PCI DSS Compliance - The Truth Hurts!

The more merchant service providers I talk with, the more amazed I am about how most sales reps have no knowledge of the Payment Card Industry Data Security Standard (PCI DSS). This is such a shame, since it is a huge disservice to the clients they serve. That may sound harsh, but they make a living as the "expert" the merchants turn to for their credit card needs, while the "expert" does not understand the fundamental principles of the PCI DSS and how it applies to merchants.

There are many compelling reasons for Small and Medium Businesses (SMBs) to implement Information Security policies. Specifically, the PCI DSS is arguably the most significant liability facing merchants today and most are completely unaware of it. The PCI DSS applies to every organization that processes credit or debit card information, including merchants and third-party service providers that store, process or transmit credit card/debit card data. If you are a merchant, PCI compliance is not a request, nor a suggestion - it is now a requirement, regardless of your size or location.

For a merchant, the liabilities resulting from being non-PCI DSS compliant at the time of an incident include:

• Fines from the PCI
• Being held accountable for the complete amount of fraudulent charges
• Being charged for the costs associated with the breach (e.g. legal fees, card reissue fees, etc)
• Possible cancellation of the merchant services account
• Being found negligent by not meeting a known industry requirement (insurance carriers generally will not cover claims when a company is found negligent, due to the negligence loophole)
• Lawsuits from ID theft victims / disgruntled clients due to the breach (lawsuits will not be covered by insurance, due to the negligence finding, so the client may be forced into bankruptcy)

The 12 requirements of the PCI DSS are:

• Install & maintain a firewall connection to protect cardholder data.
• Do not use vendor-supplied defaults for system passwords and other security parameters.
• Protect stored cardholder data.
• Encrypt transmission of cardholder data across open, public networks.
• Use and regularly update anti-virus software or programs
• Develop & maintain secure systems and applications.
• Restrict access to cardholder data by business need-to-know.
• Assign a unique ID to each person with computer access.
• Restrict physical access to cardholder data.
• Track & monitor all access to network resources & cardholder data.
• Regularly test security systems & processes.
• Maintain a policy that addresses Information Security for employees and contractors.

With the consequences ranging from fines to devastating lawsuits, precautionary measures pale in comparison to the reactive costs associated with cleaning up from non-compliance breaches. As a merchant, if you are non-compliant at the time of an incident, the PCI will hold you liable for 100% of the fraudulent charges, as well as the costs to reissue credit cards to affected cardholders. Additionally, by failing to meet PCI DSS compliance standards that result in identity theft to a client, a reasonably competent attorney can quite easily demonstrate negligence on your behalf. Failing to meet compliance requirements can be used against you in a lawsuit, since industry standards, such as the PCI DSS, are the benchmarks used to demonstrate negligent behavior in a court of law.

The bottom line is the compliance cost associated with the PCI DSS is an unavoidable cost of doing business. In order to decrease the burden associated with this process, we can provide a cost-effective, customized Information Security Policy Manual (ISPM) for merchants. This ISPM covers the PCI DSS and more, so you will be able to implement and document the security of your computer network. Having the ISPM and implementing the steps to securing your network will demonstrate due care and due diligence on your behalf, which is the first step in mitigating your liabilities, as well as becoming PCI DSS compliant.

The benefits of Information Security for small and medium businesses are many:

• Decreased costs - less reactive IT support
• Improved productivity - decreased distractions
• Decreased virus & spyware outbreaks
• More efficient operations
• Better performing network & computers
• Better accountability of assets & resources
• Better educated & trained employees

On a positive note, PCI members, such as Visa, offer safe harbor protection from fines in the event a merchant or service provider experiences a data compromise. To attain safe harbor status, merchants and service providers must:

• Maintain full compliance at all times. This includes adhering to all requirements at the time of a breach or compromise, as demonstrated during a forensic investigation.
• Demonstrate that, before the compromise, the merchant or service provider already met the compliance validation requirements, demonstrating full compliance with the PCI DSS.

If you are merchant service provider and would like to offer an Information Security Policy Manual (ISPM) to your clients, we can establishe an affiliate relationship.Please contact tcornelius@teamlogicit.com for more details or visit www.PCIDSSpolicy.com.

TeamLogic IT of Vancouver - Ribbon Cutting

Bob & Cindie Berry, owners of the new TeamLogic IT in Vancouver, WA, held a recent "ribbon cutting" ceremony to mark their official opening and to showcase their state-of-the-industry office and services.

