Cuomo’s Column: PCI DSS…ASAP!
By Sal Cuomo, Business Technology Consultant
If you have ever had your wallet or purse stolen (or misplaced), you are familiar with the sinking feeling of despair, and with the mental self-flagellation that convinces you of your natural-born flaws. Those of us who use or accept credit cards have even more to worry about.
It’s unfortunate that, with all of the progress technology affords us, we still have to deal with the criminals of the IT world gumming up the works.
This month another major retailer suffered a security breach of its customers’ data. In January it was reported that the bull’s-eye had been placed on yet another retailer during the busiest part of the retail season. As a business owner, regardless of size, you need to be aware of the security standards, because they affect your livelihood.
The Payment Card Industry (PCI) Data Security Standard (DSS) regulates the credit card processing industry with requirements for the secure processing of card data. PCI is not a law, but a standard of doing business agreed on by the 4 largest credit card companies.
Regardless of your size or revenue, if you have a Merchant ID these requirements pertain to your business.
These requirements are taken from the standard published by the PCI Security Standards Council in 2010.
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel
If your business can’t confirm that these requirements are being met, it’s time for a checkup from your friendly IT professional.
So you’re saying to yourself, “I’ve been in business X amount of years. If it hasn’t happened already, it won’t.”
The penalties are pretty clear, as described on pcicomplianceguide.org: “The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.”
It is important to be familiar with your merchant account agreement, which should outline your exposure.
Another concern is Heartbleed, a security bug which has affected a number of websites and major online retailers. This security flaw exposes web servers’ private keys, user cookies, and passwords. It is estimated that 17 million websites had been compromised. As a consumer, the industry’s best advice is to change your password on all websites that may store your personal or financial information.
Fortunately, it appears as if the industry took quick action and many sites that were vulnerable have been fixed. Time will tell if there has been any damage on the consumer level.