Preventing. Payment Card Fraud. Is your business protected?

Transcription

1 BY TROY HAWES Preventing Payment Card Fraud Is your business protected? AT A GLANCE + The theft of credit card payment data by hackers is not limited to large corporations. + Many smaller companies fall prey to data thieves because they don t use proper security controls. + This can be avoided by complying with the Payment Card Industry Data Security Standard (PCI DSS). + The PCI DSS increases controls around cardholder data and provides a framework for preventing, detecting and reacting to security deficiencies. heft of payment card data is a major problem worldwide, and it's getting worse. Most merchants assume the risks lie with large corporations; however, statistics show that small and midsize merchants are at even greater risk. This is mostly because smaller merchants don t always implement the security controls necessary to protect sensitive customer data. While we haven t yet seen a large number of reported breaches in the wine industry, wineries increasing use of e-commerce will require even more diligence in securing credit card data. A study issued in February 2013 revealed that 78% of all breaches involving personal information and credit cards in 2012 occurred in the retail, food and beverage, and hospitality businesses mainly because these industries have similar network layouts and payment systems and often use the same software vendors. You may have heard of some of the recent major security incidents, such as the data breach at Global Payment Systems, a payment card processing company from which hackers exported up to 7 million credit card numbers in 2012, or the theft at TJX, the parent company of T.J. Maxx, Marshalls and other retail- Photo: Thinkstock 82 VINEYARD & WINERY MANAGEMENT Sept - Oct

2 ers, of 45 million credit and debit card account numbers. However, a number of smaller businesses have experienced similar breaches, including: + In January 2013, the E.J. Phair Brewing Company reported that a hacker had managed to access customer credit and debit cards once they d been run through the brewery s payment system. + In July 2012, oregonwine.com reported that 1,313 user names and passwords were stolen and posted publicly. + In December 2012, Sunview Vineyards reported the theft of an unencrypted laptop, which resulted in the exposure of employees confidential personal information. + In November 2011, winelibrary. com was hacked, possibly exposing customers credit card data. The breach was traced back to hackers in China. PROTECTING YOUR BUSINESS How can you protect your company from payment card fraud? By ensuring it complies with the Payment Card Industry Data Security Standard (PCI DSS). Created in 2006 by Visa, MasterCard, American Express, JCB and Discover, the standard increases controls around cardholder data and provides a framework for developing a robust process to prevent, detect and react to security deficiencies. Its requirements include: Goals Build and maintain a secure network. Protect cardholder data. Maintain a vulnerability management program. Implement strong access-control measures. Regularly monitor and test networks. Maintain an information security policy. that don t demonstrate compliance. You re required to comply with the PCI DSS if you accept debit or credit cards at your winery for things such as: + Tasting room and event activities + Retail store sales + Online sales + Wine club sales + Winery or vineyard tours Failure to comply with the standard can result in serious and longterm negative consequences for PCI DSS Requirements Install and maintain a firewall configuration to protect cardholder data. Don t use vendor-supplied defaults for system passwords and other security parameters. Protect stored data. Encrypt transmissions of cardholder data across open public networks. Use and regularly update antivirus software. Develop and maintain secure systems and applications. Restrict access to cardholder data by business need-to-know. Assign a unique ID to each person with computer access. Restrict physical access to cardholder data. Track and monitor all access to network resources and cardholder data. Regularly test security systems and processes. Maintain a policy that addresses information security for all personnel. The PCI DSS applies to all organizations that store, process or transmit cardholder data. Compliance is mandatory, and individual payment brands may impose financial or operational penalties on businesses your business, including monetary fines and loss of card-processing privileges. There s also the potential cost of losing customers and fixing the damage to your business' reputation. In addition to Sept - Oct 2013 VINEYARD & WINERY MANAGEMENT 83

