Entries tagged with “PCI”.


A major national insurance company announced this week that its network had been compromised and more than 1 million customer records were stolen. Among the data included in the breach are “people’s names and a combination of Social Security numbers, driver’s license numbers, their date of birth, and possibly marital status, gender, and occupation, as well as the names and addresses of employers.”  A company spokesperson said that there is no evidence that credit card information or medical information was involved in the breach.  Affected individuals are being notified and offered free credit monitoring services.

It is interesting to note that this is the latest compromise in which sensitive personal information was stolen while credit card data seems not to have been involved.  A few months ago, South Carolina had a similar type of incident in which Social Security and banking information was compromised, while the encrypted cardholder data remained secure.  Now, I don’t have any details or knowledge of these events outside what is printed in the releases or articles, but it does leave me thinking of a very important reminder: PCI DSS only addresses cardholder data, not any other sensitive personal information.  Birth dates, routing numbers, Social Security numbers and other sensitive data are left out in the cold with respect to PCI DSS, though they merit just as much, if not more, protection than cardholder data.

PCI DSS only applies to cardholder data.  It provides a baseline of protection for credit and debit card information.  Nowhere in its requirements does the PCI DSS require companies to protect social security numbers, bank routing information, birthdates or any other sensitive information.  Many companies take great pains to comply with PCI DSS and the standard has done a lot of positive things for an industry that desperately needed to implement strong security.  However, simply being PCI DSS compliant does not mean that all the sensitive data in an organization’s environment is protected.  A serious obstacle to overall security arises when companies believe that compliance with PCI DSS equates to security.

PCI DSS provides a good launching point for security initiatives.  Many of the requirements contained in the standards are best practices (if not requirements) for other types of data, as well.  It is tempting, particularly with so much focus on compliance, to focus on PCI DSS and cardholder data to the exclusion of everything else.  It’s important to remember, though, that companies have many types of data in their networks.  Companies would be well-served to conduct a data inventory, find out what they really need and what they don’t need to keep.  If it is needed, then it should be adequately protected. If it is not needed, it shouldn’t be stored.  Excess data is excess liability.
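As an added illustration of the data inventory suggested above (example code written for this page, not ProPay’s or the author’s), the following Python scans a set of constructed customer records for the three kinds of sensitive value the post names (card numbers, Social Security numbers, bank routing numbers) plus a birth-date field, and then reports how many records fall inside PCI DSS scope versus how many hold sensitive data that PCI DSS does not cover. It goes slightly beyond the text by running the standard Luhn and ABA checksums over candidate numbers so that stray digit strings are not counted. The record layout, field names and values are constructed; the card number is a well-known test PAN.

```python
import re
from typing import Dict, List, Set

# Constructed sample records (assumption: a flat export of a customer table).
# None describe a real person; the card number is a well-known test PAN.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"id": "1", "name": "Customer A", "card": "4111 1111 1111 1111"},
    {"id": "2", "name": "Customer B", "ssn": "123-45-6789", "dob": "1970-01-01"},
    {"id": "3", "name": "Customer C", "routing": "123456780"},
    {"id": "4", "name": "Customer D", "notes": "ref 4111 1111 1111 1112"},  # fails Luhn
]

# Only the PAN is cardholder data in the PCI DSS sense; the rest is not covered.
PCI_CATEGORIES = {"PAN"}
OTHER_SENSITIVE = {"SSN", "ROUTING", "DOB"}

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, spaces/dashes allowed
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
ROUTING_RE = re.compile(r"\b\d{9}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def aba_ok(digits: str) -> bool:
    """ABA routing number checksum (weights 3,7,1 repeating)."""
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return len(digits) == 9 and sum(int(c) * w for c, w in zip(digits, weights)) % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return digit strings that are PAN-shaped and pass the Luhn check."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def classify(record: Dict[str, str]) -> Set[str]:
    """Label one record with the sensitive data categories it contains."""
    labels: Set[str] = set()
    for key, value in record.items():
        if find_pans(value):
            labels.add("PAN")
        if SSN_RE.search(value):
            labels.add("SSN")
        if any(aba_ok(m.group()) for m in ROUTING_RE.finditer(value)):
            labels.add("ROUTING")
        if key.lower() in ("dob", "birthdate", "date_of_birth"):
            labels.add("DOB")
    return labels


def inventory(records: List[Dict[str, str]]) -> Dict[str, object]:
    """Summarise which records PCI DSS covers and which sensitive data it leaves out."""
    by_category: Dict[str, int] = {}
    pci_scope = 0
    outside_pci = 0
    for rec in records:
        labels = classify(rec)
        for label in labels:
            by_category[label] = by_category.get(label, 0) + 1
        if labels & PCI_CATEGORIES:
            pci_scope += 1
        elif labels & OTHER_SENSITIVE:
            outside_pci += 1
    return {"records": len(records), "by_category": by_category,
            "pci_scope": pci_scope, "sensitive_outside_pci": outside_pci}


if __name__ == "__main__":
    print(inventory(SAMPLE_RECORDS))
```

On the constructed records, one record is in PCI DSS scope (the card number) while two more hold Social Security, birth-date or routing data that a PCI-only programme would never look at; the fourth record’s number fails Luhn and is ignored. Real inventories would also need to cover unstructured stores and the copier and fax memories discussed below, which a table scan like this cannot see.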

When we talk about the protection of data, particularly sensitive personal information like credit card or social security numbers, we often focus on “digital data.”  By digital data, I mean data that is stored in our networks and computers, our POS systems and other “networked” appliances.  It’s easy to lose sight of the fact that copiers, printers, and fax machines are often “networked appliances,” complete with memory.  That means that it is conceivable that when you send a fax or make a copy, the appliance could retain that data in its memory.  As a result, that appliance now represents a point of vulnerability for the network.

The ability of these devices to store data should also be a consideration when looking to lease or buy previously used equipment, particularly when buying or leasing used POS equipment.  You may be introducing someone else’s liability into your secure environment.  This is where having proper policies and procedures becomes vitally important.  Merchants should have a process for evaluating the security options on the device or equipment (does it allow for overwriting or encrypting the data in memory?); security procedures should also be in place to ensure that the device memory is regularly overwritten to avoid data leakage.

The PCI DSS specifically requires that companies “Protect Stored Cardholder Data Wherever it is Stored.”  Unfortunately, as our businesses grow, that often means that our cardholder data environment grows along with it.  Information security policies and processes become more and more important.  It can also be helpful to find strategies for limiting the size of the cardholder data environment.

Recent reports indicate that small businesses tend to overlook the threat of a data security breach.  ControlScan, a company that specializes in assisting small and medium-sized businesses with PCI compliance issues, recently completed a study in cooperation with Merchant Warehouse.  The findings indicate that close to 80% of the surveyed merchants felt that they had little to no risk of a breach.  What’s more, according to ControlScan’s CEO Joan Herbig, close to half of the merchants surveyed hadn’t even heard of the PCI DSS.  These findings indicate a serious lack of communication between ISOs and Acquirers and their small merchants.

Since 2006, all organizations that store, process, or transmit cardholder data have been required to comply with the data security requirements contained within the Payment Card Industry Data Security Standard.  In fact, the Payment Card Industry Security Standards Council has even created a microsite dedicated to educating small merchants on the PCI DSS and their obligations under that standard.  The ramifications of non-compliance are many and can be overwhelming even for large merchants.  Should a breach occur, the fines, fees, and penalties can quickly add up and in many cases have put companies out of business.

This post could easily take on an alarmist tone.  Some might say that it already has.  Regardless, though, small merchants must comply with the same set of standards to which large companies are beholden.  How can one do that with comparatively limited resources?  By trying to limit the places in the merchant system that store, process, and transmit cardholder data.  Using a solution that processes payment card transactions using point-to-point encryption (P2PE) and tokenization can serve two objectives – making the data more secure, and reducing the burden of complying with the PCI DSS.
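To make the scope-reduction argument concrete, here is an added Python sketch (written for this page; not ProPay’s code and not any real processor’s API) of the tokenization half of that approach: the merchant-side store keeps only a random token and the last four digits, and later charges go through the token, so the merchant’s own records contain nothing PAN-shaped. The ProviderTokenVault class is an assumed stand-in for the processor’s service, the P2PE encryption between terminal and processor is not modelled, and the card number used is the standard Visa test PAN.

```python
import re
import secrets
from typing import Dict, Tuple

# Loose check used only to confirm the merchant side holds nothing PAN-shaped.
PAN_SHAPED = re.compile(r"\d{13,19}")


class ProviderTokenVault:
    """Stand-in for the processor's tokenization service (assumption: the real
    service sits outside the merchant's network and protects its own store;
    this in-memory dict models only the token-to-PAN mapping)."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> Tuple[str, str]:
        # A random token is not derived from the PAN, so it cannot be
        # reversed without the vault. Only the last four digits go back
        # to the merchant for receipts and display.
        token = "tok_" + secrets.token_urlsafe(16)
        self._pan_by_token[token] = pan
        return token, pan[-4:]

    def charge(self, token: str, cents: int) -> bool:
        # The processor resolves the token internally; the PAN never leaves here.
        pan = self._pan_by_token.get(token)
        return pan is not None and cents > 0


class MerchantOrders:
    """Merchant-side order store: keeps tokens and last four digits only."""

    def __init__(self, vault: ProviderTokenVault) -> None:
        self.vault = vault
        self.orders: Dict[str, Dict[str, object]] = {}

    def new_order(self, order_id: str, pan: str, cents: int) -> bool:
        # The PAN is handed to the provider once and not written anywhere
        # on the merchant side; with P2PE the terminal would have encrypted
        # it before this code ever saw it (not modelled here).
        token, last4 = self.vault.tokenize(pan)
        self.orders[order_id] = {"token": token, "last4": last4, "cents": cents}
        return self.vault.charge(token, cents)

    def recharge(self, order_id: str, cents: int) -> bool:
        """A later (e.g. recurring) charge needs only the stored token."""
        return self.vault.charge(str(self.orders[order_id]["token"]), cents)

    def pan_shaped_values(self) -> int:
        """Count stored values that look like a full PAN; should be zero."""
        return sum(
            1
            for order in self.orders.values()
            for value in order.values()
            if PAN_SHAPED.search(str(value))
        )


def demo() -> Tuple[bool, bool, int]:
    # Constructed input: the well-known Visa test PAN, not a real card.
    shop = MerchantOrders(ProviderTokenVault())
    first = shop.new_order("order-1", "4111111111111111", 1999)
    later = shop.recharge("order-1", 1999)
    return first, later, shop.pan_shaped_values()


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the merchant database, backups and logs never contain a PAN, so a compromise of them yields tokens that are useless without the processor’s vault, and the systems holding only tokens drop out of the cardholder data environment. What remains in scope is the path from the card reader to the processor, which is what P2PE is meant to cover.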

If you are a small merchant and you haven’t heard about PCI DSS or aren’t sure what you should do, reach out to your ISO or Acquirer.  They can explain what the standard requires and how you can achieve compliance.

In Customer Service, we understand that rules and regulations can be a hindrance when it comes to taking care of our valued customers. Please know that ProPay by no means wishes to make things more difficult or to be unhelpful when you contact ProPay’s Customer Service Department. However, we must follow the industry’s rules and regulations so we may continue serving you.

PCI DSS compliance is the most important set of rules and regulations in the industry. A brief overview of PCI DSS compliance as outlined by Chris Mark, ProPay’s EVP of Data Security & Compliance, states, “PCI DSS is industry standard. The Card Brands (Visa, MC, AMEX, JCB, Discover) all accept the PCI DSS as the standard for their respective security programs” (Mark, Chris, Compliance with PCI DSS…know the rules; http://blog.propay.com/index.php/page/3/). So how does this affect Customer Service’s ability to assist you? It means that as much as we want to be able to do everything we can to help, such as log in to your account to view what you see, provide “sensitive” information to help you with your account, charge credit cards for you, etc., we simply are not able to do so given the regulation from the PCI DSS. What we can do is reset your password and help you gain access to your account. We can help you find where to retrieve answers to questions that ProPay is not able to answer over the phone. We can walk you through the process of charging a credit card. We can answer your questions and help you in every way possible.

Being PCI DSS compliant means ProPay will continue serving you. Your business keeps ProPay in business, so we can continue being your credit card processor of choice. ProPay must follow rules and regulations as outlined by the industry, but we will do everything we can within those rules and regulations to assist you. We are here for our merchants and will be here for you for years to come. If you are not with ProPay, I encourage you to check out ProPay and compare us to other competitors. Please visit www.propay.com for more information.

Gary Fewkes

ProPay Customer Service Manager

I was doing some research today and was struck again at how often Privacy is “back-burnered” in the data security discussion.  There is a feeling among some that as long as industry best practice security protections are in place, privacy will take care of itself.  To my mind, it’s often the other way around – Security is a means to an end. The “end” in this case is privacy.  Security is the protection of information, while privacy is the appropriate use of information.  It is entirely possible for a company to have very good security practices and an abysmal data privacy program.  For instance, a company can ensure that its environment is PCI DSS compliant, undergo SAS 70 assessments and SOX audits, but use consumer data for marketing purposes without gaining the consumer’s consent.  In this example, while the data is appropriately protected, it is used for a purpose that the consumer did not approve.  Despite all the efforts and resources spent on data security, the data is still being used inappropriately, and it is the company itself that is perpetuating that misuse.

It is important to keep the objective in mind when creating a comprehensive data protection program.  Data Protection should encompass both security of the information and privacy of the information.  There are a number of resources available to help design and implement data protection programs.  The Federal Trade Commission offers its Fair Information Practices.  The AICPA has provided the Generally Accepted Privacy Principles to help companies create programs that incorporate international privacy standards.  For small businesses, the Better Business Bureau also offers some basic tenets on the protection of consumer privacy.

Privacy is vitally important in today’s regulatory and business environment.  Assuming that it is “covered” by data security programs can be a very dangerous assumption for any business, large or small.  Understanding how security can be leveraged to protect privacy is a crucial step in creating a comprehensive data protection program.

Heather Mark, PhD, SVP, Market Strategy