An Ounce of Compliance is worth a Pound of Data Breach Cleanup
Posted on | May 13, 2010
Written by | Ian Griffith
For most wine stores, efforts to secure information against theft have been driven by the banks and card-issuing companies. The Payment Card Industry (PCI) launched its campaign to define security standards in 2006 and has been largely successful in promoting those standards to retailers and their vendors. Now a second source of data security compliance is entering the vocabulary of retailers, as state governments begin to legislate for the security of personal information.
The first of these is a Massachusetts law, cryptically named “201 CMR 17.00” (pdf), intended to protect the personal information of residents of the Commonwealth. Its direct impact should be limited for liquor store owners outside MA, given the restrictions on shipping wine into that state. However, this law likely signals an increased willingness by government to protect citizens from the “substantial harm or inconvenience” that results from unauthorized access to personal information. As such it is worth paying attention to the expectations of this law.
The state of Massachusetts has written a risk-based law that looks at the size and scope of your business. For instance, it places fewer demands on a small business with a handful of employee records to protect than on an accounting firm that handles and stores client financial records. Liquor stores typically handle a large volume of credit card transactions, so this law and others like it will most likely require an audit of several areas of your business.
The primary task in complying with 201 CMR 17 is writing a Written Information Security Policy (WISP) that documents your security audit. The requirements of that audit are defined in the law and address where personal information is stored and what risks there are to the security of that information.
What is different about the MA law is the burden it places on the merchant to verify compliance by its vendors. A review of the information the store shares with banks, merchant service providers, insurance companies, POS vendors, and accountants leads to a request for a compliance statement from each vendor that receives personal (not corporate) information. If the store passes information to a vendor it has selected, and that vendor then fails to protect the data, a portion of the liability for the breach rests with the retailer.
Massachusetts stores that have been through this process usually find they already addressed the credit card security issues while preparing for PCI compliance and protecting against chargebacks. Nowadays most retailers accept signatures on capture pads where the card is swiped. For stores with paper signature slips, the receipt shows only the last 4 digits of the card, the authorization code, and the transaction ID used by the bank. When a credit card is stored in the POS it is encrypted, and the PCI requirements for deleting the expiration date and the CVV code are commonplace.
Personnel information also needs to be accounted for and secured, including payroll statements, medical insurance forms, and bank statements. For stores that accept personal checks, whether from customers or employees, copies of those checks and any bank statements that include check images need to be secured. When sales staff take a phone order and copy down the card number before ringing up the sale, a policy needs to be defined for how that task is performed securely.
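The two paragraphs above describe the card-data controls a store typically inherits from PCI work (receipts and stored records carry only the last 4 digits; the CVV and expiration date are never kept) and the phone-order path where a full card number can end up written into a free-text field. The following is an added example, not code from the original post or from any POS vendor: it masks a PAN for storage, strips the fields that must not be kept after authorization, and then scans the stored records for any full card number that slipped through, using the Luhn checksum to avoid flagging phone numbers and order IDs. The field names (`pan`, `cvv`, `expiry`, `note`) and the sample records are constructed assumptions, not a real POS schema.

```python
"""Added example: PAN masking, record scrubbing and a leak check for stored
POS transaction records. Field names and sample data are constructed."""
import re

# Sensitive authentication data that must not be stored after authorization.
FORBIDDEN_AFTER_AUTH = ("cvv", "cvc", "expiry", "track_data", "pin")

# A run of 13..19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum that card numbers satisfy; rejects most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Receipt/storage form of a PAN: everything but the last 4 digits becomes '*'."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_record(record: dict) -> dict:
    """Copy of a transaction record that is safe to store: forbidden fields dropped,
    PAN masked, authorization code and transaction ID kept for chargeback handling."""
    cleaned = {k: v for k, v in record.items() if k.lower() not in FORBIDDEN_AFTER_AUTH}
    if "pan" in cleaned:
        cleaned["pan"] = mask_pan(cleaned["pan"])
    return cleaned


def find_unmasked_pans(records: list) -> list:
    """Defender-side check: scan every string field of every record and report
    (record index, field name) wherever a full Luhn-valid card number still appears."""
    hits = []
    for idx, rec in enumerate(records):
        for field, value in rec.items():
            if not isinstance(value, str):
                continue
            for m in PAN_RE.finditer(value):
                digits = re.sub(r"\D", "", m.group(0))
                if 13 <= len(digits) <= 19 and luhn_valid(digits):
                    hits.append((idx, field))
                    break
    return hits


def audit(records: list):
    """Scrub each record, then verify nothing scrubbed still carries a full PAN."""
    stored = [scrub_record(r) for r in records]
    return stored, find_unmasked_pans(stored)


# Constructed sample input: a swiped sale and a phone order whose clerk typed the
# card number into the free-text note field (the leak the scan is meant to catch).
SAMPLE_RECORDS = [
    {"txn_id": "A1B2C3", "auth_code": "054821",
     "pan": "4111 1111 1111 1111", "cvv": "123", "expiry": "12/12"},
    {"txn_id": "D4E5F6", "auth_code": "771930",
     "pan": "5555 5555 5555 4444",
     "note": "phone order, card read back 5555555555554444"},
]

if __name__ == "__main__":
    stored, hits = audit(SAMPLE_RECORDS)
    for rec in stored:
        print(rec)
    print("records still holding a full PAN:", hits)
```

The scan deliberately runs over the scrubbed output rather than the raw input: masking the `pan` field is the easy part, and the value of the check is catching card numbers that reached storage through a field nobody thought to mask. The Luhn filter is not a guarantee (about one in ten random digit runs passes it), so hits are leads for a human to review, not proof of a breach.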
It is a rare person who enjoys auditing the data security of a store, but the security of this information is becoming an increasing priority and should become routine practice in your store.
Comments
4 Responses to “An Ounce of Compliance is worth a Pound of Data Breach Cleanup”
May 13th, 2010 @ 2:00 pm
[...] This post was mentioned on Twitter by Ian Griffith, Bevsites. Bevsites said: New post o @bevsites: An Ounce of Compliance is worth a Pound of Data Breach Cleanup http://bit.ly/bJb7cK [...]
May 19th, 2010 @ 10:43 pm
On the subject of securing personal information, there has been a lot of talk about how Facebook has made it increasingly difficult to control your information. The subject of the above article is government regulation of social security, credit card, and driver’s license numbers that could lead to identity theft or fraud. However, the reaction to having personal relationships and pictures available to 3rd party applications or advertisers has caused a strong backlash. The debate is well characterized in the comments on this blog post, where one winery owner explains why he is leaving Facebook. http://www.pinotblogger.com/2010/05/17/why-i-quit-facebook-and-why-every-winery-should-as-well/#comments
May 21st, 2010 @ 8:50 am
Great article highlighting the need for everyone to have a much higher computer/data security awareness. Check out a book we use at work, “I.T. WARS” (you can Google it; a good part of it is available online at Google Books, and Amazon too). It has a great Security chapter, and others that treat security, content management, policy, etc. Highly recommended. Great stuff.
May 21st, 2010 @ 1:00 pm
Janice, thanks for the comment. Your book recommendation looks like one we need to have on the shelf for the next time we review our vulnerabilities, as these issues are never addressed once and for all.