CREDIT CARD SECURITY
We want to extend our personal thanks to Tim Smyth, President of Smyth Retail (smythretail.com) for allowing us to provide you this excerpt from a newsletter they have sent to their clients. The following is good information and it should be read and acted upon.
Effective July 1, 2010, no processor will be able to process credit cards from a system that is not certified as compliant! Also, if your system is deemed vulnerable, the PCI DSC will decertify it by October 1, 2009.
The Payment Card Industry Data Security Council (PCI DSC) is making rule changes to help reduce the cost of credit card fraud (and, indirectly, your card processing costs). Through a formal certification process, they are requiring that all companies involved in card processing provide solutions that enable retailers to better protect themselves from fraud. The PCI DSC requirements imposed on products and systems will significantly increase the protection of retailers from such losses and, at least for now, protect them from expensive direct compliance requirements. I believe the requirements the PCI DSC is imposing on software systems foreshadow what I expect to be increased regulations that will ultimately be imposed on retailers who want (and need) to process credit cards.
We have all heard the horror stories of retailers whose customers’ credit card information has been compromised by hackers and thieves. It should send chills up your spine to think of the damage to your reputation if your customers’ credit card numbers are stolen, and that doesn’t even consider the business-threatening lawsuits that would be sure to follow (even if you are diligent in protecting your customers’ data). When it comes to bankcard processing, the most important thing for you to understand is that you, the retailer, will be held accountable for any direct losses if your customers’ credit cards are stolen, and the resulting penalties and fees could easily destroy your business. Furthermore, if a breach occurs you will be subject to hefty fines, forensic audit costs, and recertification costs. Your liability is not just for the loss of your credit card sales but for the sum total of the credit limits of all cards you are processing (or, more directly, have on your system at the time an intrusion is detected)!
While credit card security is important for any retailer processing bankcards through Point of Sale, the security risk extends to any retailer who keeps any credit card information anywhere on a computer: be it any sort of electronic list, email, Microsoft Word document or any customer profile. Technically, you are even responsible for security breaches on your computer if your own credit card number is on your computer! And as long as we are at it, you need to remember that there are other types of confidential information anyone might store on a computer that represent liability risk, such as Social Security Numbers, Driver’s License numbers, and of course all the passwords used to secure not only these but your own financial information. Even if the principals of a business are personally careful and diligent with security, they are also responsible for the actions of their entire staff. If you carry any kind of Accounts Receivable, Store Credits, Gift Certificates, Gift Cards (remember that Target had their Gift Cards hacked), etc., you have additional security risks. Even setting aside malicious attacks on sensitive information, the cost of viruses and data corruption, in time and direct costs alone, is frustrating and expensive enough to warrant improved system security. It is safe to assume that everyone has a need for improved computer security!
If you really want to protect yourself from legal liability (and you should), you are going to have to invest at least time, and in some cases money, to better protect yourself from these thieves and the associated liability in the event your data is compromised. You are already responsible for performing an internal annual security audit, which I’ll bet you aren’t performing. Any measure you take now will help limit your liability and, more importantly, reduce the possibility of your customers’ confidential data being compromised. It is important to understand that security is not a one-time or annual consideration; it must be an ongoing effort. The bottom line is that you could, at great cost, do everything humanly possible to secure your business, and even if you had the resources of the National Security Administration you could still get hacked tomorrow by some new method of the ingenious idiot and be held liable. As a small business person you have to keep in mind the risk-reward factor in security. We can’t afford the best money can buy, but we don’t need to. Hackers aren’t targeting the smaller retailers like they do big companies or the NSA; in fact, hackers are first and foremost looking for low-hanging fruit. If a tiger is chasing us we don’t have to be the fastest runner, we just need to be faster than the person running next to us! You can’t afford perfect protection, but you can’t afford to ignore security.
Some changes you will (or should) be seeing in the near future with your system are:
* Allowing you to minimize the amount of cardholder information your system retains
PCI DSS requirements:
* Build and Maintain a Secure Network
* Protect Cardholder Data
* Maintain a Vulnerability Management Program
* Implement Strong Access Control Measures
* Regularly Test Networks
* Regularly Monitor Networks
You need to implement sound security policies and work toward a fully compliant Security Policy. Not only is it in your self-interest, I suspect that the PCI DSC will continue to make further demands to ensure proper security is implemented. Of course the hope is that the changes they are imposing on all software suppliers and providers of credit card authorization services will reduce fraud and losses. What you must remember is that the wolves of the world are also taking advantage of new technologies. If your store’s system has not been compromised, it is only a matter of time!
If you do not know if your software provider is doing all that needs to be done about this issue, NOW is the time to find out!