It seems almost a week cannot go by without news of a retailer being breached and credit/debit card data being stolen in the process. The expected response should be: who is doing this, and how can I prevent it from happening to me? Unfortunately, the more common response seen in the market today is, "I am too small; the cyber thieves will not target me."
It is easy to follow the train of thought: you are too small, and companies like Target or Neiman Marcus are more appealing for cyber thieves to hack into and take millions of card accounts to monetize on the black market. While it is true that major retailers provide a larger field of opportunity, those firms can sustain and survive a breach. What is not as widely reported is the total number of retailer breaches that have occurred year to date, and the sheer number of those that are small to medium market retailers rather than the big box names or mall stores that are more publicly known.
What is less known by retailers is how the payment card industry sets the PCI security standards that card-accepting businesses need to follow. So even if a retailer wants to become more secure, what does it need to do? I am often asked this by retailers, and the question typically comes from a business confused about how it needs to comply!
When you read through the news reports, opinion pieces or white papers on PCI, there is no doubt that for the common retailer it is confusing. In simple terms, the card industry came together to form the PCI Security Standards Council (PCI-SSC), which in turn created the security standards that businesses transacting card payments need to adhere to. The standards include requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. That is a mouthful, and the intent of this article is to provide some overall definition.
First, the PCI-SSC has set four merchant classification tiers, all based on the number of card transactions a merchant takes in one year.
Merchant Level: Description
Level 1: Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year, and any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
Level 2: Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year.
Level 3: Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.
To clarify the merchant levels, "e-commerce transactions" means card payment transactions communicated over internet protocol (IP). Retailers who use payment devices or POS systems that dial out for authorizations (traditional land lines) have a higher transaction count under Level 4 before graduating up to Level 2. Since many countertop card payment devices are IP based today and Point of Sale (POS) programs equally communicate via IP, if the card payment transmits via that method, the PCI Council deems it to be at the e-commerce level.
Why the greater focus on e-commerce based transactions? While the internet is an incredible tool today and extremely effective in speed and data transmission, viruses, malware and general intrusions also arrive via this communication channel. If we examine what happened at Target, the reports to date from the forensics firm auditing the breach show that a third-party vendor's system created an access point into Target's POS network, in a nutshell a backdoor into it! Through that IP connection the offshore hackers were able to reach the network and load malware onto the payment devices at the checkout lanes. So essentially, when customers swiped their cards, the malware captured the card data and transmitted it back out of the network via IP.
Now, what I have said thus far could have one's head beginning to spin, if it is not already in full orbital rotation. My intent is not to create that feeling but rather to get you to pause for a moment and take stock of your current environment! Going back to the beginning of this article, the PCI standards are meant to create a checklist of protocols you are supposed to follow in order to take stock of how you are handling card data. I will help you in this process below.
• Are you storing any card data today? Storing means on paper, or card numbers stored on a hard drive or server in your store or located somewhere else.
• Does your card payment device suppress card numbers on the receipts?
• Do the sales clerks take the customer's card, swipe it and hand it back?
• Do you store card numbers onsite in any other manner not mentioned above?
• If using a third party to store card numbers, how are they being stored, and in what manner can you call them back up for any type of billing?
• If you are using a software POS program that is integrated for payment card acceptance, are card numbers stored in that POS?
• Do you have a unique user name/password combination for your sales/counter clerks?
Certainly the questions go on, and for Level 3 and 4 merchants the PCI Council has developed what is called the Self-Assessment Questionnaire (SAQ) that covers them. Every Level 3 and 4 merchant is required to complete the SAQ annually, with Level 3 merchants also being required to have scans run of their network.
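As an added example, not code from the article or from the PCI-SSC, the merchant tier rules above and the Level 3/4 validation rule in the previous paragraph are encoded as a small Python helper; the `ip_based` flag standing in for the e-commerce channel, and the handling of counts that fall exactly on 20,000, 1M or 6M, are assumptions made here:

```python
from dataclasses import dataclass

# Thresholds taken from the merchant-level table in the article.
LEVEL1_MIN = 6_000_000   # "over 6M" Visa transactions per year
LEVEL2_MIN = 1_000_000   # "1M to 6M" Visa transactions per year
LEVEL3_MIN = 20_000      # "20,000 to 1M" Visa e-commerce transactions per year


@dataclass
class Merchant:
    name: str
    annual_visa_txns: int
    # Assumption: True when card data travels over IP (web store,
    # IP-based countertop terminal or IP-connected POS), which the
    # article says the Council treats as e-commerce; False for dial-out.
    ip_based: bool
    # Visa may place any merchant at Level 1 at its sole discretion.
    visa_designated_level1: bool = False


def merchant_level(m: Merchant) -> int:
    """Return the PCI merchant level (1-4) for a merchant.

    Assumption: a count landing exactly on 1M or 6M is treated as the
    lower (less demanding) tier; the article's table does not say which
    side those boundaries fall on.
    """
    if m.annual_visa_txns < 0:
        raise ValueError("transaction count cannot be negative")
    if m.visa_designated_level1 or m.annual_visa_txns > LEVEL1_MIN:
        return 1
    if m.annual_visa_txns > LEVEL2_MIN:
        return 2
    # Below 1M the acceptance channel decides: only IP/e-commerce traffic
    # graduates to Level 3 at 20,000 transactions; dial-out merchants
    # stay at Level 4 all the way up to 1M, then move straight to Level 2.
    if m.ip_based and m.annual_visa_txns >= LEVEL3_MIN:
        return 3
    return 4


def validation_requirements(level: int) -> dict:
    """Annual validation the article spells out for Levels 3 and 4.
    Levels 1 and 2 return None because the article does not describe
    their validation; an acquirer would define it."""
    if level == 3:
        return {"saq": True, "network_scan": True}
    if level == 4:
        return {"saq": True, "network_scan": False}
    return {"saq": None, "network_scan": None}
```

Running the checklist through this helper makes the point in the article concrete: a dial-out shop doing 900,000 transactions stays at Level 4, while an IP-connected store doing 25,000 is already Level 3 and owes both an SAQ and network scans.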
Understanding PCI is important, and making sure your business adheres to the standard is a necessity. It will not guarantee against a breach, but it certainly makes your store more secure. You take steps to protect your inventory. SSA
Joe Radest started his career in card payments in 1998 working for the industry giant First Data. During his tenure at First Data he was responsible for launching and managing a number of their bank alliances. Since FDC, Joe has worked with other notable processors: TSYS, Global Payments and Chase Paymentech. Nearly 3 years ago, Joe branched out on his own, providing complete end-to-end business process management and secured payment technology solutions, which afford business clients the ability to securely transact payments without having sensitive data touch their environment. He can be reached by phone at 770-731-0414 or by email at [email protected]