For small merchants, and really for any merchant, PCI DSS compliance can offer any number of difficulties.  For small merchants, though, lack of resources and information about the Standard can have a crippling effect on compliance.  Fortunately, there are now services like ProtectPay that can help small merchants comply with large portions of the PCI DSS with minimal resource investment.  For very small merchants, encryption and tokenization efforts can ensure that cardholder data doesn’t traverse your computer, your equipment, or your network.  (This works well for larger merchants, as well, though more integration may be necessary to ensure coverage for all payment acceptance channels.)  However, the PCI DSS does not apply only to digital data or to the transaction itself.  It applies to “hardcopy” data and to stored data, as well.  How can small merchants help maintain PCI DSS compliance for these types of data?  Here are a few tips.

1) Do not store cardholder data in spreadsheets or other computer files.

It may be tempting to store your customers’ payment information so that you can easily process a payment the next time a purchase is made.  Unfortunately, storing the data on your computer leaves you and your customers vulnerable.  If your computer is compromised, a thief could easily access that information.  Additionally, having cardholder data on your computer, particularly in an unencrypted format, is a violation of PCI DSS.  If you are storing data like that, merely losing your laptop could result in a finding of a data breach, with the attendant fines, fees, and penalties.  Many services, including ProtectPay, allow merchants to securely store customer data, without having to worry about PCI DSS compliance or data security.

2) Do not write down cardholder data, if you can avoid it.

It seems so easy.  Just write the data down and process the transaction when you get home.  However, even written cardholder data can bring companies “in scope.”  That data must be protected, just as electronic data must be.

3) Make sure that sensitive data has a secure storage location.

If you must write down data, you should make sure that you have a safe place to store it.  Leaving sensitive information on desk or otherwise out in the open can leave it vulnerable to misuse.  Large companies often have “clean desk” policies, which require that employees clear their desks of sensitive papers and ensure filing cabinets and desk drawers are locked at the end of the day.  This helps to protect company data as well as customer data.  Small merchants can also adopt this policy to help protect themselves and their customers.

4) Ensure that any data that is written down is properly disposed of when it is no longer needed.

It is a fact of business that you may be unable to completely forgo writing down card numbers.  Whatever the reason, you must ensure that once the data is no longer needed, it is destroyed or rendered unrecoverable by thieves.  “Dumpter diving,” in which a thief goes through trash trying to find personal and financial information, is a popular technique among identity thieves.  Papers that contain personal information, including credit or debit card numbers, driver’s license numbers, social security numbers and other sensitive information, should be shredded before it is placed in the bin.  Crosscut shredders are preferable, as this type of shredding makes recreating the document more difficult.

Certainly there are other practices that can also help protect small businesses, but these four steps can help significantly reduce the risk of a “hardcopy” data compromise.

Dr. Heather Mark, PhD; SVP Market Strategy

Over the past year, the payments industry has been abuzz with news of Visa’s plan to encourage adoption of EMV technology.  While many in the payments industry have a clear understanding of what EMV is and how it might impact our business, for small merchants the term just adds on to the growing list of acronyms with which they must now be familiar.  PCI DSS, PA DSS, QSA, SAQ, and now EMV.   But what is EMV and what do small merchants need to know about it?

EMV itself is a standard begun by Europay, MasterCard International and Visa International. (Its current members are American Express, MasterCard, Visa, and JCB.)  The three companies joined together to form EMVco, whose purpose is “to manage, maintain and enhance the EMV™ Integrated Circuit Card Specifications for Payment Systems.”  In other words, the company was formed to promote the use of “smart cards.”  A “smart card” is essentially a payment card with an embedded micro-processor, or chip.  Because the chip can hold much more information than a magnetic stripe can, EMV enabled cards support multiple methods of authentication.  This ostensibly makes the process more secure for both the merchant and the consumer.   Since the chip can support dynamic and static authentication as well as online and offline authentication, the theory is that using EMV means that the risk of compromised card data being used fraudulently is significantly lower than with magnetic stripe data.  In other words, even if the data is compromised, it is less likely that it can be used to perpetrate fraudulent transactions.  As a result of its capabilities with respect to fraud prevention, Visa is strongly encouraging the US payments industry to move towards EMV.  So, what does this transition mean for merchants?

