Entries tagged with “Risk”.


For small merchants, and really for any merchant, PCI DSS compliance can present any number of difficulties.  For small merchants, though, a lack of resources and information about the Standard can have a crippling effect on compliance.  Fortunately, there are now services like ProtectPay that can help small merchants comply with large portions of the PCI DSS with minimal resource investment.  For very small merchants, encryption and tokenization efforts can ensure that cardholder data doesn’t traverse your computer, your equipment, or your network.  (This works well for larger merchants, as well, though more integration may be necessary to ensure coverage for all payment acceptance channels.)  However, the PCI DSS does not apply only to digital data or to the transaction itself.  It applies to “hardcopy” data and to stored data, as well.  How can small merchants help maintain PCI DSS compliance for these types of data?  Here are a few tips.

1) Do not store cardholder data in spreadsheets or other computer files.

It may be tempting to store your customers’ payment information so that you can easily process a payment the next time a purchase is made.  Unfortunately, storing the data on your computer leaves you and your customers vulnerable.  If your computer is compromised, a thief could easily access that information.  Additionally, having cardholder data on your computer, particularly in an unencrypted format, is a violation of PCI DSS.  If you are storing data like that, merely losing your laptop could result in a finding of a data breach, with the attendant fines, fees, and penalties.  Many services, including ProtectPay, allow merchants to securely store customer data, without having to worry about PCI DSS compliance or data security.

2) Do not write down cardholder data, if you can avoid it.

It seems so easy.  Just write the data down and process the transaction when you get home.  However, even written cardholder data can bring companies “in scope.”  That data must be protected, just as electronic data must be.

3) Make sure that sensitive data has a secure storage location.

If you must write down data, you should make sure that you have a safe place to store it.  Leaving sensitive information on a desk or otherwise out in the open can leave it vulnerable to misuse.  Large companies often have “clean desk” policies, which require that employees clear their desks of sensitive papers and ensure filing cabinets and desk drawers are locked at the end of the day.  This helps to protect company data as well as customer data.  Small merchants can also adopt this policy to help protect themselves and their customers.

4) Ensure that any data that is written down is properly disposed of when it is no longer needed.

It is a fact of business that you may be unable to completely forgo writing down card numbers.  Whatever the reason, you must ensure that once the data is no longer needed, it is destroyed or rendered unrecoverable by thieves.  “Dumpster diving,” in which a thief goes through trash trying to find personal and financial information, is a popular technique among identity thieves.  Papers that contain personal information, including credit or debit card numbers, driver’s license numbers, social security numbers and other sensitive information, should be shredded before they are placed in the bin.  Crosscut shredders are preferable, as this type of shredding makes recreating the document more difficult.

Certainly there are other practices that can also help protect small businesses, but these four steps can help significantly reduce the risk of a “hardcopy” data compromise.

Dr. Heather Mark, PhD; SVP Market Strategy

Over the past year, the payments industry has been abuzz with news of Visa’s plan to encourage adoption of EMV technology.  While many in the payments industry have a clear understanding of what EMV is and how it might impact our business, for small merchants the term just adds to the growing list of acronyms with which they must now be familiar.  PCI DSS, PA DSS, QSA, SAQ, and now EMV.  But what is EMV and what do small merchants need to know about it?

EMV itself is a standard begun by Europay, MasterCard International and Visa International.  (Its current members are American Express, MasterCard, Visa, and JCB.)  The three companies joined together to form EMVCo, whose purpose is “to manage, maintain and enhance the EMV™ Integrated Circuit Card Specifications for Payment Systems.”  In other words, the company was formed to promote the use of “smart cards.”  A “smart card” is essentially a payment card with an embedded microprocessor, or chip.  Because the chip can hold much more information than a magnetic stripe can, EMV-enabled cards support multiple methods of authentication.  This ostensibly makes the process more secure for both the merchant and the consumer.  Since the chip can support dynamic and static authentication as well as online and offline authentication, the theory is that using EMV means that the risk of compromised card data being used fraudulently is significantly lower than with magnetic stripe data.  In other words, even if the data is compromised, it is less likely that it can be used to perpetrate fraudulent transactions.  As a result of its capabilities with respect to fraud prevention, Visa is strongly encouraging the US payments industry to move towards EMV.  So, what does this transition mean for merchants?