Welcomed guests included Rick Bowler, Marilee Thompson & Dave English from One Pacific Corp; Norm Paulson & Debbi Lessard from Paulson & Lessard; Mike Ward from Pacific Northwest Telco; DeeAnne Scherdnik from First Indy Bank; Tom Cornelius & Mike Weidman from TeamLogic IT of Beaverton; and Vince Plaza & Manu Larson of TeamLogic IT's corporate office.

TeamLogic IT - How IT works

This is a great video demonstrating how SystemWatch, from TeamLogic IT, can save your business time, save your business money, and decrease your liabilities.

Download systemwatch_demo_v2.wmv

SystemWatch is an enterprise-class suite of tools specifically tailored for the small to medium sized business. TeamLogic IT is a Managed Service Provider (MSP), delivering services that until recently were only available to Fortune 500 companies.

The Breach List - Worse Than Being On Santa's Naughty List

Imagine a "perfect" storm so ferocious and daunting that even seasoned sailors smash their vessels upon the rocks while trying to weather the onslaught of the winds, waves, and currents. Now imagine being given safe passage to a harbor that protects you and your ship from the effects of the storm. If you were given the choice to go down with the ship or drink coffee by a cozy fire, which would you choose? For myself, I'll take my coffee with cream and two sugars...

This "safe harbor" analogy is exactly what state legislators build into ID theft and breach notification laws. It is commonly referred to as an "encryption exemption," since it exempts organizations from having to disclose breaches simply because the data being protected by the encryption is not able to be accessed. Most system administrators with an ounce of creativity can crack into a Windows operating system computer. The rule of thumb is if you have physical access to a system, you can compromise it. Encryption, such as AES-128, makes it mathematically improbable to access the data without the encryption key. Note, it is mathematically improbable, not impossible. With enough computing power, encryption can be broken (however long it may take to break the algorithm).

This safe harbor rule keeps those companies that adopt encryption off the "breach list" - the growing list of notorious companies that get vilified in the news for allowing breaches of client data to occur. The breach list is an exception to the rule that any kind of publicity is good publicity. People lose their jobs and permanently harm their careers over data breaches, from IT staff to corporate officers.

In a real world example, if your laptop or USB drive with confidential data on it is stolen or otherwise accessed without authorization - that is a data breach. With breach notification laws in effect, the clock starts and your company would have to determine what data was compromised and then notify every individual involved. This will trigger lawsuits, the significant loss of your client base, and very negative publicity which will take years to erase. However, the encryption exemption lets organizations forgo the notification requirement if the Personally Identifiable Information (PII) was encrypted at the time of the unauthorized disclosure. With whole hard drive or volume encryption, this becomes a non-issue since the data cannot be access without the encryption key and is therefore not considered a data breach. Yes, the laptop or USB may be stolen and in the hands of a hacker, but if enterprise-level encryption software is used, the hackers will not be able to access the data in unencrypted form... unless they also stole the encryption key, but that is a story for another day for keystroke loggers.

For those of us here in Oregon, we are thankful to have the Oregon Identity Theft Protection Act (SB 583). This is a very well written piece of legislation and thankfully, it does contain a safe harbor clause. The law requires that ‘reasonable safeguards‘ be maintained including the implementation of a security program, risk assessment, data monitoring, and data disposal. The law also has requirements for data breach notification specifically focused on PII. If your PII is encrypted, you forgo the notification process.

According to SB 583, PII consists of: "A consumer's first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are not rendered unusable through encryption, redaction or other methods, or when the data elements are encrypted and the encryption key has also been acquired:
– Social Security number.
– Driver license number or state identification card number issued by the Department of Transportation.
– Passport number or other United States issued identification number.
– Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to a consumer's financial account."

Some people argue encryption is the answer to information breaches, others believe prevention is the answer. I personally believe you cannot have an effective information security plan without both preventative (education & awareness) measures and encryption. Most small and medium businesses have undefined and risky business processes that their own IT staff have no knowledge of and therefore are unable to provide protection. It is rather foolish to believe all employees will do their part. It is simply human nature and it requires constant vigilance, as well as the tools to counter those traits.

Notification is an immensely powerful incentive for organizations of all size to sit up and take notice of their Information Security practices. Along with regulatory pressure, organizations need to routinely audit their business practices and be realistic about identifying and mitigating risks. It is simply another case of if you fail to plan, then you plan to fail. Without encryption for your mobile workforce, do not be surprised to see your company's name on the Breach List.

