A while back, I wrote about helping my friend prepare for a PCI DSS audit and the travails we went through. We got together for coffee the other day and he was all smiles. "I got that damn PCI monkey off my back."
I should explain. He calls it something else, but plain and simple, my friend squeaks. So, when he took over a company, he decided to handle credit-card transactions directly with the bank and take care of PCI DSS compliance in-house to save money. That's when I got involved. Then he started reading about fines and what happens if a data breach results from non-compliance. For example, Visa's take:
"If a member, merchant, or service provider does not comply with the security requirements or fails to rectify a security issue, Visa may fine the responsible member."
Visa also mentions:
"To prevent fines, a member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation."
Outsourcing is not the complete answer
I had an idea of what he did, but I let him continue. "It costs more, but I decided to outsource credit-card processing."
"That's all well and good," I pointed out. "But, you're not off the hook. Remember when you were getting audited? I asked the guy about that."
He told us, "Outsourcing does not automatically guarantee compliance."
My friend came back, "Well, it's still better than doing it myself."
"Outsourcing simplifies payment card processing but does not provide automatic compliance. Don't forget to address policies and procedures for cardholder transactions and data processing. Your business must protect cardholder data when you receive it, and process chargebacks and refunds.
You must also ensure that the provider's applications and card payment terminals comply with respective PCI standards and do not store sensitive cardholder data. You should request a certificate of compliance annually from providers."
The emphasis is mine, because that is the main reason business owners get into trouble with PCI DSS compliance.
Affirmation of problem
I added more misery. I told my friend about a press release from SecurityMetrics. The organization provides independent security audits to affirm compliance with PCI DSS and a slew of other acronyms. They referenced the very problem of storing sensitive data.
SecurityMetrics has determined that over half the systems they tested store unencrypted payment card data. That's a big no-no and a violation of PCI DSS. Brad Caldwell, CEO of SecurityMetrics, points out:
"Improper storage of payment-card information puts cardholder data at risk. Our testing suggests that the problem remains surprisingly widespread even with increasing industry emphasis on the need for compliance with PCI DSS regulations.
Proactively looking for unprotected data with a tool like PANscan can help close this security gap and potentially thwart future theft incidents."
What to look for
To be honest, I didn't get it. If the process is outsourced, why is any critical data stored on the merchant's computers? Better ask the experts. So, I contacted SecurityMetrics. Jon Clark, Product Marketing Manager, took my call and was not surprised at my confusion. He mentioned store owners are in the dark as well:
"After our team finds unencrypted payment card data on computer systems, many merchants say that they didn't know they had any card data. Unfortunately this is too often the case; many merchants are simply unaware they have any unencrypted payment card data stored."
To make sure we were on the same page, I asked Mr. Clark what PCI DSS considers sensitive data. He responded:
"PCI DSS requirements do not allow unencrypted Track 1, Track 2, and Primary Account Number (PAN) data to be stored on merchant machines, information obtained from the magnetic stripe on payment cards."
Next, Mr. Clark provided the following reasons why data may be accidentally stored at the point of sale:
- Often, payment applications are not configured properly and leave data sitting around for a hacker to easily take.
- Make sure your payment application is PA DSS compliant. Sometimes non-compliant applications automatically store card data in an unencrypted manner.
- Merchants can store card data in Word or Excel files trying to streamline payments and make things convenient for their customers.
I then asked what should be done if unencrypted card data is found. Mr. Clark offered this advice:
"If merchants find unencrypted payment-card data, they should securely delete the data from their systems. If a merchant is hacked and the data is stolen by criminals, the merchant is liable and will be the one paying.
To further reduce liability, it's important to train employees not to store unencrypted payment-card data in any format."
PANscan to the rescue
Remember SecurityMetrics' CEO Mr. Caldwell mentioning PANscan earlier? Good. The name fits: it scans for the primary account number (PAN). It's a free app provided by SecurityMetrics that gives merchants the ability to scan their computers for unencrypted payment-card data. PANscan accomplishes this by:
- Searching for cardholder data on local hard drives, optical drives, and network servers.
- Triple checking results to ensure accuracy.
- Publishing a summary report upon scan completion.
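To make concrete what a scan like this does under the hood, here is an added example of my own; it is not PANscan or any SecurityMetrics code, and it is deliberately small. It covers the two data types Mr. Clark named above: it finds candidate PANs with a regular expression, confirms each with the Luhn check digit every branded card number carries (the "checking results" step that keeps phone numbers and order IDs from being reported), looks for Track 2 magnetic-stripe records, and reports only masked numbers (first six, last four) so the report itself does not become a second copy of the data. The directory tree it scans is constructed inside the script, and the card numbers in it are widely published test numbers, not real accounts. One caveat a practitioner should keep in mind: PCI DSS treats full track data as sensitive authentication data that may not be retained after authorization at all, encrypted or not, so a Track 2 hit is worse than a PAN hit.

```python
"""
Toy PAN-discovery scanner: regex candidates + Luhn check + masking.
Added example; not PANscan or any SecurityMetrics code. All sample data below is
constructed; the card numbers are widely published test numbers, not real accounts.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Candidate PAN: 13 to 19 digits, optionally grouped with spaces or dashes,
# not embedded in a longer digit run. Separators are stripped before validation.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Track 2 as encoded on the magnetic stripe:  ;PAN=YYMM SSS discretionary ?
# PCI DSS forbids retaining full track data after authorization at all,
# encrypted or not, so any hit here is a serious finding.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check-digit test; every branded card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(digits: str) -> bool:
    """Length, Luhn, and a cheap sanity filter (all-identical digits pass Luhn)."""
    return 13 <= len(digits) <= 19 and len(set(digits)) > 1 and luhn_valid(digits)


def mask(pan: str) -> str:
    """First six and last four, the most PCI DSS permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list[str]:
    """Return distinct Luhn-valid PANs (separators removed) in order of appearance."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if looks_like_pan(digits) and digits not in found:
            found.append(digits)
    return found


def find_track2(text: str) -> list[tuple[str, str]]:
    """Return (PAN, expiry YYMM) for each Track 2 record whose PAN passes Luhn."""
    return [(m.group(1), m.group(2))
            for m in TRACK2_RE.finditer(text) if luhn_valid(m.group(1))]


def scan_tree(root, max_bytes: int = 20_000_000) -> list[tuple[str, str, str]]:
    """Walk a directory; report (relative path, kind, masked PAN) for every hit."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        # Decode with errors ignored so text fragments inside binary files are
        # still scanned. Compressed containers (.xlsx, .docx, .zip) would need
        # unpacking first; this toy does not do that.
        text = path.read_text(errors="ignore")
        rel = str(path.relative_to(root))
        findings += [(rel, "PAN", mask(p)) for p in find_pans(text)]
        findings += [(rel, "TRACK2", mask(p)) for p, _exp in find_track2(text)]
    return findings


def demo() -> list[tuple[str, str, str]]:
    """Build a constructed sample tree (made-up records) and scan it."""
    root = Path(tempfile.mkdtemp(prefix="panscan_demo_"))
    (root / "orders.csv").write_text(
        "order,card,amount\n"
        "1001,4111 1111 1111 1111,19.99\n"   # Visa test number: hit
        "1002,5500-0000-0000-0004,42.00\n"   # Mastercard test number: hit
        "1003,378282246310005,7.50\n"        # Amex test number (15 digits): hit
        "1004,4111111111111112,3.00\n"       # last digit wrong, fails Luhn: skipped
        "1005,1234567890123456,1.00\n"       # fails Luhn: skipped
    )
    (root / "pos_debug.log").write_text(
        "2011-03-01 swipe ok ;4111111111111111=25121011234567890?\n"  # Track 2: hit
        "2011-03-01 invoice 00000000000000000 printed\n"              # all zeros: skipped
    )
    return scan_tree(root)


if __name__ == "__main__":
    for rel, kind, masked in demo():
        print(f"{kind:6} {masked:22} {rel}")
```

Running the script reports five findings from the constructed tree: three PANs in the order file and, in the terminal's debug log, both the PAN and the full Track 2 record that a misconfigured payment application left behind. That last case is exactly the "data sitting around" Mr. Clark describes, and it is the kind of thing a commercial scanner finds on disks the merchant believed held nothing sensitive.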
The following slide depicts the PANscan interface:
I wanted to accomplish three things with this article:
- Point out that a data breach resulting from PCI DSS non-compliance is going to be costly to the person responsible.
- Outsourcing payment-card processing is not a guarantee of PCI DSS compliance.
- It is possible to determine if unencrypted payment-card data is stored on your computers.
An important FYI
You may have noticed that fellow TechRepublic writer Jack Wallen has a new article about Intuit's GoPayment for Android phones. It is a nifty way to collect credit-card payments using a smart phone, Intuit's app, and a special card reader.
I'm hoping that after reading this article, you would do significant CYA before using this or similar payment methods. The same regulations that apply to "brick and mortar" store owners apply to those using this technology.
Meaning, the person receiving payment is ultimately responsible for safekeeping the individual's financial information gleaned from the magnetic stripe, and is subject to all fines and costs attributed to loss of that data.
I try to stay on top of PCI DSS requirements. But, it's tough. That's why I'm glad when I find applications like PANscan that help simplify the process and prevent additional hardship.
Thanks go to Jon Clark and SecurityMetrics for their app and answering my questions.
Information is my field...Writing is my passion...Coupling the two is my mission.