Payment Card Security - What Every Dealer Should Know!
4 Aug, 2010 | By: Charles L. Nault | imageSource
By Jim Phillips, CEO, Digital Gateway & Sean Kramer, Pres. & CEO, Element Payment
Do you store, transmit or process cardholder data such as credit cards, debit cards, payment cards or checks?
Is PCI compliance a term you have never heard of or a topic you are perplexed by? If so, keep reading because the information below could save you tens of thousands of dollars and hundreds of hours.
As you are probably aware, credit card fraud is a significant problem. It seems like you can’t get through a work week nowadays without hearing about someone’s credit card number being stolen or a company having to issue a statement that their systems were “hacked” and thousands, if not millions, of customers’ credit card numbers were compromised. In recent years, the compromise of credit card and personal information has cost major retailers hundreds of millions of dollars in fines and compensation to customers. This trend hasn’t gone unnoticed by the major credit card brands; in 2005, banks that issue credit cards lost $1.14 billion due to credit card fraud and in 2006, that annual loss increased by 10%.
The Payment Card Industry and Data Security Standards
These wince-worthy statistics played a critical role in driving the major credit card brands, Visa, MasterCard, Discover, American Express and JCB, to establish the Payment Card Industry Security Standards Council, also known as the PCI SSC. The PCI SSC, founded in 2006, is responsible for the creation, maintenance and distribution of, and education about, data security standards that promote higher levels of security around credit card numbers and other sensitive cardholder data. The key set of requirements is the Payment Card Industry Data Security Standard, or PCI DSS for short. PCI DSS is a set of twelve requirements that all businesses—including government entities—must comply with in order to accept credit and debit cards from their customers. Under the PCI DSS, merchants are required to:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Not too bad, right? Only 12 requirements—but each of these requirements has sub-requirements, over 200 in all, which, candidly speaking, could drain your will to live if you go about trying to comply with them without reading the rest of this article.
Regarding the PCI DSS, each of the major credit card brands has agreed to make these requirements an essential part of its own data security program, meaning that these are the technical requirements they expect merchants (like you) to adhere to. The card brands are more serious than ever about stressing the importance of compliance. In 2009, MasterCard announced its own fees of up to $25,000 for merchants who are non-compliant with the card brand’s compliance regulations. The crackdown is far from unjustified when you consider that 81% of organizations suffering data breaches in 2008 were not PCI compliant, according to the 2009 Data Breach Investigations Report by Verizon.
Many of you are probably saying to yourselves, “I haven’t been told that I need to be PCI DSS compliant by my bank or processor, let alone any of the credit card brands …” The most likely reason is that you are categorized as a “Level 4 Merchant,” which means you process fewer than 20,000 e-commerce transactions through a single major credit card brand or fewer than 1 million total transactions a year through a single major credit card brand. Level 4 Merchants have been granted leniency until now when it comes to PCI DSS compliance because the payment brands generally have “bigger fish to fry,” but starting this year a related set of standards also originating from the PCI SSC has come into effect, called the Payment Application Data Security Standard, also known as the PA-DSS. The PA-DSS is a set of requirements that apply to software applications used by merchants to process, store or transmit information at the point-of-sale (POS). The PA-DSS is considered to be just as costly, if not more costly, to comply with than the PCI DSS. A recently passed deadline may soon bring Level 4 merchants into a situation where their acquirers (banks, processors, gateways and other financial entities with a stake in the merchant’s payment processing) will force them to comply with PCI DSS and, by necessity, to use only PA-DSS validated payment applications, or face stiff fines and a potential end to their ability to process payments.
The Cost of Achieving PCI Compliance
Now let’s talk about some of the costs attributed to achieving PCI DSS compliance: In 2007, Gartner estimated that Level 1 Merchants (organizations processing more than 6 million transactions per year of a specific credit card brand) and Level 2 Merchants (processing between 1 and 6 million transactions per year) were each spending hundreds of thousands of dollars assessing how much of their organization, infrastructure and processes would be affected by PCI DSS requirements.
Level 3 Merchants (processing between 20,000 and 1 million e-commerce transactions per year) were each spending tens of thousands of dollars assessing their compliance with PCI DSS requirements. On top of the costs for assessment, there was the additional work necessary to actually achieve PCI DSS compliance; work that would include IT security improvements like new firewalls, two-factor authentication for remote access, periodic internal/external network scanning, system logging, system hardening and file integrity monitoring. At the time, Level 4 Merchants (processing fewer than 20,000 e-commerce transactions or fewer than 1 million total transactions per year) were not aggressively in the “cross-hairs” of PCI DSS compliance enforcement; however, if the expenses presented thus far are any indication, the cost of PCI compliance for the smallest organizations trying to achieve PCI DSS compliance through traditional approaches would be difficult to work into a small to medium size business’s annual IT budget.
The Promise of Hosted Payments, Encryption and Tokenization
So far this has been a bleak picture but it is a necessary one for every merchant to understand. Fortunately, there are new technologies available to your organization that can deliver much more affordable approaches to PCI DSS compliance by moving the responsibility of storing, transmitting and processing of cardholder data to an outsourced hosted payment solution that employs the use of tokenization and encryption.
Essentially, there are now solutions available that will allow organizations to encrypt and move all cardholder data to a PCI Level 1 secure facility where the cardholder records can be securely stored. In return, encrypted tokens (random but unique strings of letters and numbers) each representing a stored cardholder’s record (i.e. credit card number) are passed back to the merchant. Those tokens can then be used much like credit card numbers; the major difference would be that merchants would no longer be exposing sensitive cardholder data to hackers or other malicious entities set on stealing a business’ sensitive payment processing data.
Since, with this technology, merchants are no longer directly handling actual cardholder data electronically and, as a result, are no longer storing, transmitting and/or processing credit card data through a payment application, the PCI DSS requirements which mandate that merchants use only PA-DSS validated payment applications would no longer be applicable to your organization. Instead, a highly secure, Level 1 PCI compliant third party would handle those activities on your organization’s behalf and, in so doing, take on the risk and liability associated with handling cardholder data and the bulk of the costs for continued PCI DSS compliance. The extent to which your organization decreases the cost and simplifies its PCI DSS compliance will depend on your organization making policy/process changes (such as not storing credit card numbers). Provided that your organization can enforce and maintain its new policies, liability for any potential breaches of cardholder data should no longer have any direct negative impact on your organization.
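The token-for-card-number exchange described above, as an added example that is not the article’s or either vendor’s code: a toy hosted vault that hands the merchant a random token in place of the PAN, and a Luhn-based scanner a dealer could run over their own records to confirm that no real card numbers remain in scope. The class and function names, the in-memory store and the test card number are assumptions.

```python
"""Added example (not the article's or Digital Gateway's / Element's code): a toy
token vault showing why storing tokens instead of PANs shrinks PCI DSS scope,
plus a Luhn-based scanner a merchant can run over their own records.
The vault's storage is a plain in-memory dict here; a real vault would encrypt
the PAN at rest (PCI DSS Requirement 3)."""
import re
import secrets

# 13-19 digit runs are the candidate card-number shape; Luhn filters the rest.
_PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hosted-provider side: maps random tokens back to the cardholder data."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Replace a PAN with a random token that keeps only the last 4 digits
        for display; the token is unrelated to the PAN, so a leaked token
        reveals nothing and cannot be charged without the vault."""
        if not (_PAN_RE.fullmatch(pan) and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        token = f"tok_{secrets.token_hex(12)}_{pan[-4:]}"
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can recover the PAN; the merchant never calls this."""
        return self._store[token]


def find_pans(text: str) -> list[str]:
    """Merchant-side scope check: list Luhn-valid 13-19 digit runs in a record."""
    return [m for m in _PAN_RE.findall(text) if luhn_ok(m)]
```

Running find_pans over exported invoices or CRM notes is a cheap way to catch card numbers that staff pasted into free-text fields after the switch to tokens.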
Without the advent of hosted payments technologies, tokenization and encryption, your organization would have little recourse but to try to achieve PCI DSS compliance through traditional approaches which would likely cost your organization a lot more time and money year after year. Ironically, even if your organization achieves PCI DSS compliance while still storing, processing and/or transmitting cardholder data, your business may still be at risk.
The number one reason behind both cardholder data security compromises and the failure to comply with PCI DSS is the inability of businesses to protect stored cardholder data. In fact, 89% of companies that were breached in 2008 failed to effectively protect sensitive information, according to the 2009 Verizon Data Breach Investigation report.
While achieving PCI DSS compliance is a huge step in the right direction, experts recommend implementing solutions that exceed these requirements by completely removing cardholder data from the merchant’s place of business.
A Real Solution for Dealers
After months of searching for a cost-effective way to address this issue, Digital Gateway, in partnership with Element Payment Services, is now able to offer customers encryption of cardholder data and PASS tokenization technology through an innovative processing technology called Hosted Payments.
Hosted Payments completely removes all sensitive cardholder data from e-automate. Not only does this technology exceed the stringent PCI DSS and better protect your business, but it also will significantly simplify and reduce the cost of PCI DSS compliance for dealers.
The fact of the matter is that many dealers could not survive even a single data breach. Conversely, the traditional costs of trying to protect your business against those data breaches could push many dealers into bankruptcy.
Thankfully, there are now affordable ways to tackle both ends of this issue, leaving your business free to worry about more important things…like making money.
Jim Phillips is the CEO of Digital Gateway. Visit www.digitalgateway.com for detailed information. Sean Kramer is the President & CEO of Element Payment Services, a member organization of the PCI Security Standards Council. Visit www.elementps.com for more info.