1) The requirement to comply with PCI DSS will remain - Visa’s program states that if a merchant can verify that at least 75% of its transactions are EMV, then the requirement to validate compliance with the PCI DSS can be waived.  It should be noted, though, that it is only the requirement to validate compliance that is being waived, not the obligation to comply itself.  Another important caveat to this validation waiver is that only Visa has so far extended this offer.  Merchants will still have to validate compliance as required with the other card brands.

2) EMV  does not replace data security – The use of EMV cards does not inherently provide protections against the unauthorized access or disclosure of the data itself.  Data thieves would still be able to compromise the data.  However, the utility of the data is significantly lessened as a result of the layering of authentication mechanisms employed by EMV cards.

3) Acquirers/ Processors have to transition by 2013 – As of April 1, 2013 acquirers and processors must be able to support EMV transactions.

4) Liability Shift means Acquirers likely to encourage adoption – Visa has announced plans to implement an liability shift for fraudulent purchases.  Currently, if a counterfiet purchase is made, it is largely left to the issuing bank (the bank that issued the card) to absorb.  Under the new rules, which would take effect on October1, 2015 counterfeit purchases that occur at a merchant location that has not adopted the EMV technology may become the liability of the acquiring bank.

As the deadlines come closer, the card brands will release more detail that will help guide merchants on the path to EMV.  Moving to EMV will be a challenge for an industry as fragmented as the US card processing ecosystem.  Although there will be the inevitable growing pains, though, the technology will serve to benefit all of the stakeholders – from merchant to the consumer.

Dr. Heather Mark, PhD; Sr. Vice President, Market Strategy

I saw a blog post yesterday that reminded me of complexity and confusion surrounding the relationship between PCI DSS compliance and fraud prevention.  The details of the story are less important than the central idea that the author was communicating –  the notion that merchants should rely on PCI DSS compliance for the prevention of fraud.  The idea behind PCI DSS is of course to reduce the amount of fraud by helping to protect payment data from unauthorized disclosure and use, but it should be noted that the standard is not a fraud prevention program.  It is a data security compliance program.  Understanding the difference between fraud prevention and data security will help to clarify the relationship between the PCI DSS and fraud.

Fraud is the intentional deception for personal gain.  This is a broad definition that includes social engineering as well as the misuse of financial data.  Fraud prevention, then, must be a very broad set of practices and procedures that are put in place to prohibit people from being able to misuse (in this case) payment card data.   All of the major card brands have suggestions and best practices for preventing fraud at the merchant level.  MasterCard Worldwide provides a quick reference guide to help merchants educate their staff on fraud prevention techniques.  Among the suggestions is the notion that staff should be familiar with what a card is supposed to look like.  Valid cards have a number of fraud prevention mechanisms, including embossed numbers and holograms.    (Each of the card brands can also provide a sort of “anatomy of a card” that will keep merchants and their employees current with new card designs and security mechanisms.

Data security is a subset of fraud prevention tools.  Ensuring that the data is adequately protected from unauthorized disclosure (data compromise) helps mitigate the risk of fraudulent transactions.  All of the major card brands require compliance with the PCI DSS with any entity that stores, processes, or transmits cardholder data.  This helps to prevent data thieves from perpetrating fraudulent transactions on a large scale.  Merchants should not rely on the PCI DSS to protect them from fraud schemes.  PCI DSS is designed to help companies protect payment data from thieves, not to protect merchants from fraud schemes.

Dr. Heather Mark, PhD. ; SVP, Market Strategy

Last week, I attended the PCI SSC Community Meeting in Scottsdale, AZ.   The meeting is held every year so that stake holders in the payments industry can get together and discuss the PCI DSS and its impacts.  Each year brings with it new guidance documents, and sometimes new standards.  This year was no exception and the standard mix of new standards and new guidance was supplemented by discussion of new technologies (perhaps new is a bit of a stretch, as one of the “new” technologies under discussion was EMV – a technology that has been around for decades).  Mobile payments and Near Field Communications (NFC) were also hot topics of discussion and reminded of one my favorite topics – weighing the adoption of technology and its attendant convenience with the protection of payment data.

