Last week ProPay organized a webinar to help businesses that accept credit cards understand the obligations they have, both to their customers and under industry rules, to ensure their customers' credit card information is not compromised.
The webinar (get more information about it here) helped the attendees understand that criminals are not just going after "big businesses"; they are probing for any vulnerability they can find in order to steal credit card (and other) information that they can then turn into money. It all boils down to theft.
The criminals targeting your business are well funded, very well organized and experts.
Another thing you MUST keep in mind is that if you accept credit card data you must be compliant with the credit card companies' guidelines. This is referred to as Payment Card Industry (PCI) compliance. You can find a lot of information at the PCI Security Standards Council website.
Of course one option is to NOT store credit card information. You might ask how that is possible. One solution is to use a product or service that serves as an intermediary: it encrypts the credit card information and sends the data to a third party for storage, so it never sits on your own systems. ProPay offers this type of solution.
Dr. Tim Cranny, CEO of Panoptic Security, gives some useful tips on how you can improve your security and meet PCI compliance.
Don’t ignore it, even if you think you’re too small to be affected
PCI applies to every merchant, no matter how small, who accepts credit cards or debit cards branded by Visa, MasterCard, Discover, American Express, or any of the other major card brands. Smaller merchants have a lighter paperwork burden than large organizations, but failure to comply can, and does, lead to legal and financial risk, up to and including the risk of having their card-processing privileges revoked, leaving them unable to accept customer payment cards.
Know your obligations
PCI is a highly technical and broad-ranging set of security requirements, covering everything from how you configure and manage your computers to how you train and manage your staff. The best place to start for smaller merchants is to look at the official Self-Assessment Questionnaires created by the PCI council (https://www.pcisecuritystandards.org/saq/index.shtml). These don’t cover everything you need to know, but do give you a quick sense of what you need to do, and what to worry about most.
Know your real goal (security, not compliance)
At the end of the day, PCI is all about helping merchants protect their customers, so you shouldn’t be looking to do the bare minimum or just “tick the boxes”. Merchants who concentrate on their customers’ safety will have a better business, less risk, and will find that PCI success comes almost as a painless symptom of doing the right thing.
It is critical that merchants don't wait until something goes wrong and then try to react. Doing so never works with security issues, and often leads to expensive disasters. The right approach is to think about these problems in advance, and put together a working solution before disaster strikes.
The key to handling PCI and other security issues cheaply and efficiently is to avoid problems, not conquer them. The next few tips explain this in more detail.
Limit the scope
PCI is only concerned about computers, people, and systems that might deal with cardholder data such as credit card numbers. If you separate your world into an “affected by PCI” zone and a “not affected by PCI” zone, you can simplify your life dramatically by keeping the PCI zone small and simple. Every computer or piece of software you add to the PCI zone means more paperwork, more danger, and more expense.
Don’t store cardholder data unless you absolutely have to
The single biggest and messiest area of PCI has to do with any cardholder records that you store electronically. The best and cheapest answer is to simply NOT keep any such records: then you get a simple automatic pass on lots of very tough questions, and your business is significantly safer.
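The intermediary approach mentioned earlier and the "don't store it" tip above are easier to see in code. This added example is not from ProPay or Panoptic Security: it uses a hypothetical FakeVault class standing in for a third-party tokenization service, shows the record a merchant would keep (token and last four digits, never the full card number), and includes the check a merchant can run over its own databases, logs and exports to confirm that card-number-like values have not crept into the "PCI zone".

```python
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every real card number passes it, most random digit strings fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Runs of 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer number.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return card-number-like values found in text (length 13-19 and Luhn-valid).
    Run this over stored records, logs and exports: any hit means that data is in PCI scope."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


class FakeVault:
    """Hypothetical stand-in for the third-party storage service the post describes.
    The merchant keeps only the token handed back; the card number stays on the provider's side."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        self._pan_by_token[token] = pan
        return token


def store_payment(vault, pan: str, amount_cents: int) -> dict:
    """The record the merchant keeps: token and last four digits, never the full card number."""
    digits = re.sub(r"[ -]", "", pan)
    if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
        raise ValueError("not a well-formed card number")
    return {"token": vault.tokenize(digits), "last4": digits[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    # Constructed sample input: the well-known 4111... test number, not a real card.
    print(store_payment(FakeVault(), "4111 1111 1111 1111", 1999))
    print(find_pans("order 17 card 4111-1111-1111-1111 approved"))  # constructed log line
```

The record printed first contains no card number, so the merchant's database stays out of scope; the constructed log line is flagged because it does contain one, which is exactly the kind of leak that drags a system into the PCI zone.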
Don’t use unnecessary technology
Every new piece of technology that you introduce into the ‘PCI zone’ makes your life more complicated and risky. For example, wireless computer networking is convenient for many people, but if you use it in a way that overlaps with PCI, you have to worry about a number of highly technical questions about encryption, device configuration, key management, and so on. It is often much simpler and safer to keep new technologies like wireless completely separated from anything to do with cardholder data.
No silver bullets
PCI is turning into big business, and that means that many companies are making extravagant promises about how their solution will make all your PCI worries go away. There are many products that can help you, but don’t get fooled into believing that there’s a “silver bullet” that will kill all your problems. PCI is complicated and demanding, so don’t get fooled by snake-oil salesmen.
It never goes away
Unfortunately, security is like physical fitness: you have to keep working on it all the time, rather than just doing a 'special project' once a year and then forgetting about it until next year. The right approach is to make it a small, but steady, part of your everyday routine.