Another local company recently sent out notices to customers stating they “may have” experienced a breach of their system. We all know how this story goes – “may have” turns into “a small number of customers were affected,” which turns into “all customers should monitor their credit cards and credit reports for suspicious activity.” When will this stop? Only when merchants understand the responsibility they signed up for when they agreed to accept credit cards as a form of payment.

The responsibility to protect private cardholder data falls fully on the merchant. In a case like this, the merchant will face fines, loss of reputation and business, and possibly the loss of the ability to accept credit cards as a form of payment altogether. The first thing merchants must do to protect themselves is understand their environment wherever a credit card is collected.

Before the Internet, processing a credit card with a dedicated terminal was relatively safe. The configuration consisted of a terminal that included its own software and a direct connection (POTS) to the payment processor. But as the Internet, software, and mobile have proliferated, dedicated hardware solutions have been replaced. Direct connections have given way to the cheap interconnectivity of the Internet, costly dedicated hardware has been replaced by software, and business line software solutions have automated payment acceptance. These innovations have provided great cost savings to merchants in equipment, communication, and automation, but they come with a price many merchants haven’t realized. That price is PCI compliance and protecting private cardholder data.

A common payment solution today most likely employs technology on each layer of the PCI Compliance Pyramid. This pyramid is a representation of the various layers a typical payment software solution may employ. Connecting the layers together are communication channels. All layers and communication channels must be protected to help ensure hackers cannot steal information along the path of a payment transaction or steal an entire database of cardholder data. Merchants need to be aware of this and ensure that each layer has the proper security to protect against hackers and secure private cardholder data.

Hardware – Most software applications run on some type of computing hardware device. This could be a cell phone, an IoT device, a credit card swiper, or a keyboard connected to a computer. Merchants need to ensure that the devices used to enter credit card information are not physically compromised. Examples of compromise include a hacked credit card reader that collects and transmits credit card information, malware, viruses, keyboard loggers, etc. If using a standard computer program such as a POS program or accounting system, P2PE (point-to-point encryption) devices such as credit card readers and keyboards can be used to safeguard the cardholder’s information at the source of entry. Information is encrypted at the hardware layer, which protects it as it travels through the computing device and the other layers. The benefit to merchants employing hardware-level encryption is a reduced PCI exposure level. The PCI Security Council has recently released the P2PE SAQ for these types of environments, and it is minimal compared to the more comprehensive PCI SAQs.

Applications – Most on-premises software applications store information in local databases. Some may use local encryption to store sensitive data, but the data still resides on the merchant’s computers and networks, making them a target for hackers. A better approach for sensitive cardholder data is a solution that directs that information to a secure outside source using technology such as an iFrame window, so that the merchant’s application never handles the data itself.

Data Storage – Removing sensitive data from the local environment should be priority number one. Today, solutions allow customers to continue to use their traditional business line systems locally while keeping the sensitive data offsite in a secure and encrypted data storage service. Tokenization and encryption services help protect businesses by ensuring that the sensitive data no longer sits in a single local location.

Gateways/Processors – Businesses need to stay up-to-date with the ways their payment gateway connects to the various processors. Older security protocols such as SSL have proven to be vulnerable to hackers and should be updated as soon as possible. The PCI Security Council has mandated that all payment connectivity utilize a minimum security protocol of TLS 1.2 by June 2018.

Communications – As cardholder information is collected on any level of the PCI Compliance Pyramid, the communication channel used to move it to the next layer should also be secure. This can be accomplished with encryption and tokenization.
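The Data Storage layer above describes keeping the full card number offsite and letting local business systems work with a token instead. The example below, added here and not code from the original post, models that arrangement: a hypothetical vault stands in for the offsite service, the local record keeps only a random token plus the truncated digits, and a Luhn-based discovery scan (the kind used to confirm cardholder data is really gone from local systems) verifies the local store is PAN-free. The sample card number is the standard Visa test number, not a real card.

```python
import re
import secrets

# Constructed sample: the well-known Visa test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; discovery scans use it to cut down false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


PAN_RE = re.compile(r"\b\d{13,19}\b")


def find_pans(text: str) -> list[str]:
    """Return substrings that look like card numbers (13-19 digits passing Luhn)."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]


class TokenVault:
    """Hypothetical stand-in for the offsite encrypted storage service.
    The merchant's own systems never hold this token-to-PAN mapping."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Random token: not derived from the PAN, so nothing local can reverse it.
        token = "tok_" + secrets.token_hex(12)
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def local_record(vault: TokenVault, pan: str) -> dict:
    """What the local POS or accounting system keeps: the token plus the
    PCI-permitted truncated form (first six and last four), never the full PAN."""
    masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    return {"token": vault.tokenize(pan), "masked": masked}


def local_store_is_pan_free(records: list[dict]) -> bool:
    """Discovery check over local records: True when no full PAN is present."""
    return not any(find_pans(str(r)) for r in records)
```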