Today in the Wall Street Journal, there is an article regarding credit-card security failures. Despite passing certification for the PCI Data Security Standard, several major companies had security breaches. Though we work with small businesses, I am not surprised even large ones fall victim when relying on PCI DSS alone. In my experience, PCI DSS often misses key security issues when dealing with credit card data.
Encrypt, Encrypt, Encrypt
Apparently, Hannaford Bros, a New England supermarket chain, passed their PCI compliance test and received their certificate on Feb. 27th. This was on the same day their credit card processor informed them of a security breach and that they may have lost more than 4.2 million customers records. Okemo also lost customer data.
At both Hannford and Okemo, the problem was an malicious virus installed inside of the network. The PCI standards mandates that all data sent over public networks be encrypted but does not require this for internal or private networks.
If the data had been encrypted from the moment it was captured, this would not have happened. This is security 101.
Small Business Impact
Large companies are often highlighted when security breaches involving customer data develop; however, small business are just as easily targeted. Just because you may have passed your PCI scan required by your processor does not mean your security responsibilities are complete.
PCI is just a start. We often help people pass their scans but we never look into their code or how they are storing their customer information. To keep your customer data secure, you must examine how you handle your client’s information from end to end. The PCI scan assures that basic server security is in place but if your desktop is not running current anti-virus software, then you open a path for attack.
Some key elements we recommend:
- Encrypt sensitive data when possible.
- Use secure transmissions protocols (HTTPS/SSL/SMTP over SSL)
- Don’t store data you do not need.
- Limit access to the data.
- Maintain a secure desktop.
- Enforce safe browsing habits.
These are just some things to consider.
At rackAID we implement all of these systems. When we collect credit card information it is done via a HTTPS link. The data is then immediately encrypted and securely transmitted to our office. Once at our office the data is only stored as long as necessary before it is deleted. Only certain staff members have access to the data and all of those staff undergo background checks. We use FireFox almost exclusively and do not click on suspect links. We also run desktop level firewalls and anti-virus/anti-spyware on all systems. At the gateway we also run additional security measures.
Take Home Message
If you are collecting credit card data online or in your business, review your security operations. Make sure you are taking care of your customer’s data. Major corporations often carry insurance and have the ability to withstand such a security breach. For a small business, losing your clients credit card data could be a death sentence.