Top 5 Questions You Should Ask Before Letting Firms Process Your Credit Cards

February, 2015

By Bob Youakim

Editor’s note: This article, written as a blog post, was featured late last year on LinkedIn’s Information Security section. JVH

Target. Home Depot. Jimmy John’s. Staples. UPS. Michaels. P.F. Chang’s. What do these businesses, ranging across a variety of industries, all have in common?

It’s not increased earnings. These companies made headlines for their struggles with data breaches that exposed customers’ personal information, including credit card and Social Security numbers, and more.

In the parking industry, it hit even closer to home with companies such as SP+ and DataPark getting hacked and exposed. No matter what your line of business, or whether you’re a business owner or customer, these aren’t the headlines you want to read.

The scary thing is that many of these businesses had credit card information stolen despite having undergone the industry standard compliance process known as Level 1 PCI-DSS, or Payment Card Industry Data Security Standard. These security failures suggest that certification [alone] is not enough to prevent a cyber-attack.

Certainly, having an independent body such as PCI to set and govern the standards that protect credit card security is valuable, worthwhile and a step in the right direction. However, having gone through the process from both sides (as a former auditor and with [my company, Passport Parking] obtaining compliance), I am concerned that this certification is marketed as protecting consumer credit card information and preventing fraud.

The PCI standard is a good framework to follow, but relying on quarterly or annual audits and testing as the only security measures won’t cut it these days. That is the bare minimum. You need to get [reassurance] that those firms have an on-going process in place if you want to avoid the bad press and red tape that so many other companies have experienced.

Think Like a Criminal

At Passport, we not only go through the process of PCI-DSS Level 1 compliance, but we also work with “ethical hackers” to help us think like criminals and try to break into our systems. We like to call this “PCI Plus,” since we are going above and beyond to protect the core of our company.

This is part of safely and securely doing business today, and gives our team and our customers the peace of mind they need when handling credit card information.

Companies absolutely have to make security a part of their everyday operations and continue to monitor for the latest malware and other malicious activity.

Following are five key questions to ask before engaging with an outfit that processes credit cards:

1. Will my data be encrypted from end-to-end?

Understanding the flow of the credit card data from the moment a card is swiped or entered to the time it hits the bank will give you an idea of the potential exposure points in the process. Ask your vendor to provide you with detailed diagrams explaining the data flow and how the data are transferred. If they can’t answer this question, move on in your search.

2. Does your firm have a dedicated security professional?

If the answer is “yes,” this will help you assess the risk profile for the firm and give you greater confidence in their security and monitoring systems. Additionally, ask how many people in the firm have access to the environment where the credit cards are stored.

3. Will your company share its latest “Report on Compliance”?

Firms can be certified as PCI compliant and still have open vulnerabilities. You should find out what the firm did to remediate any findings from the report and what it is doing to ensure that the risk has actually been eliminated.

4. Where are your data stored?

Location, location, location! Knowing whether they use company-hosted servers or a “cloud” computing service such as Amazon Web Services is crucial to understanding the overall process and data exchanges. This is especially important when there is an international component, since information may cross borders and you need to be sure the applicable regulations are followed.

5. Which Qualified Security Assessor (QSA) conducted the PCI-compliance audit?

Determine how many audits the QSA performs in a given year, whether it has qualified personnel to conduct them, and whether any of the firms it has audited have been breached. Again, this information will help you make a better decision when it comes to sharing your information.

Companies today can offer incredible services, products and programs, but if they are processing or storing your credit card data, then it only makes sense to ensure that the company has the proper foundation to handle your credit cards.

The answers to the above five questions can reveal either potential gaps in a vendor’s security or a solid company you can work with and share your business with.

When your company makes the news for all the right reasons, it can bolster sales and customer loyalty. On the other hand, when headlines focus on a recent security breach at your company, it can erode customer trust and business for weeks, months and even years to come.

Bob Youakim, Founder and Managing Partner of Passport Parking, can be reached at robert.youakim@passportparking.com.
