Combat Fraud or Face a Fine: PCI compliance Coming Soon to a Retailer Near You

Posted on | August 1, 2008
Written by | Ian Griffith
There used to be a myth about credit card fraud that was used to reassure nervous online shoppers. The gist was that more credit card theft came from dumpster divers who harvested credit card receipts from physical stores than from hackers stealing card numbers from merchants online. If this tale ever was true, it came from an innocent time before the scale of recent security breaches at some of the largest retailers.

Credit card fraud amounted to $1.24 billion in losses for U.S. financial institutions in 2006. According to the Nilson Report, an industry newsletter based in Carpinteria, CA, the largest factor in these losses was identified as hackers who successfully broke into the networks of big retailers to steal credit card data. The past three years have seen big growth in these attacks as organized crime has used “SQL injections” and “packet sniffers” to take advantage of infrastructure vulnerabilities. As industry standards improve, we can expect hackers to shift their attention to smaller merchants.

Visa is taking the lead in pressing credit card processors and their retailer customers to comply with the Payment Card Industry Data Security Standard, known as PCI. Given the scale of the exposure, it is not surprising that initial attention has been concentrated on the largest retailers. The PCI standard is not a fixed set of rules that protect your store from being hacked. Instead, it represents a methodology with twelve requirement areas that are adapted to each store's situation.

View PCI as a tool to help you mitigate the risk of a security breach. Recently, Hannaford Supermarkets, which had already been compliant for a year, was the victim of a security breach exposing 4.2 million card numbers. If there is a breach and customer information is compromised, your store procedures will be reviewed to determine your liability for it. As a result, PCI compliance should be managed with the same attention as other risks like shrinkage, fraud and chargeback rates. The upside is that maintaining a report of compliance may entitle you to preferential interchange rates.

Maintaining Security Standards
Very few wine stores process more than six million credit card transactions per year; below this threshold you qualify to conduct a self-assessment questionnaire, combined with a quarterly network scan conducted by a third party. The questionnaire seeks to identify individuals at the store who are responsible for compliance and to help the store plan and maintain security standards.

The biggest issue that PCI auditors are looking for is the security of credit card data, especially if it is being transmitted across public networks. The following questions give a flavor of what to expect:

  • Are you storing credit card information on your POS or your website? If so, is your network protected by a firewall? Is the credit card information on your website encrypted?
  • How current is your POS system? It may be storing credit card information without your knowledge.
  • Are you storing prohibited information like the CVV2 code?
  • Is your computer hardware vulnerable? When did you last update your machines? Are the servers that contain credit card information in a locked room?
  • Has your software been updated with the latest security patches?
  • When were the passwords in your store last updated? Do you have different levels of password access depending on an employee's need for access to sensitive data?
  • Does your staff present any risks to the security of stored credit card information?
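The second and third questions above turn on knowing whether a POS export or website database holds full card numbers or CVV2 values at all. The scan below is an added example, not code from the article or from any POS vendor: it runs over a constructed sample export, keeps only digit runs that pass the card brands' Luhn check (which weeds out invoice numbers and similar), flags any CVV2 field, and reports masked PANs so the findings report does not itself become another store of card data.

```python
import re

# Constructed sample of a POS export. The card numbers are the well-known
# brand test numbers (4111... and 5555...), not real cards.
SAMPLE_POS_EXPORT = """\
order_id=1001,customer=Repeat Buyer,pan=4111111111111111,exp=1209,cvv2=123
order_id=1002,customer=Walk-in,pan=****1234,exp=0110
order_id=1003,customer=Phone Order,pan=5555 5555 5555 4444,exp=0609
order_id=1004,customer=Walk-in,notes=invoice 123456789012345 ok
"""

# 13 to 19 digits, optionally separated by spaces or dashes, as cards are often typed.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Security-code fields that PCI prohibits storing after authorization.
CVV_FIELD = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*=\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn mod-10 check used by the card brands; most random digit runs fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cardholder_data(text):
    """Return one finding per line that appears to hold a full PAN or a CVV2 value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        pans = []
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                # Report only first six and last four, the masking PCI permits.
                pans.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
        has_cvv = bool(CVV_FIELD.search(line))
        if pans or has_cvv:
            findings.append({"line": lineno, "pans": pans, "cvv2_stored": has_cvv})
    return findings


if __name__ == "__main__":
    for f in find_cardholder_data(SAMPLE_POS_EXPORT):
        print(f)
```

Masked entries (`****1234`) and the Luhn-failing invoice number produce no finding; the first and third records do, and the first is also flagged for a stored CVV2.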

As with the Hannaford example, PCI compliance does not guarantee against a security breach. Increasingly, retailers and their credit card processors are looking beyond compliance to further minimize their exposure. The former CIO of Hannaford, Bill Homa, is a fan of simplifying the security battle and he prefers to presume that the bad guys will penetrate the store's network. Having been burned, he takes the defensive position that credit card transactions should be encrypted from end to end, not just when transmitted over a public network.

Credit card processors are also concerned about this point of vulnerability. As Henry Helgeson of Merchant Warehouse says, “with no data to be hacked, the PCI compliance process becomes much more streamlined and affordable for the smaller merchant.” Helgeson's company recently released a product that encrypts card information at the point where it is swiped in the store.

While I was always nervous about taking phone orders, which required writing out the credit card number on a scrap of paper, the shop's practice of storing repeat customers' card numbers in the POS was regarded as offering an extra service, encouraged by both customer and store owner, rather than as a security risk. However, in light of Visa's estimate that more than eighty percent of the instances of unauthorized access to card data have involved small merchants, it is time to focus on the real threat and not the myth.

To learn more about how the Beverage Media can help you Sell Wine Online with a website for your store, contact Ian Griffith at 212 571-3232 x318….
