Business and Operations
marketing insights: PCI compliance: Are you ready?
By Michelle Brisebois
It’s every retailer’s and customer’s nightmare. In March 2007, the public learned that computer hackers compromised at least 45.7 million credit and debit cards by infiltrating the network of TJX (the company that owns TJ Max and Marshall’s department stores in the United States).
It’s every retailer’s and customer’s nightmare. In March 2007, the
public learned that computer hackers compromised at least 45.7 million
credit and debit cards by infiltrating the network of TJX (the company
that owns TJ Max and Marshall’s department stores in the United
|With a little information and a good support system, you can make a relatively painless transition to a more secure payment system through PCI compliance.|
From July 2005 until the discovery in December 2006, the
thieves ran amuck in what was touted as a secure network. The hackers
managed to get their hands on information dating as far back as 2003.
It is also believed that the hackers had access to the decryption tool
for their encryption software, making PIN numbers, credit card numbers,
and any other unique identifiers easy to see. Legal documents also
reveal that another 455,000 customers who returned merchandise without
receipts had their driver’s licence numbers stolen. This and many other
security breaches have prompted the credit card companies to band
together to address security standards.
What’s been developed as a result of this breach has implications for
every retailer that takes any kind of card payment and the date of
reckoning is July 1, 2010. This is the date by which U.S. and Canadian
acquirers must ensure their merchants and agents only use PA-DSS
(Payment Application Data Security Standard) compliant payment
applications. Protecting yourself and your customers from theft sounds
harder than it is. With a little information and some well-crafted
support you can make your system much more secure.
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of requirements designed to ensure that ALL companies that process, store
or transmit credit card information maintain a secure
environment. Essentially any merchant of any size that has a Merchant
ID (MID) will be required to comply with these standards. If your
business takes any form of card payment, then these standards apply.
Don’t make the mistake of thinking that smaller businesses are immune
to being targeted – they’re often easy prey. Small merchants with fewer
than 20,000 transactions per year represent two-thirds of all Visa
transactions, and more than 99 per cent of all the merchants that
accept Visa. Many small businesses don’t realize that their POS systems
are storing the sensitive information loaded on the magnetic strip of
consumer debit and credit cards. This information is a windfall for
thieves. Firewalls are weak or non-existent and hackers can have their
way with the data for months before they’re detected.
Typically, card companies pick up on suspicious activity and then
notify the acquiring bank, which functions as the middle man between
the merchant and the card company. The merchant is often on the hook
for the fraudulent transaction and possibly subject to additional fines
for not being PCI compliant. These unexpected costs can add up to such
a significant bill that merchants can be snuffed out overnight.
All merchants fall into one of four levels, with varying degrees of
obligation under the PCI standard. You will be considered a level one
merchant if you process more than six million card transactions a year,
if you have had a security breach in the past or if for some other
reason you are deemed to be at high risk for a breach. A level one
merchant must submit to an external audit and quarterly scans of its
data security systems.
Level two merchants process one million to six million payment card
transactions per year and an annual PCO self-assessment questionnaire
and quarterly network scans must be performed by level two merchants or by independent approved scan vendors.
Level three and four merchants process fewer than one million
transactions per year and must follow the same protocol as level two
merchants to be compliant. If your business does suffer a breach of
security and you have taken the steps to become compliant and followed
the required documentation procedure, then you could save both money in
fines and your reputation with your customers. Compliance isn’t hard to
Five steps to compliance
Start by downloading a copy of the questionnaire so you can see exactly
what security measures will be expected of you. You can find copies of
the questionnaire on MasterCard and Visa websites as well as at
There are five versions of the questionnaire and what you use depends
on what kind of credit card processors you have (online, phone or
Secondly, retailers will need to get a free scan from approved scanning
vendors. Scan results will include a list of vulnerabilities ranging
from none to urgent. Those vulnerabilities ranked at severity levels of
three (high), four (critical) and five (urgent) will be reported on
your free scan and must be fixed. Make sure you call a scanning vendor
that is on the approved list in order to avoid allowing thieves into
your system under the guise of compliance testing. Submit the proof of your passing scan to your acquiring bank.
The third step to compliance is to take steps to address any
weaknesses. If the list of your store’s vulnerabilities from your free
scan is too long, consider switching to an off-site, third-party credit
card processor such as PayPal.
The fourth step may be to hire a Qualified Security Assessor (QSA) to
help you address your list of vulnerabilities. QSAs are certified by
the PSI Security Standards Council to help merchants become compliant.
Lastly, continue to be diligent. It’s a given that these thieves won’t
just roll over and become moral overnight because card companies, banks
and retailers decide to step up their game. As we get savvier, so will
the crooks. The best defence is a good offence, so know what
information your system stores and if you don’t need it, get rid of it.
If you do need it, guard it closely. After all, it’s not just your
profitability that’s at stake, it’s your reputation.
Michelle Brisebois is a freelance writer and marketing professional
with experience in the food, pharmaceutical, financial services and
wine industries. She specializes in retail brand strategies.
|Areas for regular review|
|•||Immediately change default passwords when installing any program|
|•||Have vulnerable portions of programs removed if not needed|
|•||Do not store unnecessary cardholder data on your site|
|•||Check security bulletins for SQL Injection warnings before installing a new program|
|•||Keep software up to date with all patches and upgrades|
|•||Use activity logging on your online store files|
|•||Check log files for suspicious activity that you did not authorize|
|•||Do regular vulnerability scans, even if you are not required|
|•||Use a firewall and secure encryption|
|•||Use and keep up-to-date anti-virus, anti-spyware and anti-adware programs|
|•||Create an Information Security Policy for employees and contractors|
|•||Shred paper documents containing credit card information|