Feb 13 2012
For small merchants, and really for any merchant, PCI DSS compliance can offer any number of difficulties. For small merchants, though, lack of resources and information about the Standard can have a crippling effect on compliance. Fortunately, there are now services like ProtectPay that can help small merchants comply with large portions of the PCI DSS with minimal resource investment. For very small merchants, encryption and tokenization efforts can ensure that cardholder data doesn’t traverse your computer, your equipment, or your network. (This works well for larger merchants, as well, though more integration may be necessary to ensure coverage for all payment acceptance channels.) However, the PCI DSS does not apply only to digital data or to the transaction itself. It applies to “hardcopy” data and to stored data, as well. How can small merchants help maintain PCI DSS compliance for these types of data? Here are a few tips.
1) Do not store cardholder data in spreadsheets or other computer files.
It may be tempting to store your customers’ payment information so that you can easily process a payment the next time a purchase is made. Unfortunately, storing the data on your computer leaves you and your customers vulnerable. If your computer is compromised, a thief could easily access that information. Additionally, having cardholder data on your computer, particularly in an unencrypted format, is a violation of PCI DSS. If you are storing data like that, merely losing your laptop could result in a finding of a data breach, with the attendant fines, fees, and penalties. Many services, including ProtectPay, allow merchants to securely store customer data, without having to worry about PCI DSS compliance or data security.
2) Do not write down cardholder data, if you can avoid it.
It seems so easy. Just write the data down and process the transaction when you get home. However, even written cardholder data can bring companies “in scope.” That data must be protected, just as electronic data must be.
3) Make sure that sensitive data has a secure storage location.
If you must write down data, you should make sure that you have a safe place to store it. Leaving sensitive information on desk or otherwise out in the open can leave it vulnerable to misuse. Large companies often have “clean desk” policies, which require that employees clear their desks of sensitive papers and ensure filing cabinets and desk drawers are locked at the end of the day. This helps to protect company data as well as customer data. Small merchants can also adopt this policy to help protect themselves and their customers.
4) Ensure that any data that is written down is properly disposed of when it is no longer needed.
It is a fact of business that you may be unable to completely forgo writing down card numbers. Whatever the reason, you must ensure that once the data is no longer needed, it is destroyed or rendered unrecoverable by thieves. “Dumpter diving,” in which a thief goes through trash trying to find personal and financial information, is a popular technique among identity thieves. Papers that contain personal information, including credit or debit card numbers, driver’s license numbers, social security numbers and other sensitive information, should be shredded before it is placed in the bin. Crosscut shredders are preferable, as this type of shredding makes recreating the document more difficult.
Certainly there are other practices that can also help protect small businesses, but these four steps can help significantly reduce the risk of a “hardcopy” data compromise.
Dr. Heather Mark, PhD; SVP Market Strategy