If you are a Portland-metro area company and want to learn about encryption options, TeamLogic IT will provide a 1-hour free consultative meeting. We can provide you a road map to get you on the proper course to protecting your business properly.

Encryption for Your Business

Do you ever feel uneasy about running into a restaurant or coffee shop, knowing your company-issued computer is sitting on the passenger's seat? Like tens of thousands of others, you have good reason for that uneasy feeling. Laptop thefts account for an alarming percentage of data breaches and subsequent identity theft. What can be done about it when you do not want to lug your laptop around with you everywhere? There are a few options, ranging from the most simple physical security of locking it in your trunk or a more elegant solution of data encryption.

Since human error and sloth linger in the shadowy nightmares of Information Security professionals, the best solution is to remove the human element - adopt encryption technology. This might sound cumbersome, and in some cases it is, but there are products on the market which simplify the encryption process from USBs, to individual folders, to whole hard drive encryption. Entire suites can be purchased for less than $150, so the cost is relatively minimal considering the potential costs associated with the after-effects of a data breach. I do not know one company that would relish the idea of being broadcast on the 5 o'clock news about how an employee had a laptop stolen from a car that contained thousands of client records, including personally identifiable information (PII). Sadly, it happens all the time.

Working with an IT provider, such as TeamLogic IT, you can secure the data of your mobile workforce, including PDAs ad "smart phones." Once the encryption software is setup, it can be as easy as putting in a password at startup to decrypt the entire hard drive. Every client has different needs and concerns, so be sure to know the strengths and weaknesses of your workforce before blindly picking a solution. A good solution will prohibit a user from turning off the annoyance of the added steps inherent to encrypting data.

Many states include "encryption exemptions" into their data breach laws. This means public disclosure of a data breach can be avoided IF the data was encrypted at the time of the breach. What this means to a company is huge - it is the difference between filing an insurance claim to replace the stolen/lost computer and the legal quagmire of notifying clients, partners, and others of a data breach.

If you have any questions regarding encryption, talk with your IT provider. If it is a service they do not offer or have experience in, please contact me and I will assist you.

My Merchant Services Contract Requires Me To Do What??

If you are reading this article and your business accepts credit card payments from clients, it is highly likely you fall under Payment Card Industry Data Security Standard (PCI DSS) Level 4 compliance requirements. What does that mean to you and should you care? It actually means quite a lot and ignorance is far from bliss. Buried in your merchant services contract, you will find that you are subject to stiff fines for non-compliance and even worse, non-compliance demonstrates negligence on your behalf in the event a security breach turns into a civil or class-action lawsuit from disgruntled clients seeking both restitution and vengeance.

If this is news to you, you are not alone. The Payment Card Industry (PCI) consists of the five major credit card brands: Visa, MasterCard, American Express, Discover, and JCB International. The PCI Data Security Standard (PCI DSS) originated from the proprietary and different standards credit card issuers established to protect their credit card data. Naturally, multiple and dissimilar standards caused confusion among merchants and through pressure the card issuers came together to create a single, international standard for protecting credit card data.

These requirements are based on International Standards Organization (ISO) 17799, which is the internationally recognized standard for Information Security practices. Rooted in these standards, the six main objectives for PCI DSS compliance are for merchants to (1) Build and maintain a secure network, (2) Protect cardholder data, (3) Maintain a vulnerability management program, (4) Implement strong access control measures, and (5) Regularly monitor and test networks.

The most fundamental concept is to “build and maintain a secure network,” since that truly encompasses why the PCI DSS and other regulatory standards are passed in the first place. In simple terms, companies must have policies, procedures, standards, and guidelines in place to address physical security, technical security, and management responsibilities for how computers are maintained, data is processed, data is stored, and what user responsibilities are. This affects a newly established, 2-employee Limited Liability Company just as much as it affects a 200-employee corporation which has been in business for 75 years. When the consequences range from fines to devastating lawsuits, precautionary investments pale in comparison to the reactive costs associated with cleaning up from non-compliance breaches.

