3 Ways to Improve Your Credit Card and Data Security (article)


The ability to accept and protect credit cards is essential. Data breaches are common in today’s environment. Security Affairs’ Data Breach Quickview found that 53 percent of the data breaches in 2015 occurred in the business sector, and governments, nonprofits, educational and medical communities made up another 39 percent of breaches.

The costs of just one attack can be staggering, particularly when they involve a breach of credit card information. These types of incidents may include fines levied by Visa, MasterCard or other payment brands that are usually passed along to the breached company. There are also costs associated with the forensic investigation used to determine the source of the breach, the nature of the information stolen, the number of cards involved and the extent of the compromised servers. In addition, the company often must cover costs associated with reissuing cards and repaying the actual losses. Finally, there are the costs of remediation work, such as rebuilding compromised servers, working with law enforcement agencies and submitting to the credit card issuer a detailed plan for fixing the security problem.

Fortunately, there are several ways you can secure your credit cards and mitigate your risk of a breach.

Protection for Your Company and Your Customers

Companies that facilitate the use of credit cards are permitted to store certain types of data, including the cardholder’s name, address, ZIP code and the card’s expiration date. Storage of data such as the sensitive authentication CVC2/CVV/CID code, data that make up the full magnetic stripe and the customer’s PIN or PIN Block is prohibited.

The best way to protect consumer cardholder data is simply not to store them. However, if you absolutely need to store the data, then the Payment Card Industry Data Security Standard (PCI DSS) provides the safeguards that you need to put in place to protect that data. PCI DSS was developed as an outgrowth of data security efforts by Visa’s Cardholder Information Security Program and MasterCard’s Site Data Protection Plan and embraced by American Express, Discover Card Services and the Japan Credit Bureau.

As a result, all merchants that process, store or transmit cardholder data must comply with the standard.

Understand the Standard

The individual card brands require that many service providers and large merchants undergo an annual payment card industry (PCI) assessment conducted by a PCI Security Standards Council-approved Qualified Security Assessor (QSA) in order to demonstrate they are compliant with PCI DSS. Large service providers and merchants also must submit to quarterly network vulnerability scanning and penetration testing.

What constitutes a large merchant or service provider depends upon the number of payment card transactions the company processes and whether it has ever been the victim of a data breach involving credit card information. Visa places the most stringent PCI DSS requirements on merchants that process more than 6 million Visa transactions per year and service providers that process more than 300,000 transactions per year.

Companies that handle a smaller number of payment card transactions must still comply with the PCI DSS, but they can perform and submit the results of an annual self-assessment that demonstrates their current state of compliance. Self-assessments must meet the standard. It is important to note that the assessment is a “point in time” assessment that must be performed every year.

Credit card companies and sponsoring banks will hold organizations accountable for the information provided in the self-assessment in the event of a breach. Those that fail to meet the standards can be fined for non-compliance, may be subject to increased processing fees and can even have their ability to accept credit card payments revoked.

Focus on the Six Control Objectives

Whether you are subject to external reviews or you are conducting a self-assessment, you should ensure your PCI policies address the following six control objectives:

1. Build and Maintain a Secure Network
Companies must install and maintain an effective firewall configuration that protects internal servers against direct access from the Internet. This often involves employing separate servers for credit card transaction processing and segregating them from other servers by a firewall. In essence, network segmentation shrinks the security footprint so companies have fewer credit card servers to protect from exposure. Implementing hardening standards for servers – such as changing default passwords and other security parameters for all systems that interface with credit cards – also is required.

Your company should also be sure to change the vendor-supplied default passwords because hackers may know them; default system passwords may be discoverable through a Google search.

2. Protect Cardholder Data
PCI DSS will help protect stored cardholder data, but compliance does not guarantee that you will never experience a security breach. It is critical to make sure that if the worst happens, no sensitive data are compromised. There are three ways to achieve this. First, ensure that sensitive authentication data, such as CVV, CVC and CID, are never stored after the transaction is authorized. Second, do not store the contents of the magnetic stripe on the back of the card, as this data could be used to create a counterfeit card. Finally, ensure that card numbers are always stored so that they are unreadable by an intruder. This can be achieved by encrypting stored card numbers and masking them wherever they are displayed.

3. Maintain a Vulnerability Management Program
Your company should use and regularly update antivirus software and apply vendor-supplied security patches. You should only deploy systems that have been rigorously tested beforehand.

4. Implement Strong Access Control Measures
Restrict access to cardholder data and only allow persons with a business need to access the systems processing, storing or transmitting card transactions. It is necessary to assign a unique user ID to each person with access to the above systems in order to establish an audit trail for a forensic investigation.

5. Regularly Monitor and Test Networks
Access to network resources and cardholder data must be tracked by a unique user ID. Security systems and processes also must be tested regularly. This includes quarterly network vulnerability scanning and penetration testing.

6. Maintain an Information Security Policy
Finally, every entity must develop and maintain a data breach response plan, use only PCI DSS compliant service providers and ensure the organization adheres to a formal policy that addresses information security.
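The second control objective above (never store sensitive authentication data after authorization, keep stored card numbers unreadable) is the one most easily checked in code. The following is an added example, not code from the article or from CBIZ, showing a post-authorization "prepare for storage" step: it drops the forbidden fields by building the stored record from an allowlist, masks the PAN to first six / last four, and replaces the full PAN with a keyed HMAC token so transactions can still be matched without the number on disk. The record layout, field names and key are assumptions. The token substitutes for the encryption the article mentions in order to stay standard-library only; if the business must recover the full PAN (for example for refunds), it needs real encryption under managed keys, which this example does not implement.

```python
"""Post-authorization handling of a card record (added example, assumptions noted).

Assumed record shape (hypothetical): a dict with "pan", "expiry", "cardholder_name",
plus whatever sensitive authentication data (SAD) the payment form captured.
"""
import hashlib
import hmac
import re

# Sensitive authentication data that PCI DSS forbids storing after authorization.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "track1", "track2", "pin", "pin_block"}

# PANs are 13-19 digits; anything else is rejected before it reaches storage.
PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum. Catches mistyped numbers, not fraud; used only to validate shape."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask to first six / last four, the most PCI DSS allows on a display or receipt."""
    if not PAN_RE.match(pan) or not luhn_ok(pan):
        raise ValueError("not a well-formed PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the PAN: a stable lookup token that does not reveal the PAN.

    The key must live outside the database (secrets manager or HSM); an unkeyed hash
    of a 16-digit number is cheap to reverse by enumeration.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def forbidden_fields(record: dict) -> list:
    """Names of SAD fields present in a record, useful for scanning legacy tables."""
    return sorted(k for k in record if k.lower().replace("-", "_") in SAD_FIELDS)


def prepare_for_storage(record: dict, key: bytes) -> dict:
    """Return the only fields allowed to persist once the transaction is authorized.

    The output is built from an allowlist, so a new SAD field name added upstream
    can never leak into storage by accident.
    """
    pan = "".join(record["pan"].split())     # tolerate "4111 1111 ..." spacing
    return {
        "cardholder_name": record.get("cardholder_name"),
        "expiry": record.get("expiry"),
        "pan_masked": mask_pan(pan),
        "pan_token": pan_token(pan, key),
    }


if __name__ == "__main__":
    # Constructed sample: the widely used 4111... test PAN, with SAD attached.
    sample = {
        "pan": "4111 1111 1111 1111",
        "expiry": "12/19",
        "cardholder_name": "A Cardholder",
        "cvv": "123",
        "track2": "4111111111111111=19121011000012345678",
    }
    print("SAD fields that must not be stored:", forbidden_fields(sample))
    print(prepare_for_storage(sample, b"constructed-example-key"))
```

`forbidden_fields` is the half of this that pays off in practice: run it over columns of an existing transaction table and any non-empty result is a finding, since the data should never have been written in the first place.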
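Objectives four and five both rest on the same thing: every login to a system in the cardholder data environment must be tied to one named person, and those people must be on a documented need-to-know list, otherwise the audit trail a forensic investigation depends on does not exist. The following added example (mine, not the article's or CBIZ's) runs that check over a few constructed sshd log lines. It assumes a "cde-" host-naming convention, syslog-style "Accepted ... for USER from SRC" lines, and an authorized-user set maintained outside the script; all three are assumptions.

```python
"""Audit-trail check for cardholder-data-environment (CDE) logins (added example).

Assumptions (hypothetical): CDE hosts are named "cde-*"; successful logins appear as
sshd "Accepted <method> for <user> from <src>" lines; the set of people with a
documented business need is maintained elsewhere and passed in.
"""
import re
from collections import defaultdict

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: Accepted (?P<method>\S+) "
    r"for (?P<user>\S+) from (?P<src>\S+)"
)

# Accounts not tied to one person. A successful login as one of these leaves no
# usable trail of who actually touched cardholder data.
SHARED_ACCOUNTS = {"root", "admin", "administrator", "oracle", "postgres"}

# Constructed sample log lines for the demonstration (not real data).
SAMPLE_LOG = """\
2016-03-01T10:02:11Z cde-db01 sshd: Accepted publickey for jsmith from 10.0.5.21
2016-03-01T10:05:43Z cde-db01 sshd: Accepted password for root from 10.0.5.22
2016-03-01T10:09:02Z cde-app02 sshd: Accepted publickey for svc_batch from 10.0.5.30
2016-03-01T10:12:57Z corp-web01 sshd: Accepted publickey for root from 10.0.9.8
2016-03-01T11:15:20Z cde-db01 sshd: Accepted publickey for tnguyen from 10.0.5.40
2016-03-01T11:18:03Z cde-db01 sshd: Failed password for invalid user test from 10.0.5.41
"""

# People and service identities with a documented business need (assumed list).
AUTHORIZED = {"jsmith", "svc_batch"}


def parse_logins(text: str) -> list:
    """Extract successful-login events; failed attempts are a separate concern."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def is_cde_host(host: str) -> bool:
    return host.startswith("cde-")


def audit_cde_access(text: str, authorized: set) -> list:
    """Return findings as (kind, user, host, timestamp) tuples.

    "shared-account": login as an account that identifies no individual.
    "not-authorized": a unique ID, but not on the need-to-know list.
    """
    findings = []
    for e in parse_logins(text):
        if not is_cde_host(e["host"]):
            continue                    # outside the CDE, out of scope here
        if e["user"] in SHARED_ACCOUNTS:
            findings.append(("shared-account", e["user"], e["host"], e["ts"]))
        elif e["user"] not in authorized:
            findings.append(("not-authorized", e["user"], e["host"], e["ts"]))
    return findings


def access_summary(text: str) -> dict:
    """Per-user set of CDE hosts reached: the raw material for a periodic access review."""
    summary = defaultdict(set)
    for e in parse_logins(text):
        if is_cde_host(e["host"]):
            summary[e["user"]].add(e["host"])
    return dict(summary)


if __name__ == "__main__":
    for finding in audit_cde_access(SAMPLE_LOG, AUTHORIZED):
        print(*finding)
    print(access_summary(SAMPLE_LOG))
```

On the sample, the root login to `cde-db01` is flagged as a shared account and `tnguyen` as an authenticated user who is not on the list; the root login to `corp-web01` is ignored because that host is outside the CDE. In practice the same logic belongs in the log-management system that the standard's monitoring objective already requires, run continuously rather than at the annual assessment.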

Compliance Can Be Challenging
To assist in your compliance efforts, consultants are available to conduct PCI assessments that show precisely where you are or where you do not comply with PCI DSS. A third party can also provide vulnerability scanning, application penetration testing and other critical services.

By understanding areas of weakness, implementing pivotal information security practices and continually monitoring the effectiveness of these efforts, your company can achieve compliance. For more information, please contact us.


Copyright © 2016, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.

CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).

Published 2016-03-29T17:51:00-05:00. Summary: Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is essential for all types and sizes of companies that handle credit card transactions.