The study clearly illustrates how quickly a data breach can damage a business and its ability to attract customers. In fact, this significant percentage shows that customers are no longer willing to make purchases with businesses that aren’t dedicated to protecting their card information. As these breaches turn into bad reputations, both potential and loyal customers can be discouraged from choosing your business and, as a result, turn to competitors. The loss of these profits can have a truly devastating effect on businesses.
The study also uncovered which industries had the most significant turnover in customer retention due to a data breach. The following findings include the top three industries:
• Hotel: 77 percent of previous customers would not return
• Restaurants: 76 percent of previous customers would not return
• Airline Carriers: 70 percent of previous customers would not return
The official version of the PCI Data Security Standard v2.0 was released on October 28 by the PCI Security Standards Council. Many organizations, including BHI SecureConnect, received a “pre-read” copy of the requirements back at the beginning of September. Many of us within the PCI community have commented that the new version leaves more to the interpretation of the assessor than previous versions; is this more risk-based or just more ambiguous?
If your organization has the funds to consult with a Qualified Security Assessor (QSA), then this added flexibility can work in your favor. However, if you are like the hundreds of thousands of merchants out there that do not require an onsite audit, this poses some issues. Just for clarification, all versions of the Self-Assessment Questionnaire were also updated. They have included a new variant of SAQ C (SAQ C-VT) for web-based virtual terminals. (Really, they could have chosen an acronym that doesn’t also stand for “continuously variable transmission”.)
There were quite a few wording changes and clarifications, which ultimately do not have a real effect on the merchant. Some of the changes were items that an assessor had already been taking into consideration; those items were just formally documented in the new version 2.0.
What do you, as a merchant, need to be concerned with? Let’s break down these changes that have an effect on Level 4 merchants:
Wireless networks – WEP was prohibited as of June 30, 2010 under v1.2.1. However, references to WPA/WPA2 have been removed from v2.0 of the DSS; “strong encryption” is now referenced instead. WPA has come under fire and may not be considered strong encryption; new implementations should definitely be WPA2. Removing specific encryption technologies from the text gives the standard flexibility to adjust within the three-year PCI DSS lifecycle, though some might consider this to be less prescriptive.
Anti-virus logs – Although DSS v1.2.1 referred to generating anti-virus logs in its testing procedure, the SAQ only indicated that the software must be capable of generating logs. Under v2.0, it now specifies that audit logs are generated. For those managing their own anti-virus solution, ensure that the logs are being pushed to your logging solution.
Unauthorized wireless access points – v2.0 allows some flexibility, permitting “physical/logical inspection of system components and infrastructure”. While this may be easier for smaller merchants to address, a quarterly physical inspection does just as little as walking around quarterly with a portable analyzer. Both are point-in-time assessments, and an attacker could have up to 90 days of unmonitored access between them. Use real-time monitoring for rogue access devices to be on the safe side.
Intrusion prevention systems (IPS) – v2.0 allows IPS to be deployed at the perimeter of the cardholder data environment (CDE) and at critical points within the CDE. Here we see the flexibility of implementations (or vagueness). For those that utilize a Unified Threat Management (UTM) appliance, this shouldn’t have too much of an effect, as one can apply IPS policy on each interface. In larger environments, this can reduce the complexity and cost associated with implementing IPS throughout the organization.
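The wireless points above (WEP prohibited, WPA no longer named as strong encryption, and the case for continuous rather than quarterly rogue-AP detection) can be turned into a small automated check. The following is an added example, not code from the original post or from BHI SecureConnect; the scan-result format, the inventory format and all BSSIDs/SSIDs are constructed assumptions.

```python
# Added example: audit wireless scan results against an AP inventory.
# Flags (1) unknown radios (candidate rogue APs), (2) unknown radios that
# broadcast one of our own SSIDs (impersonation), and (3) authorized APs
# still running encryption the post considers weak (open, WEP, WPA).
from dataclasses import dataclass

# Modes treated as weak per the PCI DSS v2.0 discussion above.
WEAK_ENCRYPTION = {"OPEN", "WEP", "WPA"}


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str       # radio MAC address; used as the AP's identity
    encryption: str  # e.g. "OPEN", "WEP", "WPA", "WPA2"


def audit_wireless(observed, authorized):
    """Return a list of (kind, bssid, message) findings.

    observed:   iterable of AccessPoint from a site scan (assumed format)
    authorized: dict of BSSID -> expected SSID from the merchant's inventory
    """
    known = {b.lower(): s for b, s in authorized.items()}
    our_ssids = set(known.values())
    findings = []
    for ap in observed:
        bssid = ap.bssid.lower()
        if bssid not in known:
            if ap.ssid in our_ssids:
                findings.append(("impersonation", bssid,
                                 f"unknown radio broadcasting our SSID '{ap.ssid}'"))
            else:
                findings.append(("rogue", bssid,
                                 f"unauthorized AP broadcasting '{ap.ssid}'"))
        elif ap.encryption.upper() in WEAK_ENCRYPTION:
            findings.append(("weak_encryption", bssid,
                             f"authorized AP '{ap.ssid}' uses {ap.encryption}"))
    return findings


# Constructed sample scan and inventory (not real data).
SAMPLE_SCAN = [
    AccessPoint("STORE-POS", "00:11:22:33:44:55", "WPA2"),    # fine
    AccessPoint("STORE-GUEST", "00:11:22:33:44:56", "WPA"),   # weak
    AccessPoint("Free WiFi", "de:ad:be:ef:00:01", "OPEN"),    # rogue
    AccessPoint("STORE-POS", "66:77:88:99:aa:bb", "WPA2"),    # impersonation
]
AUTHORIZED = {"00:11:22:33:44:55": "STORE-POS", "00:11:22:33:44:56": "STORE-GUEST"}

if __name__ == "__main__":
    for kind, bssid, msg in audit_wireless(SAMPLE_SCAN, AUTHORIZED):
        print(f"[{kind}] {bssid}: {msg}")
```

Run it on each scan (hourly, say) and feed the findings to the same logging solution the anti-virus logs go to, so a rogue device is noticed in hours rather than at the next quarterly walk-through.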
There are a few other important requirements that may affect certain level 4 merchants, especially those that develop their own applications. However, the majority of level 4 merchants use off-the-shelf applications, especially payment applications, and should work with those application vendors to address the particular changes in the requirements.
The changes in v2.0 are hardly bleeding edge, rather a small refinement in the evolution of the Data Security Standard. As a former colleague of mine put it, there is only “0.7.9 worth of changes”. Hardly revolutionary, merely evolutionary.
As always, if you have questions pertaining to the changes in the PCI DSS, consult with your preferred PCI vendor to ensure that changes being implemented address the intent of the requirements.
In business, the only thing more dangerous than not being there for customers is procrastination. It may seem odd that something so basic can really tear a business apart, but when procrastination is blended into the subject of PCI compliance, you can already see the potential for disaster.
You see, it’s human nature to put off things that are difficult. However, the Payment Card industry has set out a list of requirements that have to be followed. By missing those requirements, you could end up losing the ability to process payments — something that every company that really wants to make money has to have in place before they can actually court customers.
However, that future doesn’t have to be set in stone for your business. If you know that you tend to put off important decisions, then you might want a few PCI compliance tips specifically targeted towards procrastinators of all industries and walks of life.
The biggest tip that anyone can give a business owner who knows they have to work out issues with procrastination is to get someone knowledgeable on their side. The knowledge shouldn’t be just about PCI compliance, but about putting in automated systems that can handle the security side of your business while you worry about the profit side. This is the best way to go, and it’s the way that you should follow if you’re really serious about building in as much profit as possible in the long run — why not hit the ground running today?
Do you know who your PCI Approved Scanning Vendor (PCI ASV) is? If you’re like most business owners just really getting a grip on their security, chances are good that you might not know what a PCI ASV actually is. There’s nothing wrong with this, but you will need to get up to speed on exactly what a PCI ASV is and what they do for your business.
In a nutshell, a PCI approved scanning vendor is someone who can actually tell whether or not you’re within PCI compliance. This is important because a company must be a certified PCI ASV before it can declare whether or not you’re actually PCI compliant.
You don’t want to work with a company that has not taken the time to be properly designated with the title. If you’re in doubt of whether or not the security team that you’re working with actually carries this designation, you can check into their credentials yourself. As time passes, you’ll develop a relationship with one company that you can use for all of your PCI compliance needs.
Overall, it’s important to take the time to get a PCI approved scanning vendor on your side, for your company’s sake — why not start looking today?
Security and business go hand in hand — when you know that you want to build a successful business from the ground up, you have to start thinking about how you will protect it from any and all threats. Even if you’ve considered the physical security side of this, you will need to still think about the data security side of it.
Of course, it goes without saying that there are only so many hours in the day, which means that you have to think carefully about how to implement good security while still attending to all of the other demands of your business.
Thankfully, there is actually a solution — enter easyPCI, the automated way to handle security effortlessly within your company. Instead of having to worry constantly about how safe your system is, you can put your trust in the hands of easyPCI and let it handle the security requirements that govern the Payment Card Industry Data Security Standard, as well as just common sense security practices.
You can get a trained professional that is dedicated to not only installing easyPCI on your network, but handling all of the maintenance for you as well. This means that for one low monthly subscription, you can completely rest at ease knowing your security concerns are being handled — automatically, of course! Contact us today!