
CREDIT CARD SECURITY

We want to extend our personal thanks to Tim Smyth, President of Smyth Retail (smythretail.com), for allowing us to provide you with this excerpt from a newsletter they have sent to their clients. The following is good information and it should be read and acted upon.

Effective July 1, 2010, no processor will be able to process credit cards from a system that is not certified as compliant! Also, if your system is deemed vulnerable, the PCI DSC will decertify it by October 1, 2009.

The Payment Card Industry Data Security Council (PCI DSC) is making rule changes to help reduce the cost of credit card fraud (and indirectly your card processing costs). They are requiring that all companies involved in card processing provide solutions that enable retailers to better protect themselves from fraud, verified through a formal certification process. The PCI DSC requirements imposed on products and systems will significantly increase the protection of retailers from such losses and, at least for now, protect them from expensive direct compliance requirements. I believe the requirements the PCI DSC is imposing on software systems foreshadow what I expect to be increased regulations that will ultimately be imposed on retailers who want (and need) to process credit cards.

We have all heard the horror stories of retailers whose customers’ credit card information has been compromised by hackers and thieves. It should send chills up your spine to think of the damage to your reputation if your customers’ credit card numbers are stolen, and that doesn’t even consider the business-threatening lawsuits that would be sure to follow (even if you are diligent in protecting your customers’ data). When it comes to bankcard processing, the most important thing for you to understand is that you, the retailer, will be held accountable for any direct losses if your customers’ credit cards are stolen, and the resulting penalties and fees could easily destroy your business. Furthermore, if a breach occurs you will be subject to hefty fines, forensic audit costs, and recertification costs. Your liability is not just for the loss of your credit card sales but for the sum total of the credit limits of all cards you are processing (or, more directly, have on your system at the time an encroachment is detected)!

While credit card security is important for any retailer processing bankcards through Point of Sale, the security risk involves any retailer who maintains any credit card information anywhere on a computer: be it any sort of electronic list, email, Microsoft Word document or any customer profile. Technically, you are even responsible for security breaches on your computer if your own credit card number is on your computer! And as long as we are at it, you need to remember that there are other types of confidential information anyone might store on a computer that represent liability risk, such as Social Security Numbers, driver’s license numbers, and of course all the passwords used to secure not only these but your own financial information. Even if the principals of a business are personally careful and diligent with security, they are also responsible for the actions of their entire staff. If you carry any kind of Accounts Receivable, Store Credits, Gift Certificates, Gift Cards (remember that Target had their Gift Cards hacked), etc., you have additional security risks. Setting aside even malicious attacks on sensitive information, the cost of viruses and data corruption in time and direct costs alone is frustrating and expensive enough to warrant improved system security. It is safe to assume that everyone has a need for improved computer security!

If you really want to protect yourself from legal liability (and you should), you are going to have to invest at least time, and in some cases money, to better protect yourself from these thieves and the associated liability in the event your data is compromised. You are already responsible for performing an internal annual security audit, which I’ll bet you aren’t performing. Any measure you take now will help you limit your liability and, more importantly, reduce even the possibility of having your customers’ confidential data compromised. It is important to understand that security is not a one-time or annual consideration; it must be an ongoing effort. The bottom line is that you could, at great cost, do everything humanly possible to secure your business, and even if you had the resources of the National Security Administration you could still get hacked tomorrow by some new method of the ingenious idiot and be held liable. As a small business person you have to keep in mind the risk-reward factor in security. We can’t afford the best money can buy, but we don’t need to. Hackers aren’t targeting the smaller retailers like they do big companies or the NSA; in fact, hackers are first and foremost looking for low-hanging fruit. If a tiger is chasing us we don’t have to be the fastest runner, we just need to be faster than the person running next to us! You can’t afford perfect protection, but you can’t afford to ignore security.

Implementation Guide
While your service provider must make changes to your software to better secure your system, their efforts won’t help you if you don’t directly take action to implement the changes and the other security policies and controls needed to protect yourself. One of the things your system provider should be providing, as a requirement of the PCI DSC, is a detailed “Implementation Guide” that will help you better understand how to best secure your system.

Some changes you will (or should) be seeing in the near future with your system are:

* Allow you to minimize the level of cardholder information retention
* Enhanced user authentication
* Enhanced email and Internet controls
* Enhanced encryption
* Added security for remote logins and system support
* Lock down of Point of Sale to prevent unauthorized access to the Internet
* Enhanced encryption of credit card information

PCI DSS requirements:
The following summarizes the 12 general requirements of the Payment Card Industry Data Security Standard (PCI DSS) and the important requirements involved in properly protecting your network. While at this time you do not need to formally complete and submit a questionnaire, these industry guidelines should be followed when developing your network security policy: they would be required for PCI DSS compliance if your system provider had not made the changes or if you were a larger retailer, and they should be considered the benchmark for establishing a security policy that maximizes your protection from fraud. You can find a document detailing each of these requirements at pcisecuritystandards.org.

* Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

* Protect Cardholder Data
Requirement 3: Protect stored cardholder data and purge old and unnecessary cards.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.

* Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software or programs.
Requirement 6: Develop and maintain secure systems and applications.

* Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data on a business need-to-know basis.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.

* Regularly Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.

* Regularly Monitor Networks
Requirement 12: Maintain a policy that addresses information security for employees and contractors.

Summary
While these new standards sound alarming (and they should), and require your attention, they represent important security measures that all retailers should be implementing. Even if you are not processing credit cards through your Point of Sale system, these issues concern you. Unless you do not accept or even use credit cards (and you all do), you are responsible for protecting cardholder information. The costs of improving security are minimal compared to the risk associated with a security breach.

You need to implement sound security policies and work toward a fully compliant Security Policy. Not only is it in your self-interest, I suspect that the PCI DSC will continue to make further demands to ensure proper security is implemented. Of course the hope is that the changes they are imposing on all software suppliers and providers of credit card authorization services will reduce fraud and losses. What you must remember is that the wolves of the world are also taking advantage of new technologies. If your store’s system has not been compromised, it is only a matter of time!

If you do not know if your software provider is doing all that needs to be done about this issue, NOW is the time to find out!

© THE RETAIL MANAGEMENT ADVISORS, INC.