Omega ATC has been releasing educational and informational emails all year long, primarily on two topics, “data security” and “compliance”, emphasizing that compliance does not equate to security. Through experience we have found that merchants find it hard to come to grips with these sometimes elusive but critical terms.
The questions we often hear are:
1. Why should I bother with data security if my POS vendor has already said I am compliant?
2. Why should I go beyond what my oil company has already done for compliance?
You say you are compliant, but are you?
Level 1 and Level 2 merchants, in whatever industry they do business, have to worry about this question. The POS system might indeed be compliant, or it might not. This is where data security plays its part. Has the merchant verified what the POS vendor says?
- Are proper password rules followed?
- Is two-factor authentication used for every login?
- Does the POS system store any credit card data after the completion of a transaction?
- Are remote control accesses secure?
- Is all data in the cardholder data environment encrypted?
- And more…
The merchant needs to note that in case of a breach, the merchant will be the one accused of violating PCI DSS rules, not the POS vendor. All fines from the credit card companies and the card processing companies, chargebacks, and legal costs will be passed along to the merchant.
There is no place to hide
Ever since the Payment Card Industry’s Data Security Standards came into place, a great deal of effort has been put in by several entities in the interest of safeguarding customer data, helping retailers protect their businesses, and preventing breaches. Retailers who understand the consequences and the serious aftermath of a breach have been proactive in getting assistance and following data security best practices.
Unfortunately, some had to experience a breach before they took the necessary steps. Others are waiting for a disaster to happen or are just staying under the radar, while some others have been directly approached by the acquiring banks or card data companies and now have to go through all the measures to prove they are following regulatory requirements.
Why the hesitation to safeguard your own assets? Is it for one or more of the following reasons?
- Justification for expenses involved
- Time and work commitment
- Doubts about Return on Investment (ROI)
- Difficulty finding a reliable partner
- Lack of knowledge
- Convincing the decision makers
It could be any one of the above, or a combination of them. Regardless, no explanation is good enough when weighed against the loss of credibility, reputation and customers, the damaging PR, the legal fees and the ongoing fines in hundreds of thousands of dollars that will be incurred after a breach incident. And remember, nobody else will pay for the losses except the retailer that has experienced the breach.
Aside from the ROI, expense is an important factor. However, the ongoing expenses of running a secure business are the only expenses any retailer should be concerned about in the first place. In any business, these expenses should be budgeted year after year:
- Inventory of all data
- Methodical management of all systems in your infrastructure
- Ongoing updates of all software
- Patching of all systems and software
- Data encryption
- Anti-virus and anti-malware
- Risk assessment
- Modifications to the infrastructure as required or as needs change
- Ongoing maintenance of all of the above
So, the list has covered most of the data security elements. What remains are the few items below, which require the retailer to partner with an expert service provider. And that’s an expense any responsible business should allocate for.
- Internal and external scanning
- Logging of different events
- Maintaining the logs for a period of 365 days
- Information Security Policy
Let’s talk about Return on Investment (ROI)
This is a term that’s thrown around because people in the business world understand the language of dollars best. If businesses are looking for a dollar value for return on investment, it can be viewed in a few different ways.
- The return on investment becomes extremely clear to a breached entity after a breach occurs. The damage will run into several thousand dollars, if not millions, especially for Level 1 and Level 2 merchants. Businesses that questioned this point before the breach are the ones who can explain the ROI better than anybody else afterwards.
- The ROI is that businesses can continue accepting credit cards from their customers. The acquiring banks trust that businesses are following the regulations, standards and industry requirements of the credit card companies and credit card processors. The alternative is to stop accepting cards, which some businesses may opt for. This would only put them at a disadvantage in several areas, especially in this day and age of stiff competition.
- Finally, data security and the entire gamut of all the steps and actions involved are about meeting regulation requirements and mandatory stipulations of the industry. It is an expense that should be budgeted into the business cost to keep the business alive.
It is about:
- Building trust of customers who do business with you
- Assuring them that you have their best interests in mind
- Protecting their personal information
- Ensuring bank card companies that they can allow you to accept credit cards
- Sleeping well, knowing that you have done what is required to keep your business secure
If businesses still don’t see the value of data security and don’t do what has been suggested, they run the risk of a disaster happening now or later. It is just a matter of time before disaster hits, or before the acquiring banks and card companies send you a letter asking you to prove that your business is secure and that you are responsibly handling your customers’ data.
Partner with a service provider to ease the entire process of meeting your business’s data security and PCI compliance needs. From systems management, to providing the right solution and service, to dealing with breached businesses that have to prove compliance, Omega ATC has done it all. Omega has gone through the additional rigor of meeting the requirements of a Level 1 PCI DSS compliant Service Provider. Connect with Omega ATC today.