Entries tagged with “protectpay”.


“The times are tough now, just getting tougher  - This old world is rough, it’s just getting rougher - Cover me, come on baby, cover me” – Bruce Springsteen 1984

Businesses work very hard to build their brand.  Small businesses are no different.  Establishing trust and loyalty among the customer base is essential to the longevity of any business.  Many companies focus on marketing and sales relationships to ensure that connection between customer and company continues to grow.  Social media, direct mailings, radio and tv advertising, print advertising, and data security and privacy policies all contribute to the growth of brand trust.  Wait a minute!  Did I say data security and privacy policies?  You betcha!  This is what I like to refer to as “brand security.”  Businesses spend an inordinate amount of time and money on establishing a brand that customers trust.  One of the fastest ways to lose that trust is to suffer a data security breach or to violate customer privacy.  For that reason, I often refer to data security and privacy programs as “brand cover.”

I’m going to borrow heavily, and probably poorly, from law enforcement and military actions here.  When you go into action, you generally have a forward team and then you have a team that provides “cover.”  This team keeps an eye out for threats that may not be visible or apparent to the forward team, but pose significant risk.  In the business world, one can think of your sales and marketing efforts as the forward team, while data security and privacy programs provide the cover.  Your marketing and sales efforts move the company forward and increase awareness.  Your data security and privacy programs help to mitigate unseen, and sometimes unknown, risks to your brand’s integrity.  In fact, some larger organizations, particularly not-for-profits, are more concerned about brand damage in the event of a security or privacy compromise than they are about the fines that may be associated with it.

For small businesses, implementing and enforcing data security and privacy policies can seem daunting.  The Better Business Bureau, though, has put together a primer for businesses to help them develop these programs.  If you accept debit and credit card transactions, you can look for services to help minimize how much of that sensitive payment data your business stores.  You can also undertake an inventory to see just what data you are collecting and storing and how you are protecting it.  You can also evaluate the partners that you use and how you share data with them. Understanding your data can ultimately serve as a very effective means of protecting your company, your brand, and your customers.

In discussions with small merchants about the Payment Card Industry Data Security Standard (PCI DSS), it is clear that there is still some confusion surrounding exactly what payment acceptance channels must be in compliance with the standards.  It is not uncommon to hear merchants suggest that PCI DSS only applies to online payments.  That can be a very unfortunate misconception.  All payment acceptance channels must be compliant with the PCI DSS.  Depending on how many transactions you process annually, you may not be required to validate compliance, but being in compliance is always required – for every payment channel and every merchant.

As a small merchant, think about all of the different ways that you might take payments.  You might have a customer that calls you and asks to place an order over the phone.  How do you process that transaction? Do you save the card number in a spreadsheet (please don’t save the number in a spreadsheet)?  Or do you enter the number in a virtual terminal so that you can securely process the payment and save the information for later use?  Do you have a website through which you accept orders?  Do you accept payments in a face-to-face context using a mobile payment device?  Each of the ways that you accept payment must be compliant.

It’s rare to find a merchant that doesn’t require multi-channel support from their merchant service provider.  It’s important to find a service provider that meets all of the needs of your business model.  More importantly, merchants should seek out service providers that can support and maintain compliance for each of those channels.  Merchants should ask probing questions about how the transaction is secured, how the data is stored, and how long the company has been providing compliant services.  Most importantly, merchants should have a full understanding of where the liability lies in the event of a data compromise.  If you’re storing numbers in a spreadsheet and your laptop gets stolen, that is considered a compromise under PCI DSS and the fines, fees and penalties can flow to you, the merchant.  (You can read about Visa’s penalties here.)  If you’re using a registered, compliant service provider to support your business, and you’re not storing the data yourself, the service provider has the liability for any compromise of that data.

It’s very important to understand the chain of liability when selecting a service provider, and even when selecting specific services from that provider.  For more information about how PCI DSS impacts small merchants, you can check out the Payment Card Industry Security Standards Council (PCI SSC) resources for small businesses.

This may sound like I’m beating an old drum, but I think it’s important that this point be well-discussed and well understood.  When it comes to data protection, merchants (and sometimes even processors and other payment organizations) can become fixated on PCI DSS compliance.  Compliance with the PCI DSS is important – don’t get me wrong.  Protecting cardholder data is very important.  Trust is the oil that slicks the payment rails.  Customers need to be confident that their everyday transaction isn’t going to lead to identity theft or even just card data compromise.  The industry as a whole has made tremendous progress in protecting cardholder data.  But what about the other data in our system?  Are we paying attention to that?  Maybe we are PCI DSS compliant, but are we adequately protecting Social Security Numbers?

This is a discussion that occurs frequently in conferences and workshops, but doesn’t always get communicated to the merchant level. Let’s take a quick look at some of the existing regulations and the types of data that are impacted:

Type of data              Applicable regulations
Payment / customer data   PCI DSS; state PCI DSS laws (NV, WA); state data security laws (e.g. MA)
Health information        HIPAA; HITECH
Financial information     Gramm-Leach-Bliley Act; state data security laws
Company information       Sarbanes-Oxley (public companies); civil actions

Keep in mind that this is by no means an exhaustive list, but it does provide some notion of the types of data, beyond just the cardholder data, that have to be protected.  In addition to these laws, the courts are rapidly setting precedent on implied warranties between customers and merchants.  In other words, in taking the data from the customer to facilitate the purchase, the merchant may have an “implied duty” to protect that data and may be held liable to customers in the case of a data breach.  This area is rapidly developing and should be carefully watched.

The point here is that while compliance with PCI DSS is important, both in terms of protecting consumers and in avoiding non-compliance penalties, companies should be aware of all the types of data in their environment.  Knowing what kind of data is being stored will help in taking the appropriate protective actions.

When it comes to PCI DSS there is no secret that there is a lot of confusion.  Surprisingly, one of the most confusing aspects seems to be who is responsible for enforcement of the standard.  Is it the acquiring bank, the PCI SSC, or the card brands?  Do state level governments get involved?  What about federal?  It’s not uncommon to hear merchants ask the question “why are you making me do this?”  Here, hopefully, is an explanation that can help clear up some of the confusion.

The Payment Card Industry Data Security Standard, commonly referred to as PCI DSS, is managed by the Payment Card Industry Security Standards Council (PCI SSC or simply “the council”).  The Council is responsible for working to create and manage the standards, ensuring that they are disseminated appropriately, and for training and accrediting Qualified Security Assessors, or QSAs.  The Council does not conduct assessments, nor does it enforce the standards.  While it plays a critical role in the industry, it does not determine the consequences of non-compliance.

Acquiring banks or merchant banks are often cast in the role of the enforcer, but this is an oversimplification of the complex nature of the industry.  The acquirers, just as merchants, are bound to adhere to all card brand operating regulations.  Those rules require the banks to ensure that their merchants are also in compliance with the card brand rules, including the PCI DSS and related standards.  Fines for non-compliance are passed through acquirers to the merchants.  In other words, the card brands impose fines on the acquirer for non-compliant merchants.  The acquirer then passes that fine on to the merchant.

Ultimately, though, it is the card brands that are responsible for the enforcement of the PCI DSS.  Each of the major card brands has its own security program with different processes for dealing with non-compliant entities and with entities that have suffered a breach.  Here are the links to each of the programs.

It is important to note, though, that some states have passed laws mandating PCI DSS compliance.  As of January 2010, all companies that collect or transmit payment card data in Nevada have been required to comply with the PCI DSS.  Penalties for non-compliance include civil action, paying restitution and even injunction.  In 2010, the state of Washington also passed a law requiring PCI DSS compliance.  Minnesota has codified portions of the PCI DSS in its Plastic Card Security Act.  As of yet, the federal government has not passed a law along these lines, but various regulations and the charter of the FTC mean that, in the event of a breach, the federal government may be involved as well.

The best defense against these regulatory headaches is simply this – to the extent possible don’t store the data.  For those that need to facilitate payments, there are solutions that would allow you to do so while minimizing the amount of data that is stored, processed, or transmitted.  Merchants are well-served to investigate these solutions in order to minimize their liability, and in some cases even to reduce their costs.

“When good people…cease their vigilance and struggle, then evil men prevail.” - Pearl S. Buck

When I was learning to ride a motorcycle my instructor gave me one piece of advice that always stayed with me.  He said “keep your head on a swivel.”  In other words, while I had to make sure that I was doing everything I should be doing, I also had to make sure that I was constantly looking out for what other people may be doing.  That way I could correct my course, or at least take some action to ensure that what the other people were doing wouldn’t put me in danger.  While this is certainly good advice for riding motorcycles, it is also good advice for data security.  It may seem like a stretch, but bear with me.

In securing our customers’ payment data, we have a guideline (actually a set of fairly stringent requirements) in the form of the Payment Card Industry Data Security Standards (PCI DSS).  To learn more about these standards visit this site.  Following these guidelines ensures that we are doing what we “should” in terms of protecting the data.  But that doesn’t mean that others won’t be taking action to put you (and your data) in danger – in the form of data compromise.  That means that you have to stay vigilant for what others might be doing – “keep your head on a swivel” –  to ensure that you are addressing newly identified risks and vulnerabilities that may not be addressed by the guidelines.

Recent trends indicate that small merchants are increasingly becoming targets of data thieves.  In a recent interview, Vantiv Vice President David Mattei stated, “…now we’re seeing an increase in the number of breaches in which smaller numbers of cards are compromised. Small, independent merchants are being targeted because of the ease with which fraudsters can compromise those payment systems.” That means that as small merchants, even if we are PCI DSS compliant, we must remain vigilant against potential attack.  One way to foil the fraudsters in this case is with the use of a P2P Encryption and tokenization solution. In this instance, the data is removed from the merchant system and replaced with “tokens,” or abstract representations of the cardholder data.  While merchants can still use the data to run reports, issue refunds or fight chargebacks, data thieves would find the tokens to be worthless.
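The two practical steps these posts keep returning to are taking an inventory of where card numbers actually live (the spreadsheet of phone orders being the classic offender) and then getting those numbers out of the merchant environment by replacing them with tokens. As an added example, and not code from the original posts or from any provider mentioned on them, the Python script below does both against a constructed spreadsheet export: it scans the rows for Luhn-valid card numbers, hands each one to a stand-in vault that returns an opaque token plus the last four digits, and then re-runs the scan to show that the merchant’s copy no longer contains a single PAN while reports and refunds can still be keyed off the token and last four. The sample rows, the test card numbers, and the names TokenVault, find_pans and tokenize_sheet are all assumptions of this example; a real provider’s token format and API will differ.

```python
import re
import secrets
import string

# Constructed sample: a merchant's spreadsheet export of phone orders, the kind
# of record the posts above warn against keeping. The two card numbers are
# well-known Luhn-valid test numbers, not real cards; the phone and order
# numbers are there as distractors for the scanner.
MERCHANT_SHEET = [
    {"order": "20240115001", "customer": "Alice", "phone": "555-0100",
     "card": "4111 1111 1111 1111", "amount": "19.99"},
    {"order": "20240115002", "customer": "Bob", "phone": "555-0101",
     "card": "5500000000000004", "amount": "42.00"},
]

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, the standard test for a plausible PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Inventory step: list every Luhn-valid card number, masked to the last four."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append({"line": lineno,
                             "masked": "*" * (len(digits) - 4) + digits[-4:]})
    return hits


class TokenVault:
    """Stand-in for the service provider's vault (assumed name). In a real
    deployment this mapping lives with the provider; the merchant never holds it."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> tuple:
        digits = re.sub(r"[ -]", "", pan)
        if not luhn_ok(digits):
            raise ValueError("not a plausible card number")
        # Letters only, so a token can never be mistaken for a PAN by a scanner
        # or by a thief. Real providers use their own token formats.
        token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(16))
        self._pan_by_token[token] = digits
        return token, digits[-4:]

    def detokenize(self, token: str) -> str:
        """Provider-side only: resolves a token when a refund or chargeback
        response has to be submitted to the card networks."""
        return self._pan_by_token[token]


def tokenize_sheet(vault: TokenVault, rows: list) -> list:
    """Replace the card column with a token and the last four digits."""
    out = []
    for row in rows:
        token, last4 = vault.tokenize(row["card"])
        clean = {k: v for k, v in row.items() if k != "card"}
        clean["token"] = token
        clean["last4"] = last4
        out.append(clean)
    return out


def as_csv(rows: list) -> str:
    return "\n".join(",".join(row.values()) for row in rows)


def demo() -> dict:
    """Inventory, tokenize, inventory again; returns the measurable results."""
    vault = TokenVault()
    before = find_pans(as_csv(MERCHANT_SHEET))
    tokenized = tokenize_sheet(vault, MERCHANT_SHEET)
    after = find_pans(as_csv(tokenized))
    # The merchant keeps only the token; the provider can still resolve it.
    roundtrip_ok = vault.detokenize(tokenized[1]["token"]) == "5500000000000004"
    return {"pans_before": len(before), "pans_after": len(after),
            "rows": tokenized, "roundtrip_ok": roundtrip_ok}


if __name__ == "__main__":
    result = demo()
    print("card numbers found before tokenization:", result["pans_before"])
    print("card numbers found after tokenization: ", result["pans_after"])
    for row in result["rows"]:
        print(row)
```

The scanner is deliberately conservative: it requires a Luhn-valid run of 13 to 19 digits, so phone numbers and order ids are ignored, and it reports only the last four digits so the inventory itself does not become another place where PANs are stored. Tokens are generated from letters only so a later scan (or a thief reading a stolen laptop) finds nothing that looks like a card number, which is exactly the property the post above describes when it says the tokens would be worthless to a data thief.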

The lesson in all of this is that we must remain on guard against new threats, even if we are doing everything “by the book.”  Leveraging secure technologies like tokenization can help ease the burden of compliance and render you and your customers more secure in the long run.