1) The requirement to comply with PCI DSS will remain - Visa’s program states that if a merchant can verify that at least 75% of its transactions are EMV, then the requirement to validate compliance with the PCI DSS can be waived.  It should be noted, though, that it is only the requirement to validate compliance that is being waived, not the obligation to comply itself.  Another important caveat to this validation waiver is that only Visa has so far extended this offer.  Merchants will still have to validate compliance as required with the other card brands.

2) EMV does not replace data security – The use of EMV cards does not inherently provide protections against the unauthorized access or disclosure of the data itself.  Data thieves would still be able to compromise the data.  However, the utility of the data is significantly lessened as a result of the layering of authentication mechanisms employed by EMV cards.

3) Acquirers/ Processors have to transition by 2013 – As of April 1, 2013 acquirers and processors must be able to support EMV transactions.

4) Liability Shift means Acquirers likely to encourage adoption – Visa has announced plans to implement a liability shift for fraudulent purchases.  Currently, if a counterfeit purchase is made, the loss is largely left to the issuing bank (the bank that issued the card) to absorb.  Under the new rules, which would take effect on October 1, 2015, counterfeit purchases that occur at a merchant location that has not adopted the EMV technology may become the liability of the acquiring bank.

As the deadlines come closer, the card brands will release more detail that will help guide merchants on the path to EMV.  Moving to EMV will be a challenge for an industry as fragmented as the US card processing ecosystem.  Although there will be the inevitable growing pains, the technology will serve to benefit all of the stakeholders – from merchant to consumer.

Dr. Heather Mark, PhD; Sr. Vice President, Market Strategy

I saw a blog post yesterday that reminded me of the complexity and confusion surrounding the relationship between PCI DSS compliance and fraud prevention.  The details of the story are less important than the central idea that the author was communicating – the notion that merchants should rely on PCI DSS compliance for the prevention of fraud.  The idea behind PCI DSS is of course to reduce the amount of fraud by helping to protect payment data from unauthorized disclosure and use, but it should be noted that the standard is not a fraud prevention program.  It is a data security compliance program.  Understanding the difference between fraud prevention and data security will help to clarify the relationship between the PCI DSS and fraud.

Fraud is intentional deception for personal gain.  This is a broad definition that includes social engineering as well as the misuse of financial data.  Fraud prevention, then, must be a very broad set of practices and procedures that are put in place to prohibit people from being able to misuse (in this case) payment card data.  All of the major card brands have suggestions and best practices for preventing fraud at the merchant level.  MasterCard Worldwide provides a quick reference guide to help merchants educate their staff on fraud prevention techniques.  Among the suggestions is the notion that staff should be familiar with what a card is supposed to look like.  Valid cards have a number of fraud prevention mechanisms, including embossed numbers and holograms.  (Each of the card brands can also provide a sort of “anatomy of a card” that will keep merchants and their employees current with new card designs and security mechanisms.)

Data security is a subset of fraud prevention tools.  Ensuring that the data is adequately protected from unauthorized disclosure (data compromise) helps mitigate the risk of fraudulent transactions.  All of the major card brands require compliance with the PCI DSS from any entity that stores, processes, or transmits cardholder data.  This helps to prevent data thieves from perpetrating fraudulent transactions on a large scale.  Merchants should not rely on the PCI DSS to protect them from fraud schemes.  PCI DSS is designed to help companies protect payment data from thieves, not to protect merchants from fraud schemes.

Dr. Heather Mark, PhD; SVP, Market Strategy

It’s that time of year again.  International Fraud Awareness Week, sponsored by the Association of Certified Fraud Examiners (ACFE).  The intent is to raise awareness of fraud in general, as well as trends and emerging schemes.  Payment card fraud alone is estimated to cost the United States $8.6 billion per year.  And that is a 2010 number.  Estimates for 2011 are likely to grow.  Fraud is an interesting animal.  It’s said that the only crime that costs the US economy more money is tax evasion.  While that’s probably open for debate, what is still surprising is the low level of awareness that many small business owners have regarding fraud and fraudulent schemes.  The objective of International Fraud Awareness Week is to educate all organizations, from small entrepreneurial endeavors to large enterprises, about fraud and how it can be prevented.

