Entries tagged with “compliance”.


A major national insurance company announced this week that its network had been compromised and more than 1 million customer records were stolen. Among the data included in the breach are “people’s names and a combination of Social Security numbers, driver’s license numbers, their date of birth, and possibly marital status, gender, and occupation, as well as the names and addresses of employers.”  A company spokesperson said that there is no evidence that credit card information or medical information was involved in the breach.  Affected individuals are being notified and offered free credit monitoring services.

It is interesting to note that this is the latest compromise in which sensitive personal information was stolen, while credit card data seems not to have been involved.  A few months ago, South Carolina had a similar type of incident in which social security and banking information was compromised, while the encrypted cardholder data remained secure.  Now, I don’t have any details or knowledge of these events outside what is printed in the releases or articles, but it does leave me thinking of a very important reminder: PCI DSS only addresses cardholder data, not any other sensitive personal information.  Birth dates, routing numbers, social security numbers and other sensitive data are left out in the cold with respect to PCI DSS, though they merit just as much protection as, if not more than, cardholder data.

PCI DSS only applies to cardholder data.  It provides a baseline of protection for credit and debit card information.  Nowhere in its requirements does the PCI DSS require companies to protect social security numbers, bank routing information, birthdates or any other sensitive information.  Many companies take great pains to comply with PCI DSS and the standard has done a lot of positive things for an industry that desperately needed to implement strong security.  However, simply being PCI DSS compliant does not mean that all the sensitive data in an organization’s environment is protected.  A serious obstacle to overall security arises when companies believe that compliance with PCI DSS equates to security.

PCI DSS provides a good launching point for security initiatives.  Many of the requirements contained in the standard are best practices (if not requirements) for other types of data, as well.  It is tempting, particularly with so much focus on compliance, to focus on PCI DSS and cardholder data to the exclusion of everything else.  It’s important to remember, though, that companies have many types of data in their networks.  Companies would be well-served to conduct a data inventory and find out what they really need to keep and what they don’t.  If it is needed, then it should be adequately protected. If it is not needed, it shouldn’t be stored.  Excess data is excess liability.

When we talk about the protection of data, particularly sensitive personal information like credit card or social security numbers, we often focus on “digital data.”  By digital data, I mean the data that is stored in our networks and computers, our POS systems and other “networked” appliances.  It’s easy to lose sight of the fact that copiers, printers, and fax machines are often “networked appliances,” complete with memory.  That means that it is conceivable that when you send a fax or make a copy, that appliance retains that data in its memory.  As a result, that appliance now represents a point of vulnerability for the network.

The ability of these devices to store data should also be a consideration when looking to lease or buy previously used equipment, particularly when buying or leasing used POS equipment.  You may be introducing someone else’s liability into your secure environment.  This is where having proper policies and procedures becomes vitally important.  Merchants should have a process for evaluating the security options on the device or equipment (does it allow for overwriting or encrypting the data in memory?); security procedures should also be in place to ensure that the device memory is regularly overwritten to avoid data leakage.

The PCI DSS specifically requires that companies “Protect Stored Cardholder Data Wherever it is Stored.”  Unfortunately, as our businesses grow, that often means that our cardholder data environment grows along with it.  Information security policies and processes become more and more important.  It can also be helpful to find strategies for limiting the size of the cardholder data environment.

Recent reports indicate that small businesses tend to overlook the threat of a data security breach.  ControlScan, a company that specializes in assisting small and medium-sized businesses with PCI compliance issues, recently completed a study in cooperation with Merchant Warehouse.  The findings indicate that close to 80% of the surveyed merchants felt that they had little to no risk of a breach.  What’s more, according to ControlScan’s CEO Joan Herbig, close to half of the merchants surveyed hadn’t even heard of the PCI DSS.  These findings indicate a serious lack of communication between ISOs and Acquirers and their small merchants.

Since 2006, all organizations that store, process, or transmit cardholder data have been required to comply with the data security requirements contained within the Payment Card Industry Data Security Standard.  In fact, the Payment Card Industry Security Standards Council has even created a microsite dedicated to educating small merchants on the PCI DSS and their obligations under that standard.  The ramifications of non-compliance are many and can be overwhelming even for large merchants.  Should a breach occur, the fines, fees, and penalties can quickly add up and in many cases have put companies out of business.

This post could easily take on an alarmist tone.  Some might say that it already has.  Regardless, though, small merchants must comply with the same set of standards to which large companies are beholden.  How can one do that with comparatively limited resources?  By limiting the places in the merchant system that store, process, and transmit cardholder data.  Using a solution that processes payment card transactions with point-to-point encryption (P2PE) and tokenization can serve two objectives – making the data more secure, and reducing the burden of complying with the PCI DSS.

If you are a small merchant and you haven’t heard about PCI DSS or aren’t sure what you should do, reach out to your ISO or Acquirer.  They can explain what the standard requires and how you can achieve compliance.

This may sound like I’m beating an old drum, but I think it’s important that this point be well-discussed and well understood.  When it comes to data protection, merchants (and sometimes even processors and other payment organizations) can become fixated on PCI DSS compliance.  Compliance with the PCI DSS is important – don’t get me wrong.  Protecting cardholder data is very important.  Trust is the oil that slicks the payment rails.  Customers need to be confident that their everyday transaction isn’t going to lead to identity theft or even just card data compromise.  The industry as a whole has made tremendous progress in protecting cardholder data.  But what about the other data in our system?  Are we paying attention to that?  Maybe we are PCI DSS compliant, but are we adequately protecting Social Security Numbers?

This is a discussion that occurs frequently in conferences and workshops, but doesn’t always get communicated to the merchant level. Let’s take a quick look at some of the existing regulations and the types of data that are impacted:

Payment Data/Customer Data: PCI DSS; State PCI DSS Laws (NV, WA); State Data Security Laws (ex: MA)
Health Information: HIPAA; HITECH
Financial Information: Gramm-Leach-Bliley Act; State Data Security Laws
Company Information: Sarbanes-Oxley (Public Companies); Civil actions

Keep in mind that this is by no means an exhaustive list, but it does provide some notion of the types of data, beyond just the cardholder data, that have to be protected.  In addition to these laws, the courts are rapidly setting precedent on implied warranties between customers and merchants. In other words, in taking the data from the customer to facilitate the purchase, the merchant may have an “implied duty” to protect that data and may be held liable to customers in the case of a data breach.  This area is rapidly developing and should be carefully watched.

The point here is that while compliance with PCI DSS is important, both in terms of protecting consumers and in avoiding non-compliance penalties, companies should be aware of all the types of data in their environment.  Knowing what kind of data is being stored will help in taking the appropriate protective actions.
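A data inventory of the kind the preceding posts recommend starts with knowing which kinds of sensitive data actually sit in a data store.  The following script is an added example, not code from the original posts, and it scans constructed sample records (all values are test numbers, not real accounts) for three of the data types named above: card numbers (Luhn-checked, so a random 16-digit order id is not mistaken for a PAN), social security numbers, and ABA bank routing numbers (weighted checksum).  The mapping of each kind to a regulatory regime follows the table above; the field names, the `REGIME` table and the detection rules are this example’s own assumptions, and patterns such as birth dates are deliberately not covered because they cannot be validated by a checksum.

```python
"""Sensitive-data inventory over sample records (added example, not from the original post).

Classifies each field value as cardholder data, SSN or bank routing number
so an organization can see what it holds beyond the cardholder data that
PCI DSS covers.  All sample values below are constructed test values.
"""
import re

# Constructed sample records; no value here is a real account or person.
SAMPLE_RECORDS = [
    {"name": "A. Customer", "card": "4111 1111 1111 1111", "ssn": "123-45-6789"},
    {"name": "B. Customer", "card": "5500 0000 0000 0004", "dob": "1970-01-01"},
    {"name": "C. Customer", "routing": "123456780", "account": "000123456789"},
    {"name": "D. Customer", "order_id": "1234567890123456", "zip": "02110"},
]

# Assumed mapping of data kind -> regime, following the table in the post.
REGIME = {
    "cardholder_data": "PCI DSS",
    "ssn": "state data security laws",
    "bank_routing": "Gramm-Leach-Bliley Act / state data security laws",
}

# SSN shape with the invalid area/group/serial ranges excluded.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def aba_valid(digits: str) -> bool:
    """ABA routing number check: weights 3,7,1 repeated, sum divisible by 10."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    weights = (3, 7, 1) * 3
    return sum(w * int(d) for w, d in zip(weights, digits)) % 10 == 0


def classify(value: str):
    """Return the data kind of a single field value, or None if not sensitive."""
    value = value.strip()
    digits = re.sub(r"[\s-]", "", value)
    if SSN_RE.match(value):
        return "ssn"
    if 13 <= len(digits) <= 19 and digits.isdigit() and luhn_valid(digits):
        return "cardholder_data"
    if aba_valid(digits):
        return "bank_routing"
    return None


def inventory(records):
    """Map each data kind to the fields it appears in and the number of values seen."""
    found = {}
    for rec in records:
        for field, value in rec.items():
            kind = classify(str(value))
            if kind is None:
                continue
            entry = found.setdefault(kind, {"fields": set(), "count": 0})
            entry["fields"].add(field)
            entry["count"] += 1
    return found


def report(records):
    """One human-readable line per data kind, with the regime that applies to it."""
    lines = []
    for kind, entry in sorted(inventory(records).items()):
        fields = ", ".join(sorted(entry["fields"]))
        lines.append(f"{kind}: {entry['count']} value(s) in [{fields}]; regime: {REGIME[kind]}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_RECORDS):
        print(line)
```

Run against a real export, the interesting output is the kinds that appear in fields nobody expected (a notes column, a log table); those are the stores that are needed or not, and either protected or purged.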

“When good people…cease their vigilance and struggle, then evil men prevail.” - Pearl S. Buck

When I was learning to ride a motorcycle my instructor gave me one piece of advice that always stayed with me.  He said “keep your head on a swivel.”  In other words, while I had to make sure that I was doing everything I should be doing, I also had to make sure that I was constantly looking out for what other people may be doing.  That way I could correct my course, or at least take some action to ensure that what the other people were doing wouldn’t put me in danger.  While this is certainly good advice for riding motorcycles, it is also good advice for data security.  It may seem like a stretch, but bear with me.

In securing our customers’ payment data, we have a guideline (actually a set of fairly stringent requirements) in the form of the Payment Card Industry Data Security Standard (PCI DSS).  To learn more about these standards visit this site.  Following these guidelines ensures that we are doing what we “should” in terms of protecting the data.  But that doesn’t mean that others won’t be taking action to put you (and your data) in danger – in the form of data compromise.  That means that you have to stay vigilant for what others might be doing – “keep your head on a swivel” – to ensure that you are addressing newly identified risks and vulnerabilities that may not be addressed by the guidelines.

Recent trends indicate that small merchants are increasingly becoming targets of data thieves.  In a recent interview, Vantiv Vice President David Mattei stated, “…now we’re seeing an increase in the number of breaches in which smaller numbers of cards are compromised. Small, independent merchants are being targeted because of the ease with which fraudsters can compromise those payment systems.” That means that as small merchants, even if we are PCI DSS compliant, we must remain vigilant against potential attack.  One way to foil the fraudsters in this case is with the use of a P2P Encryption and tokenization solution. In this instance, the data is removed from the merchant system and replaced with “tokens,” or abstract representations of the cardholder data.  While merchants can still use the data to run reports, issue refunds or fight chargebacks, data thieves would find the tokens to be worthless.
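The tokenization described here, and in the earlier post on P2PE and tokenization for small merchants, can be made concrete with a small model of the three parties involved.  The code below is an added example, not code from the original posts and not any vendor’s product: the `TokenVault`, `Processor` and `MerchantSystem` classes, their methods and the constructed test card numbers are all this example’s own assumptions.  It shows the merchant keeping only a random token and the last four digits after a sale, still running a sales report and issuing a refund against the token, and a dump of the merchant’s own records containing no card number.  The P2PE half (encrypting the PAN at the terminal so the merchant software never handles it in the clear) is not modelled.

```python
"""Tokenization model: the merchant keeps tokens, the provider's vault keeps PANs.

Added example, not from the original post.  The vault is an in-memory dict
standing in for a provider-side token vault; card numbers are test values.
"""
import re
import secrets

# Any run of 13-19 digits standing alone is treated as a possible card number.
PAN_RE = re.compile(r"\b\d{13,19}\b")


class TokenVault:
    """Provider side.  After tokenization this is the only place the PAN exists."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if pan not in self._token_by_pan:
            # Random token: nothing about the PAN can be computed from it,
            # which is why a stolen token is worthless to a thief.
            token = "tok_" + secrets.token_hex(16)
            self._pan_by_token[token] = pan
            self._token_by_pan[pan] = token
        return self._token_by_pan[pan]   # repeat customer gets the same token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


class Processor:
    """Payment processor: sees the PAN at sale time, tokens for everything after."""

    def __init__(self):
        self.vault = TokenVault()
        self.ledger = []

    def sale(self, pan: str, amount: float) -> str:
        self.ledger.append(("sale", pan, amount))
        return self.vault.tokenize(pan)

    def refund(self, token: str, amount: float) -> dict:
        pan = self.vault.detokenize(token)      # only the processor de-tokenizes
        self.ledger.append(("refund", pan, amount))
        return {"status": "ok", "masked_pan": "*" * 12 + pan[-4:], "amount": amount}


class MerchantSystem:
    """Merchant side.  Stores the token and last four digits, never the PAN."""

    def __init__(self, processor: Processor):
        self.processor = processor
        self.transactions = []

    def checkout(self, pan: str, amount: float) -> str:
        token = self.processor.sale(pan, amount)
        self.transactions.append({"token": token, "last4": pan[-4:], "amount": amount})
        return token

    def refund(self, token: str, amount: float) -> dict:
        # Refunds and chargeback disputes reference the token, not the PAN.
        return self.processor.refund(token, amount)

    def sales_by_card(self) -> dict:
        """Reporting still works: totals keyed by token."""
        totals = {}
        for t in self.transactions:
            totals[t["token"]] = totals.get(t["token"], 0.0) + t["amount"]
        return totals

    def dump(self) -> str:
        """Everything an attacker who copied the merchant database would see."""
        return repr(self.transactions)


def pans_in(text: str) -> list:
    """Card-number-shaped values found in a text dump."""
    return PAN_RE.findall(text)


def demo():
    processor = Processor()
    merchant = MerchantSystem(processor)
    # Constructed test card numbers, not real accounts.
    t1 = merchant.checkout("4111111111111111", 40.00)
    merchant.checkout("4111111111111111", 10.00)     # same card, same token
    t2 = merchant.checkout("5500000000000004", 25.00)
    receipt = merchant.refund(t1, 10.00)
    return merchant, t1, t2, receipt


if __name__ == "__main__":
    merchant, t1, t2, receipt = demo()
    print("sales by token:", merchant.sales_by_card())
    print("refund receipt:", receipt)
    print("card numbers in merchant dump:", pans_in(merchant.dump()))
```

The reduction in PCI DSS scope comes from the last function: once the merchant database holds only tokens and last-four digits, the systems that store it are no longer storing cardholder data, which is exactly the shrinking of the cardholder data environment the earlier post recommends.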

The lesson in all of this is that we must remain on guard against new threats, even if we are doing everything “by the book.”  Leveraging secure technologies like tokenization can help ease the burden of compliance and render you and your customers more secure in the long run.