I am an advocate of a careful risk analysis – there are occasions in which a new technology does introduce risk, but that risk is outweighed by the potential benefit to customers and to the business overall.  In those instances, the organization may determine that the risk is acceptable and the technology is adopted.  In other instances, an organization may determine that the benefits are far outweighed by the risks and the technology is not implemented.  The point is that careful deliberation is sought.  Unfortunately, the current state of the market (economically difficult coupled with rapid technological change) may lead some companies to adopt a new technology as a “me too” strategy.  The appearance may be that by adopting new technologies companies are showing progress and leadership, which will lead to a competitive advantage.  Many times, though, the rapid adoption of new technology without proper vetting can introduce the “unknown unknown” into the environment.

The idea of the “unknown unknown” can be nicely summed up by saying that “you don’t know what you don’t know.”  In other words, one doesn’t have enough experience or knowledge about a particular subject to speak definitively about what its potential risks might be.  The concept was famously speared after Rumsfeld made his famous “unknown unknown” speech.  While pundits and comedians alike had a good time poking fun at Rumsfeld for his use of the terms “known unknowns” and “unknown unknowns,”  he is referencing something that risk analysts and philosophers alike have discussed for years. The premise of Nassim Taleb’s  The Black Swan is largely concerned with operating in a world in which we don’t know what we don’t know.  You can mitigate the number of unknown unknowns through analysis, evaluation, and research.

One of the ways that companies can mitigate the “unknown unknown” in terms of payment security is to evaluate new technologies against the standards established by the industry.  The standards are established to counter the known risks in the payment environment.  Any time a new technology is considered, a good practice is to consider how that technology would be integrated into the existing infrastructure and evaluate that result against the standards and against data security best practices )which sometimes evolve at a faster rate than the standards do.  Certainly this will not bring to light all possible permutations of risk that might arise from the adoption of a new technology, but it will help address an organization’s compliance status and may help mitigate the risk associated with adopting a new technology.

Dr. Heather Mark, PhD; SVP Market Strategy

These are common eCommerce related security questions we hear from merchants.  Hopefully, this will help some merchants in their pursuit of compliance and security.

If I don’t store credit or debit card data, do I have to comply with the PCI DSS?  Yes.  The PCI DSS applies to any organization that either stores, transmits, or processes payment card data.  Simply not storing data does not relieve your company of their obligation to comply with the standard.

I use anti-virus software.  Can I still get a virus on my computer? Yes.  Anti-virus and other malicious software protection typically uses signatures to detect malicious software such as viruses.  Unfortunately, until a signature is created and your anti-virus is updated, you may still have malicious software on your system that is undetectable. 

Doesn’t a firewall prevent hackers from getting into my systems? No.  Firewalls doe not prevent all traffic from entering and exiting your network they simply restrict access to specific ports and services.  If, for example, your company has a web server, then  your firewall would need to allow port 80 (HTTP) inbound to allow people to access your website.  It has been estimated that almost 99% of exploits are specific to HTTP.

Doesn’t encryption protect my data from being stolen? Maybe.  Encryption prevents unauthorized personnel from being able to read the data.  The weakness in any encrpytion solution is that it relies upon keys to encrypt and decrypt the data.  If the keys are not adequatly protected then they can be compromised and the data can be accessed.  Also, it is is important to remember that it only prevents unauthorized people from accessing the data.  If a data thief can obtain the logon credentials of an authorized user, they can simply use those credentials to access the data.

How do data theives get into my system? Unfortunately, people often invite them in.  “Drive by” infections of malicious software are often the main vectors in which malicious software such as trojans, viruses, back doors, etc. are planted on systems.  In drive by infections a user will access an infected website while surfing the Internet and the website will infect the system.  For this reason, it is important to filter and control Internet access.

Hopefully these simple answer provide some value to those trying to understand some of the threats facing their company.