From the Perspective of Credit Card Merchants & Companies.
Understanding Your PCI Responsibilities & Obligations
Point of Sale (POS) providers will no longer be at arm's length from the responsibility of helping merchants meet the PCI DSS requirements.
Liability for compliance failures is shifting. The PCI Qualified Integrator and Reseller (QIR) program brings third parties into the chain of responsibility, and further shifts should be expected in future revisions of the standard. As it stands today, QIR is a first step: essentially an awareness and qualification program for POS providers who install and maintain payment applications. It is the tip of the spear for understanding what merchants face when they are required to complete the Self-Assessment Questionnaire (SAQ) for the payment brands. QIR brings the POS provider one step closer to that process, and therefore into the scope of liability when a breach occurs.
POS providers can no longer keep their distance from the merchant's SAQ obligations. Frankly, SAQ D is not something a retailer can comfortably complete without knowledgeable assistance, and the SAQ itself is only a condensed self-assessment against the DSS requirements, not the full standard; the requirements behind it are mandatory, not suggestions.
Navigating Through Regulations & Your Liability
The PCI Security Standards Council's standard is "regulatory in nature" without being government regulation: it is a contractual obligation, part of the terms and conditions a business accepts from its acquiring bank when it agrees to take credit or debit card payments.
Signing costs nothing. The liability that follows from not strictly adhering to the standard, however, can destroy not only the business that accepts the cards; third-party businesses in the processing chain can be implicated as well. A breach also creates mistrust and a loss of customer confidence that damages brand loyalty.
Now for the harsh reality: the merchant has entered into an agreement that obligates it to provide specific safeguards for customer data. This does not stop at card data. State and federal laws can extend the obligation to personally identifiable information (PII: name, address, city, state, ZIP code, phone numbers, Social Security numbers, email addresses) when it is used in connection with a fraudulent financial transaction. What counts as PII varies from state to state.
The ugly truth is that a massive number of businesses live under this dark cloud and are entirely unaware of the real consequences. A smaller but still staggering group knows there is a risk, believes it will never happen to them, and accepts it as a cost of doing business. A small percentage believe a vendor-supplied firewall and antivirus software protect them. Finally, a very small minority, probably less than 1% of all businesses, are aware of the risk and take all the appropriate precautions, some going above and beyond to prevent an incident, while knowing that a capable attacker can still slip past them.
Statistics Create More Urgency
An estimated 99% of everything connected to the internet has been or is being attacked; the number actually compromised is unknown but believed to be staggering.
More than 80% of the world's data was created in the last two years, and 80% of the world's population is expected to own a smartphone or smart device within five years. Today only 20% own a mobile phone of any kind, flip phones included, not just smartphones.
As you can see, data and business can no longer be separated, and protecting that data is both complex and expensive. The moral of this story is that business owners need stronger protections, those protections are being mandated through many initiatives, and you have a duty to your business and your customers to protect their sensitive data.
There are thousands of ways to gain access to sensitive data. A firewall and antivirus stop some of these attacks, but if they are not configured correctly and maintained regularly they are mere hindrances to an attacker. That still leaves thousands of other vulnerabilities, and exploiting them does not require much skill. Listing them would be pointless, because attackers change tactics and new exploits appear every hour of every day.
- 99% - Devices that have been or are being attacked
- 80% - World's data created in the last 2 years
- 80% - World's population with smartphones in 5 years
There is no substitute for experience:
No solution will guarantee 100% safety; computing is only going to get more complex (by an estimated 500% in just five years) with the advent of the Internet of Things.
This will bring an untold number of new smart devices into the internet and into our daily lives. Your vigilance should already have started, and security should be one of the primary concerns of your business.
Experience is not something you want to gain the hard way. After a breach you will need the right legal representation fast, and you will need a cyber defense team on YOUR side, because there will be one engaged against you. Forensics is like the television show in one respect: it can produce very expensive false positives, and each one must be explored. It is easy to speculate about how, when, and for how long an attack has been under way; it is far harder to prove it.
We have seen this first hand and have spent tens of thousands of dollars chasing these phantoms. You need a breach plan as part of your disaster preparedness, and it must include how you will handle the press. Having a company that has survived this process as your ally and guide is priceless. Preventing a breach can be a serious and expensive undertaking, but being prepared lets you mitigate the damage faster and survive the devastation that taking no action will likely bring to your business and your customers.
Start By Protecting Your Business Today
You do have the power to control and greatly reduce your business's threat profile and the risks that come with it.
1. Understand Your Vulnerabilities.
Understand your vulnerabilities in relation to your PCI scope. Vulnerability scans, and proper documentation of their results, are crucial for validating your compliance with the security standard you are attesting to.
2. Understand the Big Picture
Educate yourself on how to remediate those threats, and understand the broader set of policies your company will have to adopt.
3. Control Access To Your Environment.
Learn how to control who has access to your systems and how to hold them accountable.