As Howard Glavin tells it, this whole PCI thing starts to sound more like a job for Ernest Borgnine than it does the information technology department.
The Digital Dozen. Nuclear toxic waste. Shades of gray.
A former FBI agent turned global manager of PCI at IBM Internet Security Systems (ISS), Glavin turned some smooth analogies to help retailers swallow that tall glass of water called PCI compliance.
"Consider PCI data as nuclear toxic waste," Glavin said. "What you want to do as the business owner or business manager—the owner of the risk—is limit the number of people and things that can glow in the dark due to that waste."
Glavin headlined part one of CSD’s two-part PCI Compliance Webcast series last month, sponsored by Fiscal Systems. Joel Williams, Americas Group PCI sales executive for IBM Internet Security Systems (ISS), echoed Glavin’s admonitions as he headed up part two with Fiscal Systems’ Kevin Struthers.
The credit card industry has long since convened to map out security standards for merchants who deal with cardholder data in the course of business, and the volume of cards handled by each business scarcely matters, Glavin said. They’re all held to the same PCI data security standards (DSS).
"If you accept credit cards in any way, shape or form this applies to you," Glavin said. "From the old ‘ka-ching, ka-ching’ slide machine you may still have sitting around on your counter somewhere to the very sophisticated fuel pumps, and all of the point-of-sale points in between, PCI compliance is an issue."
Simply put: "Everything in your world that allows credit cards to process on your behalf or through your store’s network, you’re liable for that activity," Glavin said.
Know Your Responsibilities
Visa, MasterCard, Discover, American Express and Japan Credit Bureau (JCB) formed the PCI Security Standards Council in September 2006 to manage PCI DSS, though each card brand enforces the application standards on acquirers who administer the programs for merchants.
Noncompliance with the security standards can result in hefty fines, but there’s a catch: Noncompliant merchants may not even know when they’re being fined, Glavin said. "Acquirers will tell you sheepishly that it’s happening."
The fines are sometimes rolled up with processing fees or non-direct charges. The long and the short of it: Merchants agree to be compliant with PCI DSS the minute they sign the contract to process, store or transmit cardholder transactions and data, Glavin said.
The hardest part of PCI compliance, Struthers said, comes in identifying where the data is stored.
"People look at the logical side—where it is electronically," Struthers said. "But you have to look at the physical side, too. Where does it move? Where is it stored? Who are the store clerks that have access to all these credit card receipts?"
Merchants have to literally diagram the entire data-flow process: Where and how the information enters the business, where it comes to rest temporarily and long-term, how it’s stored and ultimately how it’s discarded.
While there’s endless chatter about threats from outside hackers, consider this: About 70% of data breaches come from inside the company, either through authorized users or employees who are unauthorized but still have access to the data. Another sizable portion of breaches comes from trusted third-party servicers or contractors, Struthers said.
It may all seem like a daunting task, but there’s a panoply of resources for merchants to latch onto, Glavin said.
What’s more, most of the initiatives to seek and maintain DSS compliance are just that–initiatives, rather than endless capital upgrades. Glavin estimated that DSS compliance is about 70% process-driven and 30% tools-driven.
Both PCI Compliance Webcasts can be viewed in their entirety for free at www.csdecisions.com.