ICS Support - Accounting and Business ERP Software Consultant Seattle Washington
Accounting and Business ERP Software Training in Seattle Washington

May 2010: A Note from Jeff Mack
The Bottom Line: Beware the Hand That Feeds You

As a merchant, you have enough to worry about just driving demand for your goods and services, ensuring that you have adequate supply to meet that demand, and doing it all while maintaining positive cash flow. Accepting credit card payments from customers can go a long way toward easing the cash-flow concern while also encouraging increased sales.

We know there is no free lunch with credit cards; we are all familiar with transaction fees. Now, however, there is a bigger concern requiring our attention: the July 1, 2010 deadline (a Visa mandate enforced through the acquiring banks) after which merchants must use only PA-DSS validated payment applications. (See our PCI-DSS Requirements article in this newsletter for background.) PCI-DSS is a broad set of requirements spanning both electronic and physical security practices, and it applies to the merchant. PA-DSS is derived from it and applies to the vendors of the software applications used to process card payments; think of it as the software-specific piece of the PCI picture. A PA-DSS validated application does not retain back-of-card data (PCI calls it sensitive authentication data) after authorization: full magnetic-stripe track data, the card verification code (CVV2/CVC2/CID), and PIN or PIN-block data. Note that a validated application is necessary but not sufficient: it covers the application itself, while the merchant remains responsible for the rest of PCI-DSS, meaning the network, the systems the application runs on, and the people who use it.

You may be wondering what all the fuss is about and why these compliance measures are suddenly so critical. Allow me to share some startling statistics with you from Trustwave, an organization specializing in information security and compliance.

  • On average, 156 days elapse between an initial breach and its detection.
  • 80% of incidents are detected by a regulating body such as a credit card association. The other 20% are identified through self-detection, public detection or law enforcement.
  • The hospitality industry is the victim of 38% of intrusion incidents, financial services 19%, and retail 14%.
  • Companies in the 1 – 499 employee range are the most highly targeted.
  • 99% of the time the intruders are after payment card data.
  • Elimination of stored data reduces exposure by a factor of approximately 7:1.
  • Remote access applications and third-party connections provide 87% of the initial entry points for a breach.
  • Malware is used in 54% of cases to gain unlawful access.

What can be gleaned from these statistics? It is obvious that, as merchants, we are in possession of highly sought-after information. The people seeking it are very smart and will go to almost any lengths to get it. Once they have it, we typically do not find out for months, and usually someone else (the card association) tells us. Many of our companies are in the highly targeted zone in terms of company size and industry. If we have wired or wireless connections to the outside world, and in particular remote-access or vendor connections, we have exposure.

So what can be done to mitigate or remediate our risk?

  • Utilize only PA-DSS validated payment applications. Check the PCI Security Standards Council's list of validated applications, and check the specific version you are running, not just the product name.
  • Do not store any back-of-card information (full track data, CVV2, PIN data) after authorization. Verify this by scanning your databases, log files and backups for card data rather than trusting the application's documentation; logs and debug output are where it tends to leak.
  • Monitor the third-party relationships that connect to your systems: inventory every remote-access and vendor connection, give each vendor its own account, and enable those accounts only while they are needed.
  • Ensure that all your systems are properly protected with appropriate firewalls and security measures, and keep operating systems and applications patched. Use the latest and most secure wireless encryption (WPA2); do not use WEP, which PCI-DSS requires to be removed from cardholder networks by June 30, 2010. Run solid anti-virus tools on all systems and keep them updated.
  • Encrypt your data: render stored card numbers unreadable (encryption, truncation or strong hashing) and encrypt cardholder data whenever it crosses a public network.
  • Educate your staff on how card data may and may not be handled, and on the phone calls and e-mails that try to talk them out of passwords.
  • Lock down user access: a unique account for every user, least privilege, and no shared accounts or default vendor passwords.
  • Use multifactor authentication wherever possible; PCI-DSS already requires two-factor authentication for remote access into your network.
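The two bullets about not storing back-of-card data, in working form. This is an added example and not code from ICS, from any PA-DSS application, or from the PCI standards: a small Python script that scans a file or database dump for card numbers and for the sensitive authentication data that must never be stored, and shows the sanitized record an application should persist instead. The sample dump, the PaymentRecord layout and the regex patterns are constructed for illustration; the card numbers are the familiar 4111 1111 1111 1111 style test numbers, not real cards.

```python
"""Check stored data for the card data a merchant must never keep.

Added example, not code from ICS or from the PCI standards. The sample
dump, the record layout and the regex patterns are constructed here for
illustration; tune the patterns to your own files before relying on them.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 as read from the magnetic stripe: %B<PAN>^<NAME>^<YYMM><service code>...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code>...?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}[^?]*\?")
# Card verification code stored next to a recognisable label.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|csc)\b\s*[:=]\s*(\d{3,4})", re.I)


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum every card number carries."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS masking: no more than the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid card numbers found in free text, separators removed."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):     # drops order numbers and other digit runs
            found.append(digits)
    return found


def scan_text(text: str) -> Dict[str, List[str]]:
    """Classify card data in a file or database dump.

    'pan' may be stored if rendered unreadable (PCI DSS 3.4); 'track1',
    'track2' and 'cvv' are sensitive authentication data and must not be
    stored at all after authorization (PCI DSS 3.2). Findings are masked so
    the scan report itself does not become another copy of the data.
    """
    return {
        "pan": [mask_pan(p) for p in find_pans(text)],
        "track1": [mask_pan(m.group(1)) for m in TRACK1_RE.finditer(text)],
        "track2": [mask_pan(m.group(1)) for m in TRACK2_RE.finditer(text)],
        "cvv": ["***" for _ in CVV_RE.finditer(text)],
    }


@dataclass
class PaymentRecord:
    """Hypothetical record as it arrives from a card reader or web form."""
    pan: str
    expiry: str
    cvv2: Optional[str] = None
    track2: Optional[str] = None
    pin_block: Optional[str] = None


def sanitize_for_storage(rec: PaymentRecord) -> Dict[str, str]:
    """What the application may persist after authorization.

    The PAN is truncated (keep the full PAN only encrypted, if you need it
    at all); CVV2, track data and PIN block are dropped, never masked or
    encrypted, because no storage of them is permitted.
    """
    return {"pan_masked": mask_pan(rec.pan), "expiry": rec.expiry}


# Constructed sample of a log/database dump using test card numbers.
SAMPLE_DUMP = """\
order=1001 pan=4111 1111 1111 1111 exp=2512 cvv2=123
order=1002 swipe=%B4111111111111111^DOE/JOHN^25121011234?
order=1003 swipe=;5500000000000004=25121011234?
order=1004 pan=4111111111111112 (typo, fails Luhn)
"""

if __name__ == "__main__":
    for kind, hits in scan_text(SAMPLE_DUMP).items():
        print(f"{kind:7} {len(hits)} found: {hits}")
    rec = PaymentRecord(pan="4111111111111111", expiry="2512", cvv2="123",
                        track2=";4111111111111111=25121011234?")
    print("stored:", sanitize_for_storage(rec))
```

Run it against exported database tables, application log directories and backup sets; any hit in the track or cvv categories is a finding to fix, regardless of what the application vendor says. The Luhn filter keeps order numbers and timestamps out of the report, and the sanitized record scans clean, which is the property you want every stored record to have.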

For a good primer on the PCI compliance issues, read PCI for Dummies (PDF).

Credit cards are great enablers of business today. As their use has spread around the globe, criminals have learned to exploit the weaknesses in the system. Adhering to the new compliance requirements is simply a measure we all must take to armor ourselves against new and rising threats.

The bottom line… credit cards are indispensable tools in the business world and we must ensure that we are using them wisely!

Integrated Computer Systems Support, Inc
