should be at least 8 characters, with at least 1 capital, 1 number and 1 symbol.  It need not be "p6*y3smw?" if that means nothing to you. "4maDame%" (for madam X) is fine.

* Do not keep credit card numbers (or employee social security numbers or any other private information) stored with public information in a computer's database. Before you say, "We keep those numbers in another field and no one knows it's there and it's not labeled," here's an interesting report:  "About 600,000 [XX's] customers got a shock earlier this month when they received their annual tax documents with their Social Security numbers printed on the outside of the envelope. (dated February 24, 2010)"  This could have been avoided if the social security numbers had been kept in a completely separate, restricted file.  As it was (note the past tense), a very costly mistake was made during a routine mail merge.

* Encrypt all transmissions of data and any private data stored on the computer system.  Do not keep what you do not need.

* Write down and maintain your policy for safeguarding private information, what information is collected and stored, how it's used, stored and destroyed.  Include who has access to the information and why.  Write it down.  This could help to save your business in a civil suit if it's written down and being followed as a part of routine business.

* Test your safeguards periodically.  Don't ask employees if they are following established security procedures, observe them. When major software updates occur or hardware is replaced, do a check and make sure everything is still secure.
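The mail-merge incident above, together with the "encrypt and don't keep what you don't need" and "track and monitor access" points, comes down to one design decision: private fields never live in the general customer database. The following is an added example that is not code from the article or from Retail Management Advisors; the customer records, the in-memory "restricted store" (standing in for a separately permissioned file) and the access log list are all constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample customers; the SSNs and card numbers are test values.
RAW_CUSTOMERS = [
    {"id": 1001, "name": "Pat Example", "street": "1 Main St",
     "ssn": "123-45-6789", "card": "4111111111111111"},
    {"id": 1002, "name": "Sam Sample", "street": "2 Oak Ave",
     "ssn": "987-65-4321", "card": "5500000000000004"},
]

PRIVATE_FIELDS = ("ssn", "card")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PAN_RE = re.compile(r"\b\d{13,16}\b")

# Hypothetical audit log: a list standing in for an append-only log file.
ACCESS_LOG = []


def split_records(raw):
    """Separate each record into a public part (safe for mailings and reports)
    and a restricted part kept in its own store. Only what is needed is kept:
    the full SSN (needed for tax documents) and the last four card digits."""
    public_db, restricted = [], {}
    for rec in raw:
        public_db.append({k: v for k, v in rec.items() if k not in PRIVATE_FIELDS})
        restricted[rec["id"]] = {"ssn": rec["ssn"], "card_last4": rec["card"][-4:]}
    return public_db, restricted


def mail_merge(records, template):
    """Fill an envelope template from each record. Against the public database a
    mistaken {ssn} in the template raises KeyError instead of printing on envelopes."""
    return [template.format(**rec) for rec in records]


def read_restricted(restricted, customer_id, user, purpose):
    """The only code path to private data; every read is recorded so that access
    can be tracked and reviewed later."""
    ACCESS_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "customer_id": customer_id, "purpose": purpose,
    })
    return restricted.get(customer_id)


def contains_private_data(text):
    """Output check: does a rendered document contain anything shaped like an SSN
    or a card number? Run on anything that leaves the building."""
    return bool(SSN_RE.search(text) or PAN_RE.search(text))


def check_merge(records, template):
    """'refused' if the template asks for a field the records do not carry,
    'leaked' if any rendered document contains SSN- or card-shaped data,
    otherwise 'clean'."""
    try:
        rendered = mail_merge(records, template)
    except KeyError:
        return "refused"
    if any(contains_private_data(doc) for doc in rendered):
        return "leaked"
    return "clean"


if __name__ == "__main__":
    public_db, restricted = split_records(RAW_CUSTOMERS)
    envelope = "{name}\n{street}"
    mistaken = "{name}\n{street}\nRef: {ssn}"   # the kind of slip behind the 2010 mailing
    print("unsplit records, mistaken template:", check_merge(RAW_CUSTOMERS, mistaken))
    print("public db, mistaken template:     ", check_merge(public_db, mistaken))
    print("public db, envelope template:     ", check_merge(public_db, envelope))
    print(read_restricted(restricted, 1001, user="tax-clerk", purpose="annual 1099"))
    print(ACCESS_LOG)
```

Two things are worth noting about the design. Keeping the SSN in an unlabeled extra field of the same record (the "no one knows it's there" approach) gives the "leaked" result, because any merge template can reach it; once the field is physically elsewhere, the same slip is "refused" before a single envelope is printed. And because `read_restricted` is the only way in, the access log answers "who looked at customer 1001's data, when, and why" when a breach is investigated.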

Why should you comply?
The answer is not to avoid fines, although there will be fines; the negative consequences are much greater than fines alone.  Your store's contract with your bank probably has a clause stating that any fines from the card brand will be "passed through" to you, the merchant.  If you are both non-compliant and compromised, higher fines may be imposed.  At the discretion of the card brand, you may have your designation level raised from a level 4 to a level 3 or higher, depending on the breach. Believe it or not, if compromised, this will be the least of your concerns.  Civil cases from someone looking for the "easy life" at the expense of another can be astronomical and happen every day. Don't take the chance and don't get caught in the trap.  Secure your data environment today!

Notes: This article is summarized from the massive amount of information at:

If you are interested in more information to help you plan what to do if you suffer a security breach, here is a lengthy and detailed manual assembled by VISA: