Preventing Payment Card Fraud: Is your business protected?


BY TROY HAWES
VINEYARD & WINERY MANAGEMENT, Sept - Oct 2013, www.vwmmedia.com

AT A GLANCE
+ The theft of credit card payment data by hackers is not limited to large corporations.
+ Many smaller companies fall prey to data thieves because they don't use proper security controls.
+ This can be avoided by complying with the Payment Card Industry Data Security Standard (PCI DSS).
+ The PCI DSS increases controls around cardholder data and provides a framework for preventing, detecting and reacting to security deficiencies.

Theft of payment card data is a major problem worldwide, and it's getting worse. Most merchants assume the risks lie with large corporations; however, statistics show that small and midsize merchants are at even greater risk. This is mostly because smaller merchants don't always implement the security controls necessary to protect sensitive customer data. While we haven't yet seen a large number of reported breaches in the wine industry, wineries' increasing use of e-commerce will require even more diligence in securing credit card data.

A study issued in February 2013 revealed that 78% of all breaches involving personal information and credit cards in 2012 occurred in the retail, food and beverage, and hospitality businesses, mainly because these industries have similar network layouts and payment systems and often use the same software vendors.

You may have heard of some of the recent major security incidents, such as the data breach at Global Payment Systems, a payment card processing company from which hackers exported up to 7 million credit card numbers in 2012, or the theft at TJX, the parent company of T.J. Maxx, Marshalls and other retailers, of 45 million credit and debit card account numbers. However, a number of smaller businesses have experienced similar breaches, including:
+ In January 2013, the E.J. Phair Brewing Company reported that a hacker had managed to access customer credit and debit cards once they'd been run through the brewery's payment system.
+ In July 2012, oregonwine.com reported that 1,313 user names and passwords were stolen and posted publicly.
+ In December 2012, Sunview Vineyards reported the theft of an unencrypted laptop, which resulted in the exposure of employees' confidential personal information.
+ In November 2011, winelibrary.com was hacked, possibly exposing customers' credit card data. The breach was traced back to hackers in China.

PROTECTING YOUR BUSINESS

How can you protect your company from payment card fraud? By ensuring it complies with the Payment Card Industry Data Security Standard (PCI DSS). Created in 2006 by Visa, MasterCard, American Express, JCB and Discover, the standard increases controls around cardholder data and provides a framework for developing a robust process to prevent, detect and react to security deficiencies. Its requirements include:

Goals and PCI DSS Requirements

Build and maintain a secure network.
+ Install and maintain a firewall configuration to protect cardholder data.
+ Don't use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data.
+ Protect stored data.
+ Encrypt transmissions of cardholder data across open public networks.

Maintain a vulnerability management program.
+ Use and regularly update antivirus software.
+ Develop and maintain secure systems and applications.

Implement strong access-control measures.
+ Restrict access to cardholder data by business need-to-know.
+ Assign a unique ID to each person with computer access.
+ Restrict physical access to cardholder data.

Regularly monitor and test networks.
+ Track and monitor all access to network resources and cardholder data.
+ Regularly test security systems and processes.

Maintain an information security policy.
+ Maintain a policy that addresses information security for all personnel.

The PCI DSS applies to all organizations that store, process or transmit cardholder data. Compliance is mandatory, and individual payment brands may impose financial or operational penalties on businesses that don't demonstrate compliance. You're required to comply with the PCI DSS if you accept debit or credit cards at your winery for things such as:
+ Tasting room and event activities
+ Retail store sales
+ Online sales
+ Wine club sales
+ Winery or vineyard tours

Failure to comply with the standard can result in serious and long-term negative consequences for your business, including monetary fines and loss of card-processing privileges. There's also the potential cost of losing customers and fixing the damage to your business' reputation. In addition to deterring identity theft and protecting your customers, PCI DSS compliance can:
+ Enhance security controls in other areas of the business
+ Mitigate risks associated with technology and operations
+ Protect against negative press associated with data-security breaches
+ Ensure continued customer confidence in your payment process

WHERE TO START

Depending on the volume of card transactions and the nature of your business, the PCI DSS requires a compliance self-assessment or an independent audit by a qualified firm. To ensure ongoing compliance, merchants must meet a set of validation requirements that are reported to their acquiring bank. The validation steps and rules for assigning merchant levels vary somewhat by payment brand and your payment card environment. You can obtain your exact compliance requirements from your payment brand or bank. In the meantime, here are the basic steps to getting started:

1. Discover. Identify cardholder data and take inventory of your IT assets and business processes for payment card processing.
2. Map. Trace the flow of your card-processing environment from beginning to end. Note all systems that store, process or transmit cardholder data.
3. Assess. Analyze and assess all systems identified during the discovery and mapping processes for vulnerabilities that could expose cardholder data. Classify and rank the severity of the vulnerabilities found.
4. Remediate. Fix vulnerabilities and ensure only required cardholder data is stored. Don't store cardholder data if it's not needed. Prioritize remediation efforts on the highest-risk vulnerabilities.
5. Report. Submit remediation validation records and compliance reports to the bank and card brands with which you do business.

PCI BEST PRACTICES

As you work through your PCI compliance efforts, follow these best practices to help mitigate the risk of a data breach and promote safe handling and processing of credit card data:

Know what, and what not, to store. Don't store full magnetic stripe or CVV2, CVC2 or CID data after payment card authorization is complete. Specifically, subsequent to authorization, service codes and discretionary data must be removed; however, account number, expiration date and name may be extracted and retained. PIN blocks must never be retained, even if encrypted, after verification of a transaction. This includes no storage in databases, flat files, logs, etc. Consider all possible locations for potential data storage.

Protect stored data. The payment application should purge cardholder data temporarily stored by the application during processing. Stored cardholder data, specifically account numbers, should be encrypted, with strong encryption such as Triple-DES or AES. (This applies to anywhere cardholder data is stored, even outside the payment application.) Make sure to protect the encryption keys used to encrypt card data.

Provide secure password features. Systems, applications, PCs and servers should require a user name and complex password for all administrative access and access to cardholder data and payment applications. Make sure to encrypt application passwords.

Log application and system activity. Log all cardholder data user access activities and tie those activities to a unique individual or system. Review system and security logs regularly.

Develop secure applications. Use secure coding techniques based on OWASP guidelines.

Protect wireless transmissions. Wireless transmissions of cardholder data should be encrypted, over both public and private networks.

Photo caption: Safe handling and processing of credit card information requires adherence to security best practices.

Choose the right software vendor. Vendors should have processes in place to identify security exploitations, test their applications for vulnerabilities and develop timely security patches and upgrades.

Establish policies and procedures. Codify limits to the storage and retention time of PCI data and document an IT security policy and incident response plan.

Facilitate secure network implementation. The payment application shouldn't hinder your ability to implement it into a secure network environment. Nor should it interfere with use of network address translation, port address translation, traffic filtering network devices, antivirus protection or encryption.

Don't store cardholder data on Internet-facing systems. The payment application shouldn't require that the database and web servers be on the same server or in the DMZ (perimeter network) with the web server.

Facilitate secure remote access to the cardholder environment. Access should be authenticated using a two-factor mechanism, such as RADIUS or TACACS, with hardware tokens.

Encrypt sensitive traffic over public networks. Use encryption techniques (such as Secure Socket Layer) when transmitting sensitive data over the Internet.

Of course, given that the risks associated with not fully complying with the PCI DSS are high, it might be wise to retain a qualified security assessor (QSA), authorized by the PCI DSS governing body, to assess and validate your compliance. QSAs can provide many services, including a report on PCI DSS compliance or an attestation on compliance for a higher level of assurance; external network security scanning; penetration testing to assess vulnerabilities exposed to attack by hackers; self-assessment questionnaire assistance that helps internal audit staff assess systems and correct deficiencies; and remediation services that help fix known problems or security breaches. You can find more information on the PCI DSS on the PCI Council's website (www.pcisecuritystandards.org) or by talking with your card processor or bank.
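Three of the best practices above (know what, and what not, to store; protect stored data; log application and system activity) fit together in one small program. The following Go code is an added example written for this edit, not code from the article, from Moss Adams or from any payment application vendor. It assumes the ISO 7813 Track 1 layout %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?, a constructed sample swipe built on the widely used Visa test number 4111111111111111 (not real cardholder data), and a caller-supplied 32-byte AES key standing in for a key store; masking the account number down to its last four digits in the log line is an added practice rather than something the article spells out. The parser copies out only the account number, expiration date and name, the service code and discretionary data are never retained, the account number is stored only as AES-GCM ciphertext, and every access is logged against a named user with the masked number.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// CardRecord holds the only fields the article allows to be kept after authorization.
type CardRecord struct {
	PAN, Expiry, Name string // Expiry is YYMM as carried on the stripe
}

// ParseTrack1 reads an ISO 7813 Track 1 string, %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?,
// and copies out only the retainable fields; the service code and discretionary data are skipped.
func ParseTrack1(track string) (CardRecord, error) {
	if !strings.HasPrefix(track, "%B") || !strings.HasSuffix(track, "?") {
		return CardRecord{}, errors.New("track 1: missing start or end sentinel")
	}
	fields := strings.Split(track[2:len(track)-1], "^")
	if len(fields) != 3 || len(fields[2]) < 7 { // YYMM plus a 3-digit service code at minimum
		return CardRecord{}, errors.New("track 1: expected PAN^NAME^YYMM+service code+discretionary data")
	}
	pan, name, additional := fields[0], fields[1], fields[2]
	if len(pan) < 13 || strings.Trim(pan, "0123456789") != "" {
		return CardRecord{}, errors.New("track 1: PAN is not a plausible digit string")
	}
	return CardRecord{PAN: pan, Expiry: additional[:4], Name: name}, nil
}

// MaskPAN renders a PAN for screens and logs: only the last four digits survive.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// newGCM builds AES-256-GCM from a caller-supplied key; in a real deployment the
// key lives in a key store or HSM, never beside the card data it protects.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN seals the PAN and returns nonce||ciphertext||tag for storage.
func EncryptPAN(key []byte, pan string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// DecryptPAN reverses EncryptPAN and fails closed if the stored blob was altered.
func DecryptPAN(key, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	plain, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// AccessLogLine ties a cardholder-data access to a named user and carries only
// the masked PAN, so the audit trail never becomes another store of card data.
func AccessLogLine(at time.Time, userID, action, pan string) string {
	return fmt.Sprintf("%s user=%s action=%s pan=%s",
		at.UTC().Format(time.RFC3339), userID, action, MaskPAN(pan))
}

func main() {
	// Constructed sample swipe built on the Visa test number; not real cardholder data.
	rec, err := ParseTrack1("%B4111111111111111^DOE/JANE^2512101123456789?")
	if err != nil {
		panic(err)
	}
	key := make([]byte, 32) // stand-in for an AES-256 key fetched from a key store
	rand.Read(key)
	blob, _ := EncryptPAN(key, rec.PAN)
	fmt.Printf("retained name=%s expiry=%s pan=%s; %d encrypted bytes stored\n", rec.Name, rec.Expiry, MaskPAN(rec.PAN), len(blob))
	fmt.Println(AccessLogLine(time.Now(), "clerk-042", "lookup", rec.PAN))
}
```

The point of the design is that the fields the article says must be removed never reach a variable that outlives the parse call, so there is nothing to purge later; the one field that must survive, the account number, exists in the clear only inside the process and is written out as authenticated ciphertext, and a corrupted or truncated blob is rejected rather than decrypted to garbage.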
Troy Hawes is a manager at Moss Adams LLP, one of only 309 companies in the world to be certified as a QSA. Hawes provides IT consulting and audit services to a wide range of clients in the retail and hospitality industries. You can reach him at (206) 302-6529 or troy.hawes@mossadams.com.

Comments? Please e-mail us at feedback@vwmmedia.com.