Some fraud prevention resources can be found here, including some things that many organizations may not have considered, such as a fraud policy.  The ACFE publishes an annual Report to the Nations on fraud.  In 2010, some of the highlights (or lowlights, depending on your perspective) included the following:

  • “Survey participants estimated that the typical organization loses 5% of its annual revenue to fraud.”  To put that into a global perspective, the ACFE estimates that to cost the world economy almost $2.9 trillion annually.
  • “Small organizations are disproportionately victimized by occupational fraud. These organizations are typically lacking in anti-fraud controls compared to their larger counterparts, which makes them particularly vulnerable to fraud.”  This statement is critically important, because many small companies think that they are “flying under the radar” when in fact, they are easy prey to professional fraudsters.
  • “Anti-fraud controls appear to help reduce the cost and duration of occupational fraud schemes.”  The implementation of fraud awareness training can be an important preventative factor in reducing losses associated with fraud.

Unfortunately, fraud is a fact of life for most businesses.  As technology has evolved, so have the manners and methods by which criminals can perpetrate fraud.  Awareness is one of the most critical prevention tools, and that awareness must be an organizational effort.  Having one person or one department responsible for the prevention of fraud is a good step, but education and awareness of the entire workforce will be critical in helping to mitigate the damage.

Dr. Heather Mark, PhD; SVP Market Strategy

We’ve written here quite a bit about the dangers of social engineering, in which thieves talk people into giving up credentials to online accounts and resources.  No hacking necessary – the thieves can, figuratively, walk right in the front door.  IT professionals are fond of saying that “people are the weak link in data security.”  So imagine the surprise when Sabina Datcu, a researcher from Bitdefender, presented the findings of her study in which 75% of her sample pool (all IT professionals and hackers) gave up their passwords and credentials to the wiles of a woman.

According to Datcu, the anonymity of the online environment provides a false sense of security, even to those who make their living on it.  “No matter what ‘side of the fence’ they are on, people will behave the same: as though the virtual environment creates a second life, entirely different from the real one — they are willing not only to accept unknown persons inside their group just based on a nice profile, but also to reveal sensitive information (about their company, themselves and other persons) after a short online conversation.”  Datcu created fake online profiles and inserted herself in online forums frequented by hackers.  In addition, she placed her profile on forums for IT professionals.  In both instances, she found there was little effort involved in convincing these individuals to turn over sensitive information.  So, if the hackers and security professionals can be duped, what can we do to protect ourselves?

The first and most important thing is to remain a little suspicious.  For most of us, if someone walked up to us on the street and asked us for our SSN and our online banking credentials, we’d be a tad skeptical (I hope more than a tad skeptical).  Why should that change because the question is being asked online rather than face to face?  My suspicion is that many of the targets of this study felt that they “knew better,” and that they wouldn’t get taken because they recognized the signs of a scam.  They were overconfident in their experience, and that may have been their downfall.

Consider skydiving as an example.  According to “Skydiving Risk,” there was an average of 33 skydiving fatalities in the US for each year between 1991 and 2000.  Most of these accidents involve experienced skydivers.  Why would that be?  In some instances, it may be an issue of complacency.  The jumper has so many jumps under his or her belt that preparation is taken for granted.  Or, as is identified in the article, the jumper may be “exceeding their own limits.”  In other words, they’ve become overconfident in their abilities and perform stunts that are beyond their capabilities.  The same might be said of the IT professionals in this study – they became complacent and overconfident in their abilities.

As for how we address social engineering, I suggest we take a page from the novice skydiver.  Now, I’m not about to go hurling myself from a perfectly good plane anytime soon, but you can bet that if I did, I would be checking, double-checking, researching and practicing to make sure that I was doing everything right.  I would ask questions of the instructor and not be embarrassed about it.  It’s my life on the line, after all.

The same philosophy holds true with social networking.  If someone’s request for information strikes you as even a little odd, ask questions.  Probe their intentions.  Research the scam (there is almost always a Wikipedia entry on a similar scam).  Maintain your vigilance.  Don’t let down your guard because you think you know this person.  Don’t be embarrassed about doing your homework.  It’s your identity on the line, after all.

Dr. Heather Mark, PhD; SVP Market Strategy