A Case For Compliance

A case in point is with TJX Companies, Inc (TJX). As the parent company of T.J. Maxx and Marshall's department stores, it faces more than a dozen class action lawsuits for non-compliance in what is currently considered the single largest data breach in history. Their lack of Information Security standards opened their entire, international business operations to data theft. In a matter of days, hackers penetrated and stole the credit card information of millions of customers. The after-effects will take years to clean up and are expected to cost TJX $1 billion in remediation costs, fines, and lawsuits.

Requirement 12 – You Can Run, But You Can’t Hide

Level 4 merchants are now getting much more attention from the PCI, since these smaller businesses tend to not have very secure networks and this makes an ultimate playground for hackers. Though Level 4 merchants are not required by the PCI SSC to have quarterly vulnerability assessments or submit to an onsite security assessment, they still must meet the PCI DSS standards for creating and maintaining a secure network. Requirement 12 of the PCI DSS specifically states that merchants must “maintain a policy that addresses information security” as part of their compliance requirements.

There are both technical and administrative tasks associated with implementing PCI Compliance standards in your business. Here are some tips for you to make the process easier:

• Implement Information Security policies for all users. Many security breaches actually happen within an organization, so it is critical that your policies are clear to your employees. Don't just send an e-mail to the employees who will be involved in these transactions. Instead, have meetings and issue printed information.
• Ensure all employees sign a statement that they understand and will abide by the policies. Keep excellent back-up records of all aspects of how your business is complying and validating the PCI standards.
• Be involved in all IT decisions regarding how your organization will comply with the regulations. Do not assume anything!  Assumptions can cost your company tens of thousands of dollars.

Now that you have a better understanding of the PCI Compliance regulations and their impact on your business and your customers, you must implement these standards. To take the official PCI DSS self-assessment questionnaire visit www.isecuritypolicy.com/PCI. This is a straightforward “Yes or No” questionnaire that can be done in a matter of a few minutes. You may require the feedback from your IT staff or service provider for certain questions, but it will be worth the effort to see how your company is affected by the PCI DSS.

If you need a set of Information Security policies, procedures, standards, and guidelines that are specifically tailored to small and medium businesses, visit www.iSecurityPolicy.com and you can purchase a customized Information Security Policy Manual (ISPM) for $435. This is a bargain compared to the alternative of hiring a dedicate Information Security consultant for the sole purpose of creating the same product.

CryptZone Partnership Announced

TeamLogic IT is pleased to announced it is now an official partner of CryptZone, the makers of Enterprise-class encryption software. This is an exciting relationship, since CryptZone offers volume encryption, whole hard drive (WHD) encryption, e-mail encryption, and USB encryption. Of all the open-source and commercial encryption vendors we evaluated, CryptZone beat out the competition on the grounds of functionality, easy of use, and cost. Considering most states have an "encryption exemption" standard which allows companies to avoid public disclosure of data breaches when the data is encrypted, CryptZone's encryption suite can be the difference between a non-issue and a public relations, as well as a legal, nightmare.

TeamLogic IT is proud to offer CryptZone along with its Information Security Policy Manual (ISPM) to create an array of Information Security services and products we can offer to our clients. Our services are cost effective for businesses of all sizes to implement and maintain.

Kruse Way Economic Forum - Protecting Your Company In The Digital Age

The recent Kruse Way Economic Forum, held in Lake Oswego, OR, was a success at educating local businesses on the new Oregon Identity Theft Protection Act and general liabilities companies face with Information Security in general. As an audience member, it was interesting to see the reaction of other conference members. Most attendees had a vague familiarity with the new law, but were generally uneducated as to how regulatory compliance appied to their organization or how a data breach could cause legal ramifications from disgruntled clients. I commend the sponsors of the Kruse Way Economic Forum, since they planted the seed with many attendees that Information Security is a serious concern and needs the appropriate attention by owners and management of companies, regardless of their size.

For companies that do require help with the Oregon Identity Theft Protection Act, TeamLogic IT can help Oregon businesses become compliant. With the only Information Security Policy Manual (ISPM) available online and customized for the small to medium business client, TeamLogic IT is able to provide a cost-effective and professional solution for those in need.

Charity Spotlight - Breast Friends For Life

TeamLogic IT was pleased to be a Bronze Sponsor for the "Friends for Life" charity auction for the Oregon-based Breast Friends For Life organization. Their mission is to improve and strengthen the mental and emotional well-being of young women living with breast cancer; and to educate and heighten awareness in the community about young women living with breast cancer.

TeamLogic IT will continue to be a sponsor at future events to support such a worthy cause from Breast Friends For Life.