For small merchants, and really for any merchant, PCI DSS compliance can offer any number of difficulties.  For small merchants, though, lack of resources and information about the Standard can have a crippling effect on compliance.  Fortunately, there are now services like ProtectPay that can help small merchants comply with large portions of the PCI DSS with minimal resource investment.  For very small merchants, encryption and tokenization efforts can ensure that cardholder data doesn’t traverse your computer, your equipment, or your network.  (This works well for larger merchants, as well, though more integration may be necessary to ensure coverage for all payment acceptance channels.)  However, the PCI DSS does not apply only to digital data or to the transaction itself.  It applies to “hardcopy” data and to stored data, as well.  How can small merchants help maintain PCI DSS compliance for these types of data?  Here are a few tips.

1) Do not store cardholder data in spreadsheets or other computer files.

It may be tempting to store your customers’ payment information so that you can easily process a payment the next time a purchase is made.  Unfortunately, storing the data on your computer leaves you and your customers vulnerable.  If your computer is compromised, a thief could easily access that information.  Additionally, having cardholder data on your computer, particularly in an unencrypted format, is a violation of PCI DSS.  If you are storing data like that, merely losing your laptop could result in a finding of a data breach, with the attendant fines, fees, and penalties.  Many services, including ProtectPay, allow merchants to securely store customer data, without having to worry about PCI DSS compliance or data security.

2) Do not write down cardholder data, if you can avoid it.

It seems so easy.  Just write the data down and process the transaction when you get home.  However, even written cardholder data can bring companies “in scope.”  That data must be protected, just as electronic data must be.

3) Make sure that sensitive data has a secure storage location.

If you must write down data, you should make sure that you have a safe place to store it.  Leaving sensitive information on desk or otherwise out in the open can leave it vulnerable to misuse.  Large companies often have “clean desk” policies, which require that employees clear their desks of sensitive papers and ensure filing cabinets and desk drawers are locked at the end of the day.  This helps to protect company data as well as customer data.  Small merchants can also adopt this policy to help protect themselves and their customers.

4) Ensure that any data that is written down is properly disposed of when it is no longer needed.

It is a fact of business that you may be unable to completely forgo writing down card numbers.  Whatever the reason, you must ensure that once the data is no longer needed, it is destroyed or rendered unrecoverable by thieves.  “Dumpter diving,” in which a thief goes through trash trying to find personal and financial information, is a popular technique among identity thieves.  Papers that contain personal information, including credit or debit card numbers, driver’s license numbers, social security numbers and other sensitive information, should be shredded before it is placed in the bin.  Crosscut shredders are preferable, as this type of shredding makes recreating the document more difficult.

Certainly there are other practices that can also help protect small businesses, but these four steps can help significantly reduce the risk of a “hardcopy” data compromise.

Dr. Heather Mark, PhD; SVP Market Strategy

We spend a lot of time talking about what to do to prevent a breach of networks or computer systems.  This discussion has been, and continues to be, very valuable.  It is discussions like this that have allowed the payments industry to develop solutions like ProtectPay, ProPay’s secure payment solution.  ProtectPay, for instance, allows merchants to accept payment card transactions without storing, processing, or transmitting payment card data.  The benefit of such a system is tremendous.  Not only does it allow companies to significantly reduce the costs and resources necessary to achieve PCI DSS compliance, but it also reduces the risk associated with a breach.  If a merchant using a properly configured tokenization solution is breached, there is no data there to be stolen.  The merchant has only value-less tokens, not valuable cardholder data.  Unfortunately, tokenization isn’t yet universally employed.  That means that there are quite a few merchants operating today that still have cardholder data in their systems.  And while the conversation about preventing a data compromise is important, an important question still remains: What happens after the breach?

Experian and the Ponemon Institute teamed to answer that question.  The results can be found in “The Aftermath of a Data Breach.” (Registration is required to download the study.)  Of the companies studied, 45% indicated that the company lost bank or credit card information, and 60% of respondents indicated that the data that was stolen was unencrypted.  Additionally, the study found that 34% of breaches studies were the result of a “negligent insider.” This seems to support the notion of using a tokenization solution.    It should be noted that 19% of responding companies suggested that “outsourcing data” was the cause of their breach.  Most tokenization solutions do require the outsourcing of data, so how can these two findings be reconciled?  There are two important concepts that readers should keep in mind.  The first are the statistics and the second is due diligence.

The statistics are interesting.  The findings tell us that 60% of respondents lost unencrypted data.  That likely means that at least some of the outsourced providers that were cited as a cause of the breach were not securely storing the data.  Another interesting finding is that a full 50% of breaches were caused by insiders (negligent insiders 34% and malicious insiders 16%).  The other concept that one should keep in mind when reading the study is the concept of due diligence.  Outsourcing data is a big decision for any company.  It is advisable to do a significant amount of research into the potential vendor.  For example in the payments industry, companies that store, process or transmit cardholder data on behalf of a merchant is called a service provider or a data storage entity.  Regardless of the terminology, the company must be compliant with the PCI DSS and be registered with the card brands.  Ensuring that potential partners meet these requirements can substantially mitigate potential risk on behalf of the merchant.

The study is a very interesting read and has important lessons for those companies that store sensitive data.  Perhaps the most important lesson is this: If you don’t need the data, don’t store it!

Dr. Heather Mark, PhD; Sr. Vice President Market Strategy

Over the past year, the payments industry has been abuzz with news of Visa’s plan to encourage adoption of EMV technology.  While many in the payments industry have a clear understanding of what EMV is and how it might impact our business, for small merchants the term just adds on to the growing list of acronyms with which they must now be familiar.  PCI DSS, PA DSS, QSA, SAQ, and now EMV.   But what is EMV and what do small merchants need to know about it?

EMV itself is a standard begun by Europay, MasterCard International and Visa International. (Its current members are American Express, MasterCard, Visa, and JCB.)  The three companies joined together to form EMVco, whose purpose is “to manage, maintain and enhance the EMV™ Integrated Circuit Card Specifications for Payment Systems.”  In other words, the company was formed to promote the use of “smart cards.”  A “smart card” is essentially a payment card with an embedded micro-processor, or chip.  Because the chip can hold much more information than a magnetic stripe can, EMV enabled cards support multiple methods of authentication.  This ostensibly makes the process more secure for both the merchant and the consumer.   Since the chip can support dynamic and static authentication as well as online and offline authentication, the theory is that using EMV means that the risk of compromised card data being used fraudulently is significantly lower than with magnetic stripe data.  In other words, even if the data is compromised, it is less likely that it can be used to perpetrate fraudulent transactions.  As a result of its capabilities with respect to fraud prevention, Visa is strongly encouraging the US payments industry to move towards EMV.  So, what does this transition mean for merchants?

1) The requirement to comply with PCI DSS will remain - Visa’s program states that if a merchant can verify that at least 75% of its transactions are EMV, then the requirement to validate compliance with the PCI DSS can be waived.  It should be noted, though, that it is only the requirement to validate compliance that is being waived, not the obligation to comply itself.  Another important caveat to this validation waiver is that only Visa has so far extended this offer.  Merchants will still have to validate compliance as required with the other card brands.

2) EMV  does not replace data security – The use of EMV cards does not inherently provide protections against the unauthorized access or disclosure of the data itself.  Data thieves would still be able to compromise the data.  However, the utility of the data is significantly lessened as a result of the layering of authentication mechanisms employed by EMV cards.

3) Acquirers/ Processors have to transition by 2013 – As of April 1, 2013 acquirers and processors must be able to support EMV transactions.

4) Liability Shift means Acquirers likely to encourage adoption – Visa has announced plans to implement an liability shift for fraudulent purchases.  Currently, if a counterfiet purchase is made, it is largely left to the issuing bank (the bank that issued the card) to absorb.  Under the new rules, which would take effect on October1, 2015 counterfeit purchases that occur at a merchant location that has not adopted the EMV technology may become the liability of the acquiring bank.

As the deadlines come closer, the card brands will release more detail that will help guide merchants on the path to EMV.  Moving to EMV will be a challenge for an industry as fragmented as the US card processing ecosystem.  Although there will be the inevitable growing pains, though, the technology will serve to benefit all of the stakeholders – from merchant to the consumer.

Dr. Heather Mark, PhD; Sr. Vice President, Market Strategy

We often think that our personal computers or laptops are not targets of hackers.  “There is little data of value to a thief,” we might rationalize.  “They are going to be better served going after a big target – like a bank or other financial institution.”  This assumes that the only reason a computer would be hacked is for the value contained on that computer.  On the contrary, sometimes hackers or data thieves seek out computers that they can use as a launching pad for other attacks.  Of course, as long as the criminal has accessed your computer, they are likely to make use of whatever personal data may reside there, as well.  That means that creating a complex password for all of your computers – not just those that are used for business – is important.

SplashData, a company that provides mobile productivity applications, recently released a study of some of the worst passwords to use.   These passwords are the ones that are most frequently cracked.  Not surprisingly, the most frequently compromised password, is “password.”    The top 5 on the list from SplashData  is:

1. password

2. 123456

3. 12345678

4. qwerty

5. abc123

The complete list can be found here.

On this blog, we frequently discuss the importance of complex passwords – including alphanumeric characters, upper case and lower case, punctuation, and other symbols.   We also suggest that the password be changed at least every 90 days.  This will help to prevent hackers from making an easy target of your computer.

Dr. Heather Mark, PhD; SVP Market Strategy

Last week, I attended the PCI SSC Community Meeting in Scottsdale, AZ.   The meeting is held every year so that stake holders in the payments industry can get together and discuss the PCI DSS and its impacts.  Each year brings with it new guidance documents, and sometimes new standards.  This year was no exception and the standard mix of new standards and new guidance was supplemented by discussion of new technologies (perhaps new is a bit of a stretch, as one of the “new” technologies under discussion was EMV – a technology that has been around for decades).  Mobile payments and Near Field Communications (NFC) were also hot topics of discussion and reminded of one my favorite topics – weighing the adoption of technology and its attendant convenience with the protection of payment data.

I am an advocate of a careful risk analysis – there are occasions in which a new technology does introduce risk, but that risk is outweighed by the potential benefit to customers and to the business overall.  In those instances, the organization may determine that the risk is acceptable and the technology is adopted.  In other instances, an organization may determine that the benefits are far outweighed by the risks and the technology is not implemented.  The point is that careful deliberation is sought.  Unfortunately, the current state of the market (economically difficult coupled with rapid technological change) may lead some companies to adopt a new technology as a “me too” strategy.  The appearance may be that by adopting new technologies companies are showing progress and leadership, which will lead to a competitive advantage.  Many times, though, the rapid adoption of new technology without proper vetting can introduce the “unknown unknown” into the environment.

The idea of the “unknown unknown” can be nicely summed up by saying that “you don’t know what you don’t know.”  In other words, one doesn’t have enough experience or knowledge about a particular subject to speak definitively about what its potential risks might be.  The concept was famously speared after Rumsfeld made his famous “unknown unknown” speech.  While pundits and comedians alike had a good time poking fun at Rumsfeld for his use of the terms “known unknowns” and “unknown unknowns,”  he is referencing something that risk analysts and philosophers alike have discussed for years. The premise of Nassim Taleb’s  The Black Swan is largely concerned with operating in a world in which we don’t know what we don’t know.  You can mitigate the number of unknown unknowns through analysis, evaluation, and research.

One of the ways that companies can mitigate the “unknown unknown” in terms of payment security is to evaluate new technologies against the standards established by the industry.  The standards are established to counter the known risks in the payment environment.  Any time a new technology is considered, a good practice is to consider how that technology would be integrated into the existing infrastructure and evaluate that result against the standards and against data security best practices )which sometimes evolve at a faster rate than the standards do.  Certainly this will not bring to light all possible permutations of risk that might arise from the adoption of a new technology, but it will help address an organization’s compliance status and may help mitigate the risk associated with adopting a new technology.

Dr. Heather Mark, PhD; SVP Market Strategy