When it comes to safeguarding your business, begin with one assumption - you have already been breached.
As another year passes, the state of credit card processing security in general remains bleak.
On December 1st, 2014, the Privacy Rights Clearinghouse (www.privacyrights.org)reported that within the retail and restaurant business type, 40 major breaches with over 58 million stolen records have occurred year-to-date. While these breach numbers are astounding, even more so is the additional 225 reported cases in which 8 million more records were hijacked via small business operations. Further, consider that these large numbers represent only a fraction of the total breaches and records stolen as most go unreported to the public. Any businesses who accept credit or debit cards as a method of payment, are a potential breach source. As the sophistication of malware increases, more smaller businesses become vulnerable.
One of the most significant barriers to cardholder data protection is that business owners are generally still confused regarding what ‘PCI’ is and how to become ‘PCI compliant’. I often run across business owners who believe that their business is ‘PCI compliant’. To that response I ask to see a copy of this year’s SAQ. The reply I almost always receive in turn is, "What is a SAQ?" A plethora of acronyms and fine print being added to processing agreements and industry banter has not served to clarify the situation for business owners.
PCI EXPLAINED
In September of 2006, American Express, Discover, MasterCard, Visa and JCB came together to create the Payment Card Industry Security Standards Council (PCI SSC), most often referred to as ‘PCI’. The purpose of this new, independent counsel is to standardize data security for credit card processing merchants with the goal of reducing fraud. Realizing that one set of rules would not appropriately serve all, merchants were categorized into four different levels based on number of card transactions in a given year.
THE SAQ
Annually, all merchants are required to perform a business-wide security assessment. There are different versions of the assessment depending on the volume of the business’s credit card processing. Level 1 Merchants are businesses with the highest level of processing, greater than 6 million Visa or 2.5 million American Express transactions per year. Level 1 Merchants are required to hire an outside Qualified Security Assessor (QSA) who is responsible for creating a Report of Compliance (ROC). The vast majority of retail and hospitality entities are categorized as Level 4 where the processing must only stay below 1 million Visa transactions per year and/or fewer than 20,000 Visa e-commerce transactions. These business are required to complete the Self Assessment Questionnaire (SAQ) annually. Additionally, the PCI SSC requires all businesses to have their network firewall ports scanned by an Approved Scanning Vendor (ASV), to insure outside network access is blocked.
TOOLS TO STEAL
Malware is a software program that is designed to infiltrate a computer system in order to steal, manipulate and or destroy data. Such programs are becoming more stealthy, able to enter computer systems via attachment on an email, by USB key inserted into a port or even by a cell phone plugged into a computer for charging purposes. The majority of the credit card data breaches over the last two years have been blamed on malware intrusion. Typically, a credit card is swiped via a magnetic swipe card reader, where the data enters the point-of-sale terminal unencrypted. Data encryption is typically the responsibility of the point of sale software. However the data travels thru the computer hardware and into the computer’s software operating system before it is accessed by the point of sale software, encrypted and transmitted to the acquiring credit card processor. These malicious software programs "scrape memory", recording and storing the credit card data swiped before the data can be encrypted by the point-of-sale software.
BEST PRACTICES
To date, it is not possible to prevent a malware program from infecting your system. However, there is one, and only one way, a business can protect itself and prevent malware from doing it’s job. The solution is Point-to-Point Encryption (P2PE), a combination of hardware and software technology in which credit card data is encrypted within a chip in the magnetic swipe reader prior to reaching the point-of-sale terminal. The encrypted data from the reader then safely passes through system, whether infiltrated by malware or not, and continues on to the credit card processing company where it is decrypted behind their firewall. Companies like Magtek® and IDTech® have both created swipe read heads that encrypt data utilizing 3DES encryption technology, meaning the data is not encrypted once but ciphered three times. No readable data is available from the time the card is swiped to when it lands with the processor, preventing thieves from stealing and accessing your customers’ credit card accounts.
EMV EXPLAINED
P2PE should not be confused with another security technology that is currently the buzz of the U.S. news media - EMV. The acronym EMV stands for the three credit card brands that developed this security standard - Eurocard, MasterCard and Visa. This technology was first created and released into the European marketplace in the 1990s. A debit or credit card with EMV includes a computer chip that is embedded into the plastic card. A card inserted into an EMV chip reading port 'interrogates' the chip, creating a token that identifies the card as legitimate. This token, along with the credit card’s data, is then forwarded to the credit card processing company for approval. It is important to note that the purpose of EMV is only to authenticate a credit card. The integrated security chip significantly increases the pain and cost of recreating a counterfeit card, thus devaluing the stolen credentials. However all of the account information still remains exposed via the magnetic stripe which will still be found on the back of the card. Only just recently are U.S. banks issuing new credit and debit cards with this security chip and the first disbursement wave is being issued to customers with known international travel needs and history.
EMV marks itself as an important security feature for reducing acceptance of a stolen card but by no means is a replacement for P2PE as a method preventing data breach. This is a critical point to understand as publicity and angst grows with the “EMV mandate” on October 15th of 2015. It’s also important to understand that this new regulation is actually a liability shift mandate, not a hardware requirement. Merchants will become liable for any counterfeit credit cards transaction when accepted through a point-of-sale terminal that did not utilize EMV, but a merchant will only be liable for that single fraudulent transaction and its dollar amount.
CONFIRMING PROTECTION
As discussed, P2PE is the only method by which to protect your business and your customers’ credit card data from a point of sale system breach. Start your own security assessment by asking your point of sale provider and credit card processing company for confirmation that P2PE is in place with your system. As with any business or insurance action, this assurance is always best received in writing. However you do not have to take their word for it. On any Windows-based point-of-sale system, you can self-test for P2PE. Simply, connect a USB keyboard to a touchscreen terminal, depress the Windows logo button, and start the WordPad program found under Programs. With WordPad running on the screen, swipe a credit card through your credit card reader. If track data appears, such as the first and last name of the cardholder, your system is not P2PE encrypted.
This article is part 1 of a 3 part series on processing security for the point-of-sale industry. In coming articles, we will discuss rogue employees as another threat to security and the true cost of a data breach for a small business.
Lance Bell is the President and CEO of ServingIntel, Inc., a hospitality and retail technology company internationally headquartered in Chicago, IL. Bell has 8 years of experience as a restaurant operator and owner, and 18 years of experience as a leader in the hospitality and retail technology industry.