3 deterring identity theft and protecting your customers, PCI DSS compliance can: + Enhance security controls in other areas of the business + Mitigate risks associated with technology and operations + Protect against negative press associated with data-security breaches + Ensure continued customer confidence in your payment process WHERE TO START Depending on the volume of card transactions and the nature of your business, the PCI DSS requires a compliance self-assessment or an independent audit by a qualified firm. To ensure ongoing compliance, merchants must meet a set of validation requirements that are reported to their acquiring bank. The validation steps and rules for assigning merchant levels vary somewhat by payment brand and your payment card environment. You can obtain your exact compliance requirements from your payment brand or bank. In the meantime, here are the basic steps to getting started: 1. Discover. Identify cardholder data and take inventory of your IT assets and business processes for payment card processing. 2. Map. Trace the flow of your card-processing environment from beginning to end. Note all systems that store, process or transmit cardholder data. 3. Assess. Analyze and assess all systems identified during the discovery and mapping processes for vulnerabilities that could expose cardholder data. Classify and rank the severity of the vulnerabilities found. 4. Remediate. Fix vulnerabilities and ensure only required cardholder data is stored. Don t store cardholder data if it s not needed. Prioritize remediation efforts on the highestrisk vulnerabilities. 5. Report. Submit remediation validation records and compliance reports to the bank and card brands with which you do business. PCI BEST PRACTICES As you work through your PCI compliance efforts, follow these best practices to help mitigate the risk of a data breach and promote safe handling and processing of credit card data: Know what, and what not, to store. Don t store full magnetic stripe or CVV2, CVC2 or CID data OZONE TECHNOLOGY FOR SANITIZATION Ozone sanitization saves water, energy, time and money. Winemaking Applications: Barrel sanitizing Surface and equipment sanitization Tank sanitizing Clean-in-place (CIP) of process and transfer piping Claristar - A Natural Solution for Tartrate Stability (KHT). Available exclusively from Scott Laboratories. Complete integrated, centralized ozone systems and portable carts for wineries. Pacific Ozone your ozone technology partner. (707) TM Simple Proven Ozone Technology info@scottlab.com 84 VINEYARD & WINERY MANAGEMENT Sept - Oct

4 Log application and system activity. Log all cardholder data user access activities and tie those activities to a unique individual or system. Review system and security logs regularly. Develop secure applications. Use secure coding techniques based on OWASP guidelines. Protect wireless transmissions. Wireless transmissions of cardholder data should be encrypted, over both public and private networks. Safe handling and processing of credit card information requires adherence to security best practices. Photo: Thinkstock Choose the right software vendor. Vendors should have processes in place to identify security exploitations, test their applications for vulner- after payment card authorization is complete. Specifically, subsequent to authorization, service codes and discretionary data must be removed; however, account number, expiration date and name may be extracted and retained. PIN blocks must never be retained, even if encrypted, after verification of a transaction. This includes no storage in databases, flat files, logs, etc. Consider all possible locations for potential data storage. Protect stored data. The payment application should purge cardholder data temporarily stored by the application during processing. Stored cardholder data, specifically account numbers, should be encrypted, with strong encryption such as Triple-DES or AES. (This applies to anywhere cardholder data is stored, even outside the payment application). Make sure to protect the encryption keys used to encrypt card data. Provide secure password features. Systems, applications, PCs and servers should require a user name and complex password for all administrative access and access to cardholder data and payment applications. Make sure to encrypt application passwords. info@arsenterprises.com Available from ARS/Pressure Washer Company COLD SHOT CHILLERS FAX: (800) NEW & USED UNITS AVAILABLE All Major Credit Cards Accepted Low Temperature Glycol Chillers Custom Designed Cooling Applications from 2 to 100 Tons Most Machines Shipped in 2 Weeks or Less 5 Year Compressor Warranty Providing Cooling Solutions for 30+ Years Free Technical Support 24/7/ Sept - Oct 2013 VINEYARD & WINERY MANAGEMENT 85

5 abilities and develop timely security patches and upgrades. Establish policies and procedures. Codify limits to the storage and retention time of PCI data and document an IT security policy and incident response plan. Facilitate secure network implementation. The payment application shouldn t hinder your ability to implement it into a secure network environment. Nor should it interfere with use of network address translation, port address translation, traffic filtering network devices, antivirus protection or encryption. Don t store cardholder data on Internet-facing systems. The payment application shouldn t require that the database and web servers be on the same server or in the DMZ (perimeter network) with the web server. Facilitate secure remote access to the cardholder environment. Access should be authenticated using a two-factor mechanism, such as RADIUS or TACACS, with hardware tokens. Encrypt sensitive traffic over public networks. Use encryption techniques (such as Secure Socket Layer) when transmitting sensitive data over the Internet. Of course, given that the risks associated with not fully complying with the PCI DSS are high, it might be wise to retain a qualified security assessor (QSA), authorized by the PCI DSS governing body, to assess and validate your compliance. QSAs can provide many services, including a report on PCI DSS compliance or an attestation on compliance for a higher level of assurance; external network secu- rity scanning; penetration testing to assess vulnerabilities exposed to attack by hackers; self-assessment questionnaire assistance that helps internal audit staff assess systems and correct deficiencies; and remediation services that help fix known problems or security breaches. You can find more information on the PCI DSS on the PCI Council s website ( or by talking with your card processor or bank. Troy Hawes is a manager at Moss Adams LLP, one of only 309 companies in the world to be certified as a QSA. Hawes provides IT consulting and audit services to a wide range of clients in the retail and hospitality industries. You can reach him at (206) or troy.hawes@ mossadams.com. Comments? Please us at feedback@vwmmedia.com. 86 VINEYARD & WINERY MANAGEMENT Sept - Oct