I can’t remember the last time that I actually paid for something using cash. Can you? I use my plastic cards to pay for pretty much everything. They are more convenient than using a check, speed up transactions at stores and allow me to purchase goods on credit. However, the increasing use of plastic cards has also opened up new possibilities for criminal hackers who have turned their attention to stealing personal cardholder data.
If you were to poll 100 people on the street, most of them would say that the information printed on the front of a credit or debit card is the most important thing to protect. However, it’s actually the information encoded in the “tracks” on the magnetic stripe on the back that thieves want. This “track data” holds the account number, expiration date, service code and a card verification value that exists only on the stripe (it is not the three-digit code printed on the back): everything a criminal needs to encode a counterfeit card that will swipe successfully, which makes it far more valuable on the black market than the printed details.
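To make the point concrete, here is an added example (my own illustration, not code from the original post or from any vendor's product): a small scanner that looks for full track 1 and track 2 records in the ISO/IEC 7813 layout the stripe uses, validates the account number with the Luhn check so random digit runs are not reported, and redacts what it finds. The log lines below are constructed for the example, the PANs are the standard public test numbers, and the names, file layout and function names are assumptions made here.

```python
import re
from typing import Dict, List

# Track 1 (ISO/IEC 7813, format code B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")

# Constructed sample log (not from any real system): the kind of debug output a
# careless POS application might write. PANs are public test numbers; names are invented.
SAMPLE_LOG = """\
2010-03-04 12:01:07 POS1 swipe ok: %B4111111111111111^DOE/JOHN^1512101000000000000?
2010-03-04 12:01:08 POS1 auth request sent for 411111******1111
2010-03-04 12:02:19 POS2 swipe ok: ;5500000000000004=15121010000000000?
2010-03-04 12:03:44 POS2 heartbeat ok, queue depth=3
2010-03-04 12:04:01 POS1 swipe retry: ;1234567890123456=1512101?
"""


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; weeds out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> List[Dict[str, object]]:
    """Scan text line by line and report every track 1 / track 2 record found."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TRACK1_RE.finditer(line):
            findings.append({
                "line": lineno, "track": 1, "pan_masked": mask_pan(m.group(1)),
                "luhn_valid": luhn_ok(m.group(1)),
                "expiry": m.group(3), "service_code": m.group(4),
            })
        for m in TRACK2_RE.finditer(line):
            findings.append({
                "line": lineno, "track": 2, "pan_masked": mask_pan(m.group(1)),
                "luhn_valid": luhn_ok(m.group(1)),
                "expiry": m.group(2), "service_code": m.group(3),
            })
    return findings


def redact_track_data(text: str) -> str:
    """Replace each full track record with a marker that keeps only the masked PAN."""
    def make_repl(track: int):
        def repl(m) -> str:
            return "[TRACK%d REDACTED pan=%s]" % (track, mask_pan(m.group(1)))
        return repl
    text = TRACK1_RE.sub(make_repl(1), text)
    return TRACK2_RE.sub(make_repl(2), text)


if __name__ == "__main__":
    for f in find_track_data(SAMPLE_LOG):
        print("line %(line)d: track %(track)d pan=%(pan_masked)s luhn_valid=%(luhn_valid)s "
              "expiry=%(expiry)s service_code=%(service_code)s" % f)
    print(redact_track_data(SAMPLE_LOG))
```

Run against the sample it reports the two swipes with valid PANs and flags the third record as failing the Luhn check, while the masked PAN on line 2 is correctly ignored. Because PCI DSS forbids storing full track data after authorization even in encrypted form, every hit a scan like this produces in logs, databases or crash dumps is a finding to fix, not noise; the same patterns are what a thief greps memory for once inside a POS.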
As the use of credit and debit cards increased in the early 2000s, so did the importance of protecting cardholder data from being stolen by criminals. In 2000, Visa USA was the first payment card brand to introduce a program called the Card Information Security Program (CISP), which was designed to ensure the security of cardholder data as it was being processed and stored. In 2004, a new industry standard was created called the Payment Card Industry (PCI) Data Security Standard (DSS). This standard incorporated the CISP requirements and resulted from cooperation between the payment card brands to create common industry security requirements.
The Payment Card Industry Data Security Standard consists of 12 requirements that mix technology controls with operational processes: installing and maintaining hardware and software firewalls, changing vendor default passwords and rotating passwords on a regular basis, protecting stored cardholder data (and never storing full track data after authorization, even encrypted), encrypting cardholder data in transit across public networks, logging and monitoring access to systems and data, and, for merchants running off-the-shelf payment software, using a POS application that has been validated against the Payment Application Data Security Standard (PA-DSS).
Unfortunately, many businesses are unaware that complying with these 12 requirements is mandatory for any business that processes, transmits or stores payment card data, regardless of its size or transaction volume. The requirements are enforced by the individual payment card brands, such as Visa and MasterCard, through acquirers and processors such as Wells Fargo, First Data and others, who can levy fines on non-compliant merchants. The PCI DSS is the road map that all such businesses must follow. However, businesses should be careful not to fall into the trap of treating compliance as a one-time achievement: a passed assessment is a snapshot, and criminals keep getting more sophisticated, probing for gaps and weak spots in network, system and physical security in order to capture data.
With predictions that we will be a cashless society by 2012, the use of plastic isn’t going away. Protecting consumers and their cardholder data needs to quickly become a daily part of operations for any business. What steps is your business taking to protect your customers?
Tags: data security, Payment Card Industry Data Security Standard, PCI, PCI Compliance