Blog

PCI Data Security: The #1 Misconception That Can Harm Your Business and Its Reputation

There’s a common misconception about PCI compliance, that, if not addressed, can seriously harm the very business and professional image you’ve worked so hard to build.

The misconception? That your business does not need to become PCI compliant and renew its certification each year.

It’s easy to see how this misconception could come about. Most small businesses use business management software and work with a third-party merchant services provider, like Constellation Payments, to help run their business.

Yes, the software provider is PCI-certified, and the merchant services provider is also PCI-certified.

However, working with PCI-certified vendors does not exempt a business from having to show their own compliance. All businesses that participate in the payment transaction process must adhere to PCI compliance standards. The process includes more than running payments through your software.

The payment transaction process includes how credit card and debit card payment information is handled at the front desk in fitness clubs and gyms, at the counter in salons and spas, on a tablet for on-the-go businesses like personal training, at the register in a retail store, and so on.

How Do I Get My Business PCI-Certified?

To become PCI-certified, your business must complete the self-assessment questionnaire annually.

Fortunately, there are many resources to help with PCI certification – ones that make it a relatively pain-free process.

At Constellation Payments, as part of our solution, each merchant is enrolled in the PCI Plus Protection Program that’s provided by well-known Qualified Security Assessor, Sysnet.

What’s great about this program is that you get hands-on help. The team at Sysnet will guide you through the entire process to help you complete your self-assessment questionnaire (SAQ). And they’ll confirm all answers.

Once the questionnaire is completed, you’ll be able to download your validation certificate and then send the certificate to your merchant processor to have on file.

What Happens if My Business Isn’t PCI-Certified?

1. You could lose the ability to accept credit cards.

If there are possible breaches of card association regulations, the card brands could revoke your right to process credit cards.

2. You could get hit with a big financial loss.

Non-PCI-compliant merchants can face fines of up to $500,000.00 in the event of a data breach.

In addition, PCI non-compliance can result in penalties ranging from $5,000 to $100,000 per month by the credit card companies. These penalties depend on the volume of clients, the volume of transactions, the level of PCI-DSS that the company should be on, and the time that the company has been non-compliant. For example, the penalties for a Level 1 company that has not met the requirements for more than 7 months could reach up to $100,000 monthly.

Merchant level identification is based on the total volume of transactions per year. See VISA’s site for detail on each level and level requirements.

3. You could lose clients and business.

All it takes is one data breach – no matter its size – to damage your business financially and inflict irreparable damage to your business reputation.

4. You’ll be subject to monthly non-compliance fees.

US businesses that have not completed their annual self-assessment questionnaire, and have not demonstrated PCI-DSS compliance, are subject to a $59.99 per month non-compliance fee.

At Constellation Payments, this fee is meant as an incentive to complete your PCI compliance self-assessment questionnaire to ensure you’re handling and processing credit and debit card payments in a safe and secure manner. Once a merchant has completed their questionnaire demonstrating compliance, the fee drops to $0.

The Benefits Beyond Data Security

Being PCI compliant doesn’t just ensure your business is following the rules and regulations. PCI compliance also helps your business growth and reputation. When consumers know your systems are secure, they can trust you with their sensitive information and have confidence that it is safe and protected.

Confident customers that trust you are more likely to do business with you again and become loyal, repeat shoppers. They’re also likely to recommend you to their friends.

Another key benefit of compliance: it improves your reputation with acquirers (banks and financial institutions that process credit and debit cards on your behalf).

Compliance also improves your reputation with payment brands such as VISA and MasterCard.

The Small Time Investment to Become PCI Compliant is Well Worth the Big Gains in Consumer Confidence and Peace of Mind

While it does take some time and effort to become PCI-compliant, it’s well worth it to gain customer trust and confidence — and avoid catastrophic data breaches that can destroy your business.

Not PCI compliant? Make today the day you become certified to protect your livelihood.

Or as the PCI Security Standards Council website so aptly states, “You’ve worked hard to build your business — make sure you secure your success by securing your customers’ payment card data.”


The Equifax Hack: What You Need to Know, Steps to Keep Customer Data Safe


By now we’ve all heard the story of how 143 million Americans (roughly half the US population) had their personal data compromised due to a breach at Equifax. It’s reasonable to be concerned about the security of your personal accounts. But what about your customers’ sensitive financial data?

With so many people affected, consumers are being inundated with admonitions to update their passwords, freeze their credit reports, and reconsider to whom they entrust their data.

Facing Facts

Whether you sell Point of Sale (POS) software or use it to run your business, it’s time to face facts. After all, if one of the largest custodians of consumer identity data can be hacked, POS software companies and the companies that use that software should assume the worst about their own vulnerability.

Fact 1: This breach was avoidable.

Equifax failed to implement a patch provided by a software vendor/partner for a known vulnerability discovered months prior to being exploited at Equifax.

Key Takeaway / Action Item

Remain vigilant and create mechanisms that ensure your software and any plugins, extensions, or API-connected applications are updated as soon as possible.

Automate where feasible. There are some risks to automated updates, including the possibility that an update could cause a system failure. Only you can determine if automation is right for your company, but it should at least be considered.

Many of North America’s largest POS software brands trust Constellation Payments as their gateway specifically because integration with our PCI Level 1 compliant gateway reduces PCI scope for them and their users.

Fact 2: Equifax fumbled the ball, fumbled the recovery of the ball, and fumbled the recovery of the fumbled recovery of the ball.

Equifax discovered the breach on July 29th, yet didn’t announce it until September 7th. They sent affected customers to a website that looked like a phishing site, and the mechanism for determining whether someone was a victim of the hack was easily spoofed by several security pros who entered dummy data, only to be told their dummy identities were likely compromised.

Finally, Equifax made the egregious decision to try to sell credit monitoring to those that received the bad news, making Equifax seem at best, callous and uncaring, and at worst, opportunistic and sleazy.

Key Takeaway / Action Item

Have a breach plan before you have a breach. Who would you call if this happened tomorrow? What would be the best, most effective measures to take upon learning that your company’s data was now available to anyone willing to purchase it on the dark web? Are there PR firms, Law Firms and Cybersecurity Firms you should have on speed dial?

One thing’s for certain: the old saying that “a failure to plan is a plan to fail” never felt more fitting than it does in the case of Equifax.

Recommended reading: Your Cyber Incident Response Exercise. The article takes you through key questions and scenarios that should be discussed and documented with your team before a breach occurs. This preparation is invaluable. Having a plan in place will help you and your team properly respond to a breach in an organized manner, as opposed to being backed against the wall in a frenzied “what should I do …” state during an actual breach.

Fact 3: Equifax put revenues ahead of security.

Financial disclosure documents show Equifax’s annual overhead had not increased in several years, while profits had increased steadily. It’s been speculated that Equifax may have been slow to apply the patch because doing so would be very expensive and might influence earnings. It seems obvious that a company with as much to protect as Equifax should be increasing its security budget steadily year after year.

Key Takeaway / Action Item

Dedicate a budget to cybersecurity, choose partners who have done the heavy lifting for you, review the budget and your plan at least once a year, and never settle for the minimum protections when it comes to sensitive customer data.

Bottom Line – Prevent, Prepare and Invest

Ensuring the security of your customers’ sensitive data should always be a top priority. Your customers trust you with their payment information. You should do whatever it takes to maintain that trust. Take the time to put proper security mechanisms in place.

Should a breach occur, know how to respond. A cyber incident response plan that can be used throughout your organization is something all businesses should have.

Lastly, never cut corners on data protection just to save some money. In the long run, it could cost you the business you’ve worked so hard to build.

Monitor image courtesy of Pixabay.com.


Cybersecurity Operations: Is Your Business Complying with These PCI-DSS Requirements?


Did you know that the Payment Card Industry Data Security Standard (PCI-DSS) requires that specific cybersecurity operations procedures be conducted on a periodic basis?

Depending on whether you’re a merchant or a service provider — and the nature of how you deal with credit cards — these mandatory procedures may include (but are not limited to):

DAILY

  • Security log reviews

MONTHLY

  • Patching of software and system components

QUARTERLY

  • Internal and external vulnerability scans

SEMI-ANNUAL

  • Firewall rule reviews

ANNUAL

Many of the operations processes required by the PCI-DSS are not only required to be executed according to the specified period, but also when a change to the environment compels an update, such as a penetration test of a new application or vulnerability scan of a new technology environment.

Take Note! Maintaining Records is a Must

The challenge from a compliance perspective is that these procedures must not only be executed, but records must be maintained because you will need to be able to demonstrate that these procedures have taken place if audited or the subject of a breach investigation.

The PCI-DSS requires that these operations processes be executed according to documented procedures, and that the records demonstrate that these procedures were followed. Moreover, if an annual PCI-DSS assessment discovers that the execution of a periodic operations process was missed at some point over the last 12 months, that is potential grounds for your organization being deemed non-compliant.

Prepare to Succeed

“For every minute spent organizing, an hour is earned.” ~ Benjamin Franklin

It is simply not feasible to meet these PCI-DSS requirements without a formal cybersecurity operations program. Your organization needs to develop a plan for this program.

Step 1: List the periodic cybersecurity operations tasks required, with the required frequency.

Step 2: Document the procedures for the execution of each task.

Step 3: Assign personnel to execute the procedures and document the results.

Step 4: Assign one or more different personnel to review the records to make sure the procedures are being done.

As you go through this exercise, you’ll likely discover that you aren’t sure how to interpret a particular operations requirement, or that you don’t have sufficient personnel to execute the procedures according to the prescribed frequency.

If that is the case, you may need to contract outside assistance to work with you to develop some of the procedures, or to handle some of the operations tasks. Maybe you’ll need to hire more personnel or reassign existing personnel away from lower priorities.

You won’t know until you develop the plan. And you won’t achieve PCI-DSS compliance without a formal cybersecurity operations program.
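The four steps above amount to a schedule, an execution log and an independent review of that log. The following Python script is an added example, not STIGroup’s or Constellation Payments’ tooling: it takes the periodic tasks listed in this article, a constructed 12-month operations log, and reports exactly what an assessor would look for, namely any stretch longer than the task’s period with no record, any record that was never reviewed, and any record reviewed by the same person who executed it. The gap limits in days, the window dates and all names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Periodic tasks from the article, with the longest acceptable gap (in days) between
# two consecutive executions. The exact limits are an assumption for this example;
# the page does not name the annual item, so it is left out.
PERIODIC_TASKS = {
    "security log review": 1,     # daily
    "patching": 31,               # monthly
    "vulnerability scan": 92,     # quarterly
    "firewall rule review": 183,  # semi-annual
}

# Hypothetical 12-month assessment window (constructed dates).
WINDOW_END = date(2018, 6, 30)
WINDOW_START = WINDOW_END - timedelta(days=365)


@dataclass(frozen=True)
class Record:
    """One operations log entry: Step 3 fills performed_by, Step 4 fills reviewed_by."""
    task: str
    performed_on: date
    performed_by: str
    reviewed_by: Optional[str]  # None means nobody has reviewed the record yet


def audit_records(records: List[Record]) -> List[str]:
    """Return one finding per frequency gap or review defect inside the window."""
    findings = []
    for task, max_gap in PERIODIC_TASKS.items():
        task_records = sorted(
            (r for r in records if r.task == task and WINDOW_START <= r.performed_on <= WINDOW_END),
            key=lambda r: r.performed_on,
        )
        # Walk from the window start through every execution date to the window end;
        # any stretch longer than the period is a missed execution.
        checkpoints = [WINDOW_START] + [r.performed_on for r in task_records] + [WINDOW_END]
        for earlier, later in zip(checkpoints, checkpoints[1:]):
            gap = (later - earlier).days
            if gap > max_gap:
                findings.append(f"{task}: no record between {earlier} and {later} ({gap} days, limit {max_gap})")
        # Step 4: every record must be reviewed, and by someone other than the executor.
        for r in task_records:
            if r.reviewed_by is None:
                findings.append(f"{task} on {r.performed_on}: executed but not reviewed")
            elif r.reviewed_by == r.performed_by:
                findings.append(f"{task} on {r.performed_on}: reviewed by the person who executed it")
    return findings


def build_sample_records() -> List[Record]:
    """Constructed sample log for the window, seeded with four deliberate defects."""
    recs = []
    day = WINDOW_START + timedelta(days=1)
    while day <= WINDOW_END:
        if day != date(2018, 3, 10):  # defect 1: one daily log review missed
            reviewer = None if day == date(2018, 2, 1) else "carol"  # defect 2: never reviewed
            recs.append(Record("security log review", day, "bob", reviewer))
        day += timedelta(days=1)
    year, month = 2017, 7
    for _ in range(12):  # patching on the 15th of every month
        reviewer = "alice" if (year, month) == (2018, 1) else "dave"  # defect 3: self-review
        recs.append(Record("patching", date(year, month, 15), "alice", reviewer))
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    for d in (date(2017, 9, 1), date(2017, 12, 1), date(2018, 3, 1), date(2018, 6, 1)):
        recs.append(Record("vulnerability scan", d, "erin", "frank"))
    # defect 4: only two firewall rule reviews, nine months apart
    recs.append(Record("firewall rule review", date(2017, 8, 1), "gus", "helen"))
    recs.append(Record("firewall rule review", date(2018, 5, 1), "gus", "helen"))
    return recs


if __name__ == "__main__":
    for finding in audit_records(build_sample_records()):
        print(finding)
```

Run against the constructed log, the script reports four findings, one per seeded defect; run against an empty log it reports a full-window gap for every task, which is the situation of an organization that has no program at all.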

Dominic Genzano is the CEO and Founder of STIGroup, an Information Security Consulting firm that provides a full suite of Information Security services. In his role, Dominic leads the continued development of the CyberSecurity services strategy. As an established cybersecurity industry expert, and a principal consultant of STIGroup, he has led significant security initiatives for major private corporations and public sector entities. Dominic can be reached at dom@stig.net.


What Every Business Needs to Know About PCI Compliance (10 FAQs Answered)


It seems that every day we hear more and more about data security breaches, foreign cyber-attacks, and consumer warnings about how to protect yourself from falling victim to fraud.

Now more than ever, it’s important to stay ahead of the curve and ensure you have the basics down when it comes to protecting your business’ sensitive payment data.

Below are the most frequently-asked PCI-related questions we receive from channel partners and merchants, along with answers. If you have a question that isn’t listed, please comment below or send an email to support@csipay.com.

What is PCI-DSS?

The Payment Card Industry Data Security Standard (PCI-DSS) — commonly referred to as just PCI — is a set of standards designed to ensure that all organizations that accept, process, store or transmit credit card information maintain a secure environment.

What Businesses are Required to Be PCI-Compliant?

ALL BUSINESSES that participate in the payment transaction process are expected to adhere to the PCI compliance standards. This includes:

  • Businesses of all sizes
  • Point of sale providers
  • Gateway providers
  • Financial institutions
  • Payment processors and acquirers
  • Hardware and software developers

My Software Provider is PCI-Certified. Do I Need to Maintain PCI Compliance Myself?

Yes. Working with a software provider that is PCI-certified, or a merchant services provider, like Constellation Payments, that is PCI-certified, does not exempt a business from having to show compliance.

Businesses handle credit card information at their front desks and kiosks every day. All businesses are part of the payment transaction flow and therefore required to comply and show compliance through a certification process.

All the entities listed above must demonstrate and validate compliance.

How Do I Become PCI-Certified?

1) Review the 12 PCI-DSS requirements on the Constellation Payments website. This list can be used as a checklist for assessing your IT assets and business processes.

2) Complete the self-assessment questionnaire (SAQ) and confirm all answers.

Businesses with Constellation Payments will be provided with step-by-step instructions on how to register with a Qualified Security Assessor (QSA), such as Sysnet.

3) Download your validation certificate.

4) Send the certificate to your merchant processor to have on file.

How Often Do I Need to Complete the PCI Questionnaire?

You are required to complete the PCI questionnaire every year to stay compliant.

Who Can Help Me with my PCI Compliance Validation?

At Constellation Payments, we’ll guide you through the entire process to make sure your PCI compliance certification experience is smooth and easy.

We have partnered with well-known Qualified Security Assessors to provide all businesses with a PCI toolkit to help with the annual PCI compliance validation process.

Are There Additional Services Available to Assist with PCI Compliance?

Yes. We have an enhanced PCI solution, called PCI Plus, available to all businesses.

PCI Plus offers a white-glove approach to PCI compliance. Through the solution, you receive:

  • An interactive customer PCI validation experience
  • File Integrity Monitoring (FIM)
  • Anti-Virus Protection (AV)
  • Unauthorized Device Monitoring

These are just a few of the benefits. To learn more, email support@csipay.com or call 888.244.2160.

What’s a Security Vulnerability Scan?

A vulnerability scan identifies security issues such as stored credit card data, misconfigured networks or outdated versions of software.

Who Needs to Complete a Security Vulnerability Scan and How Often Does the Scan Need to be Completed?

Businesses that have external-facing IP (Internet Protocol) addresses that connect to their cardholder data are required to complete a quarterly vulnerability scan by an Approved Scanning Vendor. If vulnerabilities are found, the business is required to go through a remediation process to fix the vulnerabilities.

What is Breach Security Coverage?

Maintaining PCI compliant status will help to reduce the risk of a data security breach, but it doesn’t guarantee a breach event won’t occur.

The penalties for a data security breach can have a devastating financial impact to a business.

Our PCI program solution at Constellation Payments includes data breach coverage, which provides some financial relief to businesses that experience a data security breach.

In the event of a breach, you should contact the Constellation Payments’ Support team who will then work with Elavon to log the event and work with risk/loss prevention to start the investigative process.


Jennifer Sumii is Manager of Partner Relations for Constellation Payments. Within her role, she oversees critical company partnerships, including partners with custom integrations, large core processing accounts, and processor or origination companies. Her background includes extensive processing and banking experience, specifically FI/ISO/ICA relationship management, corporate and commercial banking relationship management, national account management, and new ISO/MSP implementation and training. You can reach Jennifer at jsumii@csipay.com.


Your Cyber Incident Response Exercise

The Payment Card Industry Data Security Standard (PCI-DSS) requires organizations that accept credit card payments to:

  • “Create an incident response plan to be implemented in the event of a system breach”
  • “Review and test the plan” (minimally on an annual basis)
  • “Provide appropriate training to staff with security breach responsibilities”
  • “Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments”

Most organizations that accept credit card payments aren’t in the business of cybersecurity. The idea of a data breach is difficult to grasp.

What are the ways that it could happen? How can you guard against it? How would you know if a breach happened? What would you do about it if you knew a breach had occurred? What would be the consequences to your business?

Required Cybersecurity Controls

The PCI-DSS requires that your organization implement a specific set of cybersecurity controls, based on how your organization deals with credit card information. These cybersecurity controls are intended to prevent a security breach that would put credit card information at risk, and allow you to detect a breach should it occur.

But data breaches happen every day, and often go undetected for extended periods of time, even when the required cybersecurity controls are in place.

In many cases, organizations are completely unaware that a data breach may have occurred until their merchant bank or payment processor contacts them to inform them that fraud was reported for a large number of credit cards that were recently used to transact with their business.

Your Organization’s Vital Incident Response Test

The incident response test required by the PCI-DSS, if conducted properly, provides your organization with:

1. Invaluable preparation to respond to a suspected or confirmed breach

2. An effective means of continually improving your organization’s cybersecurity program to prevent a breach from occurring in the first place

In the context of PCI certification, and general cybersecurity best practices, an “incident response test” is essentially a tabletop exercise: a meeting where a few potential breach scenarios are discussed in some detail with the relevant members of your organization, and potentially third-party service providers who would be involved in the case of a breach.

What Would You Do If …

The exercise of discussing potential breach scenarios is vital because you don’t want the first time your organization asks “what should I do if …” to be during an actual breach. These scenarios must be discussed among the team before a breach occurs, at a ‘safe distance’ from an actual event so that the members of your team can think clearly.

Questions come up during such exercises that change your perspective and allow your organization to significantly improve your incident response capability with relatively small investments of time and money:

  • Who are you required to notify? Banks, processors, business partners, customers?
  • Are you sure that you have the correct contact information?
  • What would you tell them?
  • Where would you find the information you need from the systems to find out what happened?
  • Would you understand what you were looking at?
  • How would you determine the extent of the breach, or even make certain that there was a breach?
  • Do you have the tools that you would need to even try any of this?
  • If the response to such a breach is outside of your capabilities, who would you call? Do you have an arrangement in place to get the help when you need it?

These can be scary questions of course, but it’s better to ask them now, and to have thought them through to a reasonable degree ahead of time so that you can be prepared to act decisively and responsibly, even if that just means knowing who to call.

This is the intent of the incident response planning and testing requirements of the PCI-DSS: to prepare your organization as best as possible to minimize the damage of a security breach, thereby (hopefully) minimizing the amount of credit card information put at risk.

Taking Proactive Steps

The real value of a cyber incident response exercise is when the questions start to move in a proactive direction:

  • How would you detect such a breach?
  • How can you alter your security monitoring processes to detect such breach activity faster?
  • Now how can you adjust existing security controls, or implement new ones, to better prevent such a breach from occurring in the first place?

These are the types of questions that result in the continued improvement of your cybersecurity program, and take you past just ‘checking the box’ for your PCI-DSS certification, to a place where you are actually protecting your information.

Even if you work with a company like Constellation Payments for payment processing/merchant services that reduces your PCI scope, your organization should conduct an incident response test to ensure that the proper safeguards are in place at the organization/employee level.

I hope this article gives you a good starting point to develop your own incident response test. If you have any questions on performing an incident response test at your organization, or questions around cybersecurity, feel free to reach out to me at dom@stig.net.

Dominic Genzano is the CEO and co-founder of STIGroup, an Information Security Consulting firm that provides a full suite of Information Security services. In his role, Dominic leads the continued development of the CyberSecurity services strategy. As an established cybersecurity industry expert, and a principal consultant of STIGroup, he has led significant security initiatives for major private corporations and public sector entities. Dominic can be reached at dom@stig.net.


The Data Security Solution Every Member Management Software Vendor Should Have in Place

We work with a lot of software vendors in the member management space.

Their customers — gym owners, personal trainers, association managers — use software like EZFacility, myVolo and 123Signup to streamline business operations and automate key tasks.

One of the most critical needs for these business professionals — due to the nature of their operation — is the need to have secure payment processing integrated with their software.

These fitness professionals and association executives need to have the ability to process recurring credit and ACH payments through their software on a continual basis, so that they can charge for items like fitness memberships, association dues, and personal training session packages.

Rather than input the member’s credit or bank draft account each and every month when a membership payment is due, the software needs to store the account information for ongoing use. Problem is … storing sensitive payment data leaves the data at great risk of being stolen.

That’s where tokenization comes in.

What is Tokenization?

Much like emptying a treasure chest of its valuables, tokenization replaces a cardholder’s primary account number (credit card number) or bank account number with a long string of random numbers that is useless to a thief if stolen.

That long string of random numbers, the token, is used when processing payments. The customers’ actual payment data is sent to a highly-secure encryption appliance and stored, eliminating the need for the merchant to store the payment data on their internal network.

In other words, fitness gyms, associations and other membership-based businesses can go about their business — processing payments the first of every month or whatever their cycle. At the time of payment, the token is retrieved and used for transactions in lieu of the cardholder’s primary account number/credit card number or bank account number.

More Benefits to Tokenization:

1. Because merchants don’t have to store the sensitive data themselves, their Payment Card Industry (PCI) requirements are reduced, which ultimately means fewer questions on the merchant’s annual PCI survey, reduced liability and reduced costs associated with PCI compliance.

2. Tokenization protects businesses from internal theft — from employees, suppliers, vendors or anyone else connected to the software and its data.

How is Tokenization Different than Encryption?

Encryption masks data by using an algorithm to scramble credit card data so that it can’t be read by anyone without the proper key. However, unlike tokenization, that data remains on the company’s internal network. So while the chance of stolen encrypted payment data being usable is minimal, there is still a hole, and hackers could potentially reverse-engineer the data to reveal credit card information.
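As an added example (not Constellation Payments’ code or the vault it uses), the Python sketch below shows the division of labour described in the tokenization section and in the comparison with encryption above: a token vault is the only component that ever sees the card number, the merchant’s member database stores nothing but a random token and the last four digits, and the monthly recurring charge is authorized by handing the token back to the vault. Because the token is drawn from the operating system’s random generator rather than computed from the card number, there is no key or algorithm on the merchant’s network that turns it back into a card number, which is the difference from encryption the article points at. The `TokenVault`, `MemberDatabase` and Luhn check are hypothetical; the card number used is a well-known test number, not a real account.

```python
import re
import secrets
from typing import Dict, Tuple


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test, so the vault rejects mistyped card numbers on entry."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical tokenization service: keeps the PAN, hands out an unrelated random token."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}  # this mapping exists only inside the vault

    def tokenize(self, pan: str) -> Tuple[str, str]:
        """Store the card number and return (token, last four digits) for the merchant."""
        digits = re.sub(r"\D", "", pan)
        if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
            raise ValueError("not a valid card number")
        # 128 random bits from the OS CSPRNG; nothing about the token is derived from the PAN,
        # and tokenizing the same card twice yields two different tokens.
        token = secrets.token_hex(16)
        self._pan_by_token[token] = digits
        return token, digits[-4:]

    def authorize(self, token: str, amount_cents: int) -> dict:
        """Simulated charge: the PAN is looked up here and never leaves the vault."""
        digits = self._pan_by_token.get(token)
        if digits is None:
            raise KeyError("unknown token")
        return {"approved": True, "amount_cents": amount_cents, "last4": digits[-4:]}


class MemberDatabase:
    """What the member management software keeps: token and last four digits only."""

    def __init__(self) -> None:
        self.members: Dict[str, dict] = {}

    def enroll(self, member_id: str, token: str, last4: str) -> None:
        self.members[member_id] = {"token": token, "last4": last4}

    def holds_pan(self, pan: str) -> bool:
        """True if the full card number appears anywhere in a dump of the merchant's data."""
        return re.sub(r"\D", "", pan) in repr(self.members)


def monthly_billing(vault: TokenVault, db: MemberDatabase, amount_cents: int) -> list:
    """Charge every enrolled member by token; the merchant never handles a card number."""
    return [vault.authorize(m["token"], amount_cents) for m in db.members.values()]


if __name__ == "__main__":
    vault, db = TokenVault(), MemberDatabase()
    token, last4 = vault.tokenize("4111 1111 1111 1111")  # constructed test number
    db.enroll("member-1", token, last4)
    print("merchant data:", db.members)
    print("PAN present in merchant data:", db.holds_pan("4111111111111111"))
    print("billing run:", monthly_billing(vault, db, 4999))
```

Dumping `db.members` after enrollment is the point of the example: an employee, vendor or intruder with full read access to the merchant database gets a 32-character random string and four digits, nothing that can be charged or reversed.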

The Best Course of Action …

The tokenization technology we use with our software partners employs state-of-the-art encryption, utilizing a multiple-authority architecture, public-key cryptography and a FIPS 140-2 Level 3 certified Hardware Security Module to store private keys.

At Constellation Payments, we strongly advocate a three-pronged data security approach that includes 1) tokenization, 2) point-to-point encryption to encrypt data from the moment it enters the point of sale software, and 3) EMV technology to reduce card fraud resulting from counterfeit, lost or stolen cards.

This layered data security method is the best course of action for all software that includes point of sale and recurring membership and/or subscription-based payment processing capabilities.

If you have any questions about our tokenization process, or how Constellation Payments can assist you by delivering payment processing solutions integrated with your point of sale software, feel free to give us a call at 888.248.7060 or send an email to sales@csipay.com.

Angela Summa is the Vice President of Constellation Payments. She is responsible for business development, implementation, channel partner support, and merchant support. Her goal is to ensure businesses offer the highest level of payment processing security and ease of processing to customers. You can reach Angela by sending an email to asumma@csipay.com.

Image Courtesy of Pixabay


Subscribe to our Blog, How Payments Are Done!

Get continual educational guidance and strategies on important payment topics including: data protection, tokenization, EMV, and more.

Visit HowPaymentsAreDone.com, enter your email address into the ‘Subscribe to Our Blog’ box and we’ll send our best advice to your inbox.
