Canadian Florist Magazine
Upping Your Payment Card Security

Keeping your customers safe

Written by Michelle Brisebois
It’s every retailer’s nightmare. It’s every customer’s big fear too. In March 2007, TJX (the company that owns T.J. Maxx and Marshalls department stores in the United States) disclosed that hackers who had infiltrated its network had compromised at least 45.7 million credit and debit card numbers. From July 2005 until the intrusion was discovered in December 2006, thieves ran amok in what was touted as a secure network, and the data they got their hands on dated back as far as 2003.
New payment card security rules come into effect on July 1, 2010, and you’ll need to prepare your shop to ensure you meet the standards.

It is also believed that the hackers had access to the decryption tool for TJX’s encryption software, so PINs, card numbers and any other unique identifiers were easy for them to read. Legal documents reveal that a further 455,000 customers who returned merchandise without receipts had their driver’s license numbers stolen. This and many other breaches have prompted the card companies to band together on a common set of security standards. What they developed has implications for every retailer that takes any kind of card payment, and the date of reckoning is July 1, 2010: that is the date by which U.S. and Canadian acquirers must ensure their merchants and agents use only PA-DSS (Payment Application Data Security Standard) compliant payment applications. Protecting yourself and your customers from theft sounds harder than it is. With a little information and some well-crafted support you can make your system much more secure.

The Payment Card Industry Data Security Standard (PCI DSS), first published by the card brands in 2004 and maintained since 2006 by the PCI Security Standards Council, is the industry’s answer to this kind of catastrophe. It is a set of requirements designed to ensure that every company that processes, stores or transmits card data maintains a secure environment. Essentially, any merchant of any size that has a Merchant ID (MID) is required to comply. If your business takes any form of card payment, these standards apply to you. Don’t make the mistake of thinking that smaller businesses are immune to being targeted; in fact, they are often easy prey. Small merchants with fewer than 20,000 transactions per year represent two-thirds of all Visa transactions, and more than 99 per cent of all the merchants that accept Visa.

Many small businesses don’t realize that their POS (point of sale) systems are storing the sensitive information encoded on the magnetic stripe of consumer debit and credit cards. That full stripe data, along with the card verification code and the PIN, is exactly what a thief needs to clone a card, and PCI DSS forbids keeping any of it after a transaction has been authorized, even in encrypted form. Firewalls at small shops are weak or non-existent, and hackers can have their way with the data for months before they are detected. Typically, the card companies pick up on suspicious activity and then notify the acquiring bank, which functions as the middle man between the merchant and the card company. The merchant is often on the hook for the fraudulent transactions and possibly subject to additional fines for not being PCI compliant. These unexpected costs can add up to such a significant bill that a merchant can be snuffed out overnight.

Every merchant falls into one of four levels, with different obligations under the PCI standard. You are a level one merchant if you process more than six million card transactions a year, if you have had a security breach in the past or if your acquirer or the card brand otherwise deems you a high risk for a breach. A level one merchant must have an annual on-site assessment (normally by a Qualified Security Assessor) and quarterly network scans. Level two merchants process one million to six million payment card transactions per year; they complete an annual Self-Assessment Questionnaire (SAQ) and must have quarterly network scans performed by an independent Approved Scanning Vendor. Level three and four merchants process fewer than one million transactions per year and follow the same protocol as level two merchants. If your business does suffer a breach and you can show that you had become compliant and kept the required documentation, you could save both money in fines and your reputation with your customers. Compliance can be achieved by following five simple steps:

1) Start by downloading a copy of the Self-Assessment Questionnaire so you can see exactly which security measures will be expected of you. Copies are available on the MasterCard and Visa websites as well as at www.pcicomplianceguide.org . There are five versions of the questionnaire, and which one applies to you depends on how you accept and process cards: for example, whether all card handling is outsourced to a third party, whether you use only a standalone dial-out terminal, or whether your payment application is connected to the Internet. Merchants that store cardholder data electronically on their own systems must complete the longest version.

2) Next, arrange a vulnerability scan of your Internet-facing systems by an Approved Scanning Vendor. The scan report rates each finding on a severity scale running from “none” to “urgent”; anything ranked at severity 3 (high), 4 (critical) or 5 (urgent) is reported as a failure and must be fixed before you can pass. Make sure the vendor you call is on the approved list (see https://www.pcisecuritystandards.org/pdfs/asv_report.html on the PCI Security Standards Council website) so that you are not letting thieves into your system under the guise of compliance testing; a genuine external scan is run from the outside and needs no passwords or inside network connection from you. Submit proof of your passing scan to your acquiring bank.

3) The third step is to fix the weaknesses the scan found. If your store’s list of vulnerabilities is too long to tackle, consider moving card handling to an off-site, third-party processor such as PayPal, so that card numbers never touch your own systems. That shrinks what you have to secure, and qualifies you for the shortest questionnaire, although you remain responsible for choosing a compliant provider.

4) Next up, you may need to hire a Qualified Security Assessor or “QSA” to help you work through your list of vulnerabilities. QSAs are certified by the PCI Security Standards Council to assess compliance, and they can help you interpret the requirements and decide what to fix first.

5) The final thing you as a retailer must continue to do is to be diligent. It’s a given that these thieves won’t just roll over and give up hacking overnight because card companies, banks and retailers have decided to step up their game. As we get savvier, so will the bad guys. The best defence is a good offence, so know what cardholder information your system stores, including what your POS software, its logs and your backups keep without telling you, and if you don’t need it, get rid of it. If you do need it, guard it closely. After all, it’s not just your profitability that’s at stake, it’s your reputation.

Areas for Regular Review
  • Immediately change default passwords and other vendor defaults when installing any program or device.
  • Remove or disable parts of programs that you do not need.
  • Do not store unnecessary cardholder data, and never store full magnetic stripe data, card verification codes or PINs after a transaction is authorized.
  • Check security bulletins for SQL injection and other vulnerability warnings before installing a new program.
  • Keep software up to date with all patches and upgrades.
  • Turn on activity logging for your online store and payment systems.
  • Review log files for activity that you did not authorize.
  • Do regular vulnerability scans, even if you are not required to.
  • Use a firewall, and strong encryption for card data sent over public networks.
  • Use and keep up to date anti-virus, anti-spyware and anti-adware programs.
  • Create an information security policy for employees and contractors.
  • Shred paper documents containing credit card information.
(Source: www.ecommerce-guide.com )
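The review items above, together with the advice to know what your system stores, amount to one concrete check a shop can run on its own: search exported POS logs, reports and backups for stored card data. The Python script below is an added example, not code from the magazine, from any POS vendor or from the PCI Security Standards Council. It runs on constructed log lines embedded in the script and uses the card brands’ published test numbers (4111 1111 1111 1111 and similar), not real cards. It looks for magnetic-stripe track data and for bare 13 to 19 digit numbers, keeps only those that pass the Luhn checksum every card number satisfies (so order numbers are ignored), and reports them masked to the first six and last four digits, which is the most PCI DSS permits to be displayed.

```python
import re
from dataclasses import dataclass
from typing import List

# Bare PAN: 13 to 19 digits, optionally split by single spaces or dashes,
# not butted up against other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Magnetic-stripe track 1 (%B<PAN>^<NAME>^<YYMM>...?) and track 2 (;<PAN>=<YYMM>...?).
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by all major card brands; filters out order IDs etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits, the most PCI DSS permits to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str      # "track1", "track2" or "pan"
    masked: str    # never the full PAN: the report itself must not become a breach


def scan_text(text: str) -> List[Finding]:
    """Report each distinct Luhn-valid card number per line, masked."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        seen = set()
        # Track data first: it is the most serious thing to find, and its PAN
        # would otherwise be reported a second time by the bare-number pass.
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                pan = m.group(1)
                if luhn_ok(pan) and pan not in seen:
                    findings.append(Finding(line_no, kind, mask_pan(pan)))
                    seen.add(pan)
        for m in PAN_RE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(pan) and pan not in seen:
                findings.append(Finding(line_no, "pan", mask_pan(pan)))
                seen.add(pan)
    return findings


# Constructed sample of a chatty POS log (not a real log). Card numbers are the
# brands' published test numbers; the order numbers are 16 digits on purpose.
SAMPLE_LOG = """\
2010-06-30 09:15:02 SALE approved order=1234567812345678 amount=42.50 card=411111******1111
2010-06-30 09:16:44 DEBUG swipe raw=%B4111111111111111^DOE/JANE^25121010000000000000?
2010-06-30 09:16:44 DEBUG swipe raw=;5500000000000004=25121010000000000000?
2010-06-30 09:20:10 MANUAL keyed pan 3782 822463 10005 exp 12/25
2010-06-30 09:21:33 SALE approved order=1234567812345679 amount=18.00 card=550000******0004
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.masked}")
```

Run it against exported log, report and backup files rather than the live database. Any "track1" or "track2" finding means the system is keeping full stripe data that must never be retained after authorization, and a "pan" finding means card numbers are being written somewhere they should not be, which is what the first line (a 16-digit order number, correctly ignored) and the last line (a masked number, also ignored) are there to contrast with. The scanner is a first pass, not proof of absence: it cannot see into encrypted or compressed files, and a card number printed directly against other digits is deliberately skipped to keep false positives down.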