PCI non-Compliance and the Risks to Your Business
If your online business is accepting credit cards, are you aware that you can be held responsible for financial loss that results from any thefts of credit card information that can be traced back to you? As a business owner, you may not actually know what data you store, or how you protect it. Or, like the client I’m about to tell you about, you trust the advice of your vendor, and you put your financial future at risk without even knowing.
A Cautionary Tale
About three years ago this month the SQL Injection Attack known as the SLAMMER WORM broke into over 140,000 SQL Server-based Internet websites, and overwrote data indiscriminately on many of them. It was a horribly easy worm to protect a website from, and most professionals still consider it unconscionable that programmers were still building sites with this vulnerability in place.
I had the unenviable task at the time of dealing with a SLAMMER Breach that occurred to an eCommerce customer whose website was vulnerable to the attack. My team had taken maintenance responsibility over for the site just a few months earlier, and we were still in the process of laying out the business case for re-coding the website when they were hit.
This website should never have been vulnerable to the SLAMMER WORM, but if only that was where the malpractice ended! To add insult to injury, the original contractor had convinced the client that it would be okay, and actually necessary, to store Credit Card Numbers, CVV Codes, Name on Card, Expiration Date, and Billing Address in clear text in the SQL Server database so that they could update online orders with correct shipping costs later. When the SLAMMER WORM hit their site, there were thousands of credit card records at risk of theft. What the contractor failed to do, however was inform the client that they were responsible for any fines and refunds should that data be stolen.
I found out about the SLAMMER attack hitting my client’s site when the President of the company called me to report strange code that was appearing on web pages. It took no time to put two and two together, and we immediately took down the website. We then went into disaster recovery mode - our team worked nights and weekends to try to plug all the vulnerabilities that the previous team had left for us.
Luckily for us, that particular attack was geared toward overwriting data in the database as a way to cripple and discredit a website. Had it been geared toward pulling data OUT of the database, which it could have done easily (and without the site owners even being aware), they could have stolen thousands of valid credit card numbers for resale on the black market. Had that happened, and the payment processor uncovered where the theft had originated, this client could have been put out of business by millions in fines, and tens of millions in credit card refunds they would have been responsible for.
How To Protect Your Business
Protecting your online business from financial ruin from credit card data theft is where the PCI Security Standards Council comes in. The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.
The Council’s mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. They seek to educate merchants on the importance, and value of compliance with the standards that have been established.
PCI Compliance includes best practices, and, depending on the size, and volume of transactions you process, can sometimes be met through a self-assessment. However, more and more payment processors are now requiring that their merchants get the appropriate level of PCI Compliance. The movement is inevitable too. Eventually, it will not be possible to operate without the appropriate level of Compliance.
What does the PCI Security Standards Council want me to do?
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other system security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications Implement Strong Access Control Measures
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes Maintain an Information Security Policy
- Maintain a policy that addresses information security for all personnel
Where does my company fit into the different requirement levels?
There are four levels of PCI Validation Requirements. Requirements are increasingly stringent, ranging from self-assessment to audit by third party Qualified Security Assessor. The levels are
PCI Compliance Level 4 - Recommended annual PCI Self-Assessment Questionnaire and quarterly network scan
Applies to you if your business is processing less than 20,000 Visa and/or MasterCard e-commerce transactions processed per year
PCI Compliance Level 3 - Annual PCI Self-Assessment Questionnaire and quarterly network scan
Applies to you if your business is is processing 20,000 to 1 million Visa and/or MasterCard e-commerce transactions per year
PCI Compliance Level 2 - Annual PCI Self-Assessment Questionnaire and quarterly network scan
Applies to you if your business is processing 1 million to 6 million Visa and/or MasterCard transactions per year
PCI Compliance Level 1 - Annual on-site security audit and quarterly network scan
Applies to you if your business is processing over 6 million Visa and/or MasterCard transactions per year.
What happens if I do nothing?
The payment brands (i.e. Visa and MasterCard) may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for your PCI compliance violations. The banks will most likely pass this fine on downstream until it hits you. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.
In addition to the above fines and transaction fees, the merchant can be held responsible for all illicit charges that can be traced back to their data breach.
What should I do now?
If you are not sure what your I.T. staff, or 3rd party vendor is doing to secure credit card transaction information, the safest course of action is to have a trained PCI Specialist come in and perform an audit of your systems. You can find reputable Consultant’s on the PCI Website. If you do think your site is safe, but you do not currently perform an annual PCI Self-Assessment, you should consider making it part of your annual business continuity plans.
The best practice to protect your business is simple: do not store credit card information on your server. If you store credit card information and you are NOT PCI compliant, you are taking a huge risk. Even if you ARE PCI compliant, you're still taking a risk because PCI DSS is a minimal standard.
If you are collecting credit card information online today, