If you read about the recent Congressional PCI hearings, you know just being PCI compliant doesn’t equal security. PCI compliance is only a point-in-time measurement.
So…what’s a small- or medium-sized merchant to do?
After all, the PCI compliance process can be challenging enough. But now, it’s become crystal clear that retailers, even the smallest of ones, have to make sure they’re going above and beyond what the credit card companies mandate.
Remember the Hannaford Bros. breach last year? Hannaford was certified PCI compliant by a third-party assessor—one day after the grocer was notified of massive system intrusions that had occurred months prior. The likely cause? The hackers’ malware intercepted data from the cards’ magnetic stripes as they were swiped by customers.
That doesn’t mean PCI compliance is worthless. Not by a long shot. In fact, Visa maintains that no company suffering a breach has been proven to be PCI compliant at the time of the compromise. It’s important to remember that PCI security standards are industry best practices that have protected tens of thousands of merchants—and cardholders—against malicious behavior.
But these standards still have room for improvement. The PCI Security Standards Council is continuously seeking feedback from merchants, processors and other industry stakeholders on ways to strengthen the standard. To this end, the council has recently commissioned a study on emerging technologies that could further protect cardholder data.
The PCI data security standards, according to a recent report by the Society of Payment Security Professionals, “must be recognized for what (they are)—a tool in the protection of data rather than the last line of defense.”
I know it’s easy to put security on a lower priority list, especially if you’re a small retailer. But if you are a smaller retailer, you’re a bigger target. That’s because savvy hackers know you have fewer resources on hand, including money and time, and are often running older, insecure payment application versions.
And trust me, it’s well worth your money and time to take security seriously. If a breach has been detected in your system, you may be responsible for:
- A “forensics” examination, which can cost $10,000 or more, according to www.pcicomplianceguide.org.
- Between $5,000 and $50,000 (or more) in compliance fines.
- Legal fees.
- Up to $10 per card for replacement.
- Complying with breach notification state laws as applicable.
- Restoring your customers’ confidence.
Total costs for a breached “Level 4” merchant (those processing fewer than 20,000 e-commerce transactions annually, and all other merchants processing up to a million transactions) average $36,000 and may be catastrophic for small businesses.
So, what can you do to prevent the hassles and potential business killers of a breach? First, let’s address a few things smaller merchants must do to become compliant:
- Complete an annual Self Assessment Questionnaire.
- Pass quarterly vulnerability scans (merchants with externally facing IP addresses).
- Develop in-house information security policies.
- Launch security awareness training for you and your employees.
Don’t approach PCI compliance with a “check-the-box” mentality. Use it as an opportunity to maintain a high security posture and make it part of your daily routine. Remember, defending against criminals is not a one-time event, it’s perpetual.
Of course, the burden shouldn’t be completely up to retailers. Banks, processors, gateways, credit card companies and security providers all have to do a better job at coming up with new methodologies, technologies and education programs to help you better protect your business and your customers’ important information.
Congress agrees.
At the hearing, a number of suggestions came up, including the need for the United States to adopt encrypted PIN technology and smarter credit cards. For years, several European countries have been using chip cards, which have small computer processors on them. Chip technology can protect against “skimming,” which involves the copying of private information from the magnetic stripe. A chip, on the other hand, cannot be copied.
According to Rep. Yvette Clarke, chairwoman of the subcommittee that held the hearing, such technologies can help reduce the incidence of fraud by nearly 70 percent!
Here are some other steps advocated by the Society of Payment Security Professionals:
- The reduction of sensitive data storage. The less crucial data you have on premise, the less data can be stolen.
- The adoption of a more structured IT governance program. This would push us from a system of simple compliance to “real security.”
- The deployment of a more collaborative approach to addressing security issues. By sharing information, new security issues will surface sooner and fixes will follow more quickly.
I want to hear from you. What needs to be done to improve the PCI compliance process? How can ControlScan help educate you on what you need to do to become PCI compliant? And what can be done to improve security at our nation’s retailers?
Until Next Time,
Joan,
The eSecurityDiva