Saturday, 17 November 2007

Card Merchants and Retailers Miss Security Deadline

Compromises of TJX and high-profile companies such as Polo Ralph Lauren and Lexis-Nexis have focused the spotlight on card data security. VISA and MasterCard have formulated a compliance strategy, which has been ratified by the other card brands, to minimise these risks.

These strategies, which are considered good practice within much of the online industry, will come as a drastic change to many merchants. Though these changes should for the most part be looked upon as a good thing, complying with some of the PCI provisions could be difficult for small and midsize merchants.

Card companies impose identity-theft countermeasures, and compliance dates are PAST
The deadline for compliance with the Payment Card Industry Data Security Standard (PCI DSS, often just "PCI") is looming (and in many cases has already passed), yet many retail merchants are still unaware of it. Retailers, online merchants, data processors and other businesses that handle credit card data have only weeks to become compliant with the standard.

Acquiring banks and other acquirers (the institutions that sign up merchants to accept cards) will be responsible for ensuring that those merchants comply with PCI. These acquirers face fines of up to $500,000 per incident if a data compromise occurs because the standard was not implemented.

The original June 30 deadline passed long ago, and the extended deadlines for Tier 2 and Tier 3 merchants are fast approaching. Tier 2 and Tier 3 merchants are those that accept anywhere between 20,000 and 6 million card transactions per year.

Though compliance is expected of them, retailers in the Tier 4 category of the PCI program do not yet face a deadline. The card companies have been working through a risk-based approach, and no deadline has been set for the smaller merchants so far.
What is the PCI Anyway?

The Payment Card Industry Data Security Standard, or PCI, lists 12 items that retailers, online merchants, data processors and other businesses that handle credit card data will have to start meeting by June 1. The PCI Data Security Standard combines components of MasterCard's Site Data Protection (SDP) compliance program and Visa's Cardholder Information Security Program (CISP).
Specifications of the program require that merchants:

  1. Install and maintain a working network firewall to protect credit card data from other networks, including the Internet.

  2. Keep security patches up to date on all systems involved with credit card data.

  3. Encrypt stored credit card data.

  4. Encrypt data sent across networks using acceptable methods.

  5. Use and regularly update anti-virus software.

  6. Restrict access to data by business "need to know."

  7. Assign a unique User ID to each person with computer access to data to provide accountability.

  8. Do not use vendor-supplied defaults for system accounts and passwords and other security parameters.

  9. Monitor and log access to data by unique User ID.

  10. Test security systems and processes.

  11. Implement and maintain a security policy and processes, including assigning responsibility for security within the organisation.

  12. Restrict physical access to cardholder information.
The PCI program applies not only to online merchants, but also to mail-order and telephone-order (MOTO) merchants, third-party processing agents, other "card-not-present" channels, and anyone who stores cardholder data on an electronic system.

Most small merchants will need to conduct an external vulnerability assessment to be compliant.
Why comply with these standards?
VISA argues that the program will provide merchants with a competitive edge. They point to consumer studies which show that customers would prefer to deal with merchants they feel safe with.

For the smaller merchants, this is basically a risk issue. These retailers need to weigh the cost of implementing controls against the cost of doing business without them, and particularly against the cost of not complying: the fines above, and the liability for a breach that follows.

How does this affect my business?
Many POS systems used by retailers store credit card information for up to a month for backup or settlement reasons. Under the PCI requirements, this information needs to be encrypted.
Retailers will need to review what data they capture and forward when they scan a credit card in store. Merchants who store card data for automated processing later will need to carefully review those systems and the controls around them.
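As an added illustration (this is not code from the original post, and no POS vendor's implementation), the following Go program shows what "encrypt stored credit card data" and "review what data you capture" amount to inside a POS settlement store: the card number (PAN) is Luhn-checked, held only under AES-256-GCM until the batch is settled, shown on receipts and in logs only in masked form, and the card verification code is given no field at all, since the standard does not permit keeping it after authorisation. The record layout, function names and key handling are constructed for this example; 4111 1111 1111 1111 is a standard test number, not a real card.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// settlementRecord is a constructed stand-in for the per-transaction record a
// POS keeps until the batch is settled. There is deliberately no CVV/CVC field.
type settlementRecord struct {
	MaskedPAN    string // first six and last four digits; safe for receipts and logs
	EncryptedPAN []byte // nonce || AES-GCM ciphertext || tag
	Expiry       string
	AmountCents  int64
}

// luhnValid checks the mod-10 check digit that every card number carries.
func luhnValid(pan string) bool {
	if len(pan) < 13 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// maskPAN returns the display form: first six, last four, the rest starred.
func maskPAN(pan string) string {
	if len(pan) < 13 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptPAN seals the PAN under key with a fresh random nonce, prepended so
// that decryptPAN can recover it.
func encryptPAN(key []byte, pan string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// decryptPAN is what the settlement job calls. GCM's tag check means a
// modified blob or a wrong key yields an error, never garbage digits.
func decryptPAN(key, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// storeForSettlement is called at the point of sale. Only the encrypted and
// masked forms of the PAN are retained; the clear PAN is dropped.
func storeForSettlement(key []byte, pan, expiry string, amountCents int64) (settlementRecord, error) {
	if !luhnValid(pan) {
		return settlementRecord{}, errors.New("invalid card number")
	}
	enc, err := encryptPAN(key, pan)
	if err != nil {
		return settlementRecord{}, err
	}
	return settlementRecord{MaskedPAN: maskPAN(pan), EncryptedPAN: enc, Expiry: expiry, AmountCents: amountCents}, nil
}

func main() {
	// Hypothetical key: in a real deployment it comes from a key-management
	// service or HSM and is never stored on the POS beside the data it protects.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	rec, err := storeForSettlement(key, "4111111111111111", "12/09", 4995)
	if err != nil {
		panic(err)
	}
	fmt.Println("receipt / log line:", rec.MaskedPAN, rec.Expiry, rec.AmountCents)
	fmt.Printf("stored blob:        %x\n", rec.EncryptedPAN)
	pan, err := decryptPAN(key, rec.EncryptedPAN)
	fmt.Println("settlement sees:   ", pan, err)
}
```

The point of the masked field is that every other consumer of the record (receipt printer, reporting database, log shipper) reads MaskedPAN and never needs the key; only the settlement job does. Where the key lives, and who can call decryptPAN, is exactly the "controls around them" the paragraph above asks merchants to review.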

For most small retailers, a quarterly external vulnerability assessment is a basic requirement. Given the level of threats on the Internet these days, this can only be a good thing.
How can they make me comply?

The card companies are primarily pushing PCI through the acquirers, such as the banks. As the principal underwriters of the merchants, the banks and other acquirers are the ones who are fined and do not want to carry that liability. Many acquirers are therefore making PCI compliance a condition of their merchant agreements.

How risk is assessed
For small merchants, the following table will give some idea of the risk and compliance requirements:

* DSS is the Data Security Standard

The scan and questionnaire requirements do not apply to retail merchants whose terminal applications are not connected to a network or the Internet and that do not accept, process, store, transmit or view credit card data via a network or the Internet. POS devices that are networked, or that store card information for backup or historical purposes, are not exempt.

Merchants exempt from the scan and questionnaire requirements are still required to comply with the PCI security standards governing management and storage of credit card data.

The following table lists the requirements:

* Merchants that use virtual terminals qualify as Level 4 merchants.

VISA US has stated that fines can also be issued "if a member knows or suspects a security breach with a merchant or service provider" and does not "take immediate action to investigate the incident and limit the exposure of cardholder data".
