Charles Hoff, CEO and Co-Founder of PCI University, guest blogs today on the importance of choosing products, services and vendors that adhere to PCI Compliance standards. PCI University is a Bluefin partner, providing an innovative online platform geared towards helping Small and Mid-sized business owners and franchisors/franchisees understand the complex issues of PCI DSS in plain English.
The 2015 Esurance Super Bowl commercial featuring Breaking Bad’s Bryan Cranston proved to be not only one of the cleverest commercials shown during the game, but also one with far-reaching applications in many areas – including the field of Cybersecurity. In the commercial, a woman goes to her neighborhood pharmacy for a prescription refill. Instead of being greeted by her trusted pharmacist, Greg, she is met by actor Cranston’s infamous Breaking Bad alter ego, Walter White. The Walter White character, known for being a meticulous methamphetamine producer/dealer, tries to persuade the customer that he is “Sorta like Greg” since they are both over 50 and have a lot of experience with drugs/pharmaceuticals.
Just as there is no substitute for your trusted pharmacist, there is no “Sorta Greg” substitute for real-deal Cybersecurity service providers and products to safeguard merchants against data breaches. Here are the “sorta” things to watch out for:
POS Systems that are “Sorta” Compliant
It is critical that merchants only purchase Point of Sale (POS) systems that have been validated by the PCI Security Standards Council (SSC). Using a non-validated or older “legacy” system is asking for serious trouble, as these systems may lack proper security mechanisms and engage in prohibited and dangerous practices such as storing consumer cardholder information, i.e., magnetic stripe, card validation code or PIN block data.
For a payment application to be deemed Payment Application (PA) DSS compliant, the software must include 13 critical protections. The good news is that you can verify a POS sales representative’s claim that a POS system is “PCI compliant” simply by checking the PCI SSC site. We know that buying used POS systems may at first blush appear very economical – but it can cost you far more in the long run, given that you could be exposing your business and customers to a security breach. One further caveat: how you operate your validated POS system will determine whether it continues to be PCI compliant.
Managed Services that “Sorta” Protect Merchants from Breaches
I met with a restaurant franchisor recently who was excited about an offering their franchisees received from a card processor; the offering provided a means to protect each one of their franchisees from security breaches for only $20 a month. I did some due diligence and learned that all the franchisee operator would receive was a customer survey followed by only a cursory scan and a “wizard” to assist the franchisee in filling out an SAQ.
This “sorta” PCI managed service offering does nothing more than create a dangerous complacency and a false sense of security on the part of the franchisee, who is likely under the mistaken impression that they have checked off their PCI compliance box and are therefore protected from a breach. You can’t cut corners to safeguard your operation. A comprehensive and layered approach implementing EMV (Chip and PIN), P2PE (Point-to-Point Encryption), Tokenization and Employee Education/Awareness is required and will help companies avoid a damaging security breach.
Cybersecurity Insurance that “Sorta” Covers Breaches
There is no shortage of Cybersecurity insurance or “warranties” offered by data security insurers or companies. Make sure that a trusted broker or attorney presents you with a written evaluation of what is and is not covered under the policy. For instance, does your policy cover legal fees along with settlements and judgments, customer credit monitoring services, or the work of your public relations team to manage the damage to your company’s reputation? What about forensic audits, credit card fines and penalties, the cost to reissue new cards to your customers, credit card fraud chargebacks, and remediation service fees? Don’t be “sorta” covered for related breach damages – make certain that your policy coverage is comprehensive.
Consultants/Integrators that are “Sorta” Qualified to Help you with PCI Compliance
Although some PCI consultants may try to impress potential clients with an alphabet of acronyms after their names, it pays to understand what these acronyms stand for and which ones speak to certifications from the PCI SSC. The Council operates a number of programs that “train, test and certify organizations and individuals to assess and validate adherence to PCI Security Standards.” Spend some time on the PCI website to sort out the meaning and distinction between QSA, PA-QSA, ASV, ISA, QIR and PCIP programs. Learning the acronyms and meanings may seem like a daunting process but it will pay off for your business, as a poorly qualified consultant, integrator or installer can do much more harm than good.
“Sorta” Encryption Products that are not PCI-validated Point-to-Point Encryption (P2PE) Solutions
Although it would be nice to think that all payment encryption devices and solutions are created equal, the PCI SSC knows better, and they want merchants to be on their guard when considering encryption products. PCI SSC validated P2PE solutions encompass stringent device security, chain of custody, and strict controls, which lead to a reduced scope for the merchant’s PCI assessment. P2PE is different from end-to-end encryption (E2EE), which is not certified by the PCI SSC. Simply put, P2PE directly connects the point of interaction with the payment processing company, whereas E2EE only indirectly connects systems.
There is only a short list of SSC-approved and validated P2PE solutions, such as the one provided by Bluefin. The fact is that the bar is set extremely high by the PCI SSC, which imposes a very arduous and exacting approach that requires the vendor to expend a considerable amount of resources and technological expertise to obtain the coveted certification.
As is the case when confronted with any material risk or exposure to your business, do your homework and be sure that you’re not getting anything other than the “real” deal. No one wants the Cybersecurity equivalent of having Walter White filling their family’s drug store prescriptions.
Charles Hoff is the CEO and Co-Founder of PCI University, an innovative online platform geared towards helping Small and Mid-sized business owners and franchisors/franchisees to understand the complex issues of PCI DSS in plain English. PCI University’s patented and customizable PCI-Q assessment tool has been developed for non-technical users and its animated educational features are offered to card processor merchant customers as well as chain and franchise operators seeking to ensure PCI education and awareness across their enterprises.