Entries tagged with “regulatory compliance”.
Sep 20 2012
In discussions with small merchants about the Payment Card Industry Data Security Standard (PCI DSS), it is clear that there is still some confusion surrounding exactly what payment acceptance channels must be in compliance with the standards. It is not uncommon to hear merchants suggest that PCI DSS only applies to online payments. That can be a very unfortunate misconception. All payment acceptance channels must be compliant with the PCI DSS. Depending on how many transactions you process annually, you may not be required to validate compliance, but being in compliance is always required – for every payment channel and every merchant.
As a small merchant, think about all of the different ways that you might take payments. You might have a customer that calls you and asks to place an order over the phone. How do you process that transaction? Do you save the card number in a spreadsheet (please don’t save the number in a spreadsheet)? Or do you enter the number in a virtual terminal so that you can securely process the payment and save the information for later use? Do you have a website through which you accept orders? Do you accept payments in a face-to-face context using a mobile payment device? Each of the ways that you accept payment must be compliant.
It’s rare to find a merchant that doesn’t require multi-channel support from their merchant service provider. It’s important to find a service provider that meets all of the needs of your business model. More importantly, merchants should seek out service providers that can support and maintain compliance for each of those channels. Merchants should ask probing questions about how the transaction is secured, how the data is stored, and how long the company has been providing compliant services. Most importantly, merchants should have a full understanding of where the liability lies in the event of a data compromise. If you’re storing numbers in a spreadsheet and your laptop gets stolen, that is considered a compromise under PCI DSS and the fines, fees and penalties can flow to you, the merchant. (You can read about Visa’s penalties here.) If you’re using a registered, compliant service provider to support your business, and you’re not storing the data yourself, the service provider has the liability for any compromise of that data.
It’s very important to understand the chain of liability when selecting a service provider, and even when selecting specific services from that provider. For more information about how PCI DSS impacts small merchants, you can check out the Payment Card Industry Security Standards Council (PCI SSC) resources for small businesses.
Sep 18 2012
This may sound like I’m beating an old drum, but I think it’s important that this point be well-discussed and well understood. When it comes to data protection, merchants (and sometimes even processors and other payment organizations) can become fixated on PCI DSS compliance. Compliance with the PCI DSS is important – don’t get me wrong. Protecting cardholder data is very important. Trust is the oil that slicks the payment rails. Customers need to be confident that their everyday transaction isn’t going to lead to identity theft or even just card data compromise. The industry as a whole has made tremendous progress in protecting cardholder data. But what about the other data in our system? Are we paying attention to that? Maybe we are PCI DSS compliant, but are we adequately protecting Social Security Numbers?
This is a discussion that occurs frequently in conferences and workshops, but doesn’t always get communicated to the merchant level. Let’s take a quick look at some of the existing regulations and the types of data that are impacted:
- Payment Data / Customer Data
- State PCI DSS Laws (NV, WA)
- State Data Security Laws (ex: MA)
- Gramm-Leach-Bliley Act
- State Data Security Laws
- Sarbanes-Oxley (Public Companies)
Keep in mind that this is by no means an exhaustive list, but it does provide some notion of the types of data, beyond just the cardholder data, that have to be protected. In addition to these laws, the courts are rapidly setting precedent on implied warranties between customers and merchants. In other words, in taking the data from the customer to facilitate the purchase, the merchant may have an “implied duty” to protect that data and may be held liable to customers in the case of a data breach. This area is rapidly developing and should be carefully watched.
The point here is that while compliance with PCI DSS is important, both in terms of protecting consumers and in avoiding non-compliance penalties, companies should be aware of all the types of data in their environment. Knowing what kind of data is being stored will help in taking the appropriate protective actions.
Aug 16 2012
When it comes to PCI DSS, it is no secret that there is a lot of confusion. Surprisingly, one of the most confusing aspects seems to be who is responsible for enforcing the standard. Is it the acquiring bank, the PCI SSC, or the card brands? Do state level governments get involved? What about federal? It’s not uncommon to hear merchants ask the question “why are you making me do this?” Here, hopefully, is an explanation that can help clear up some of the confusion.
The Payment Card Industry Data Security Standard, commonly referred to as PCI DSS, is managed by the Payment Card Industry Security Standards Council (PCI SSC or simply “the council”). The Council is responsible for creating and managing the standards, ensuring that they are disseminated appropriately, and for training and accrediting Qualified Security Assessors, or QSAs. The Council does not conduct assessments, nor does it enforce the standards. While it plays a critical role in the industry, it does not determine the consequences of non-compliance.
Acquiring banks or merchant banks are often cast in the role of the enforcer, but this is an oversimplification of the complex nature of the industry. The acquirers, just as merchants, are bound to adhere to all card brand operating regulations. Part of those rules require the banks to ensure that their merchants are also in compliance with the card brand rules, including the PCI DSS and related standards. Fines for non-compliance are passed through acquirers to the merchants. In other words, the card brands impose fines on the acquirer for non-compliant merchants. The acquirer then passes that fine on to the merchant.
Ultimately, though, it is the card brands that are responsible for the enforcement of the PCI DSS. Each of the major card brands has its own security program, with a different process for dealing with non-compliant entities and with entities that have suffered a breach. Here are the links to each of the programs.
It is important to note, though, that some states have passed laws mandating PCI DSS compliance. As of January 2010, all companies that collect or transmit payment card data in Nevada have been required to comply with the PCI DSS. Penalties for non-compliance include civil action, paying restitution and even injunction. In 2010, the state of Washington also passed a law requiring PCI DSS compliance. Minnesota has codified portions of the PCI DSS in its Plastic Card Security Act. As yet, the federal government has not passed a law along these lines, but various regulations and the charter of the FTC mean that, in the event of a breach, the federal government may be involved as well.
The best defense against these regulatory headaches is simply this – to the extent possible don’t store the data. For those that need to facilitate payments, there are solutions that would allow you to do so while minimizing the amount of data that is stored, processed, or transmitted. Merchants are well-served to investigate these solutions in order to minimize their liability, and in some cases even to reduce their costs.
Aug 2 2012
“When good people…cease their vigilance and struggle, then evil men prevail.” - Pearl S. Buck
When I was learning to ride a motorcycle my instructor gave me one piece of advice that always stayed with me. He said “keep your head on a swivel.” In other words, while I had to make sure that I was doing everything I should be doing, I also had to make sure that I was constantly looking out for what other people may be doing. That way I could correct my course, or at least take some action to ensure that what the other people were doing wouldn’t put me in danger. While this is certainly good advice for riding motorcycles, it is also good advice for data security. It may seem like a stretch, but bear with me.
In securing our customers’ payment data, we have a guideline (actually a set of fairly stringent requirements) in the form of the Payment Card Industry Data Security Standard (PCI DSS). To learn more about these standards visit this site. Following these guidelines ensures that we are doing what we “should” in terms of protecting the data. But that doesn’t mean that others won’t be taking action to put you (and your data) in danger – in the form of data compromise. That means that you have to stay vigilant for what others might be doing – “keep your head on a swivel” – to ensure that you are addressing newly identified risks and vulnerabilities that may not be addressed by the guidelines.
Recent trends indicate that small merchants are increasingly becoming targets of data thieves. In a recent interview, Vantiv Vice President David Mattei stated, “…now we’re seeing an increase in the number of breaches in which smaller numbers of cards are compromised. Small, independent merchants are being targeted because of the ease with which fraudsters can compromise those payment systems.” That means that as small merchants, even if we are PCI DSS compliant, we must remain vigilant against potential attack. One way to foil the fraudsters in this case is with the use of a point-to-point (P2P) encryption and tokenization solution. In this instance, the data is removed from the merchant system and replaced with “tokens,” or abstract representations of the cardholder data. While merchants can still use the tokens to run reports, issue refunds or fight chargebacks, data thieves would find them to be worthless.
The lesson in all of this is that we must remain on guard against new threats, even if we are doing everything “by the book.” Leveraging secure technologies like tokenization can help ease the burden of compliance and render you and your customers more secure in the long run.
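As an added illustration of the tokenization idea above (this is example code, not from the original post or any provider’s product), here is a toy flow in Python: the service provider’s vault is the only place the card number (PAN) exists, the merchant keeps a random token plus the last four digits for reports and refunds, and a Luhn-based scan confirms that nothing the merchant persisted looks like a card number. The vault, the token format and the class names are assumptions made for the example.

```python
import re
import secrets
import string

def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; every well-formed card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Defender's check: digit runs of card-number length that pass Luhn."""
    return [m for m in re.findall(r"\d{13,19}", text) if luhn_ok(m)]

class ProviderVault:
    """Assumed to live at the service provider: the only place the PAN exists."""
    def __init__(self):
        self._pans = {}               # token -> PAN, never exposed to the merchant
    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        # Random letters only: no arithmetic relation to the PAN, nothing to reverse.
        token = "tok_" + "".join(secrets.choice(string.ascii_uppercase) for _ in range(20))
        self._pans[token] = pan
        return token
    def refund(self, token: str, amount: float) -> dict:
        pan = self._pans[token]       # resolved here; only the last four go back
        return {"status": "ok", "last4": pan[-4:], "amount": amount}

class MerchantSystem:
    """What the merchant keeps: token plus last four, enough for reports and refunds."""
    def __init__(self, vault: ProviderVault):
        self.vault = vault
        self.orders = []
    def take_order(self, customer: str, pan: str, amount: float) -> str:
        token = self.vault.tokenize(pan)      # the PAN leaves the merchant here
        self.orders.append({"customer": customer, "token": token,
                            "last4": pan[-4:], "amount": amount})
        return token
    def refund_order(self, index: int) -> dict:
        order = self.orders[index]
        return self.vault.refund(order["token"], order["amount"])
    def stored_pans(self) -> list:
        """Scan everything the merchant persisted for anything resembling a PAN."""
        return find_pans(repr(self.orders))
```

Running `find_pans` over an exported spreadsheet is the same check applied to the storage practice the first post warns against.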
Jul 9 2012
Recently, a large payment processor suffered a compromise. News reports put the breach at about 1.5 million cards. Naturally, concern was raised as the cardholders and issuers braced themselves to address account cancellations, card re-issuing and other attendant activities that often result from a payment card compromise. Conversation surrounding the breach centered largely on whether or not the processor was compliant with the PCI DSS. As the investigation continues, though, news of different data types being involved in the compromise is starting to surface. Compromised data now reportedly includes social security numbers, drivers’ licenses, and banking information.
What does this teach us about the potential pitfalls of focusing solely on the protection of payment data to the exclusion of everything else? (I’m not saying this was the case in the breach discussed above, but it is a common pitfall of small merchants.) As you think about your business, consider the types of information that you store: employee information, customer data, company financial data. The exposure of this data can have devastating consequences, particularly on a small business. For example, small business bank accounts don’t always have the same level of protection as consumer accounts – if your passwords are compromised and your bank account cleaned out, you may end up with no recourse. Many states are moving towards mandating the protection of individuals’ non-public information, with serious penalties for non-compliance.
The point here is that it is not enough to achieve compliance with one set of mandates. Companies, even very small companies, often have a vast array of data that deserves protection. While complying with the PCI DSS is a positive step towards the protection of your consumers, its sole focus is the protection of cardholder data. Businesses are well-advised to examine how they are protecting any sensitive data to ensure that both the business and its employees and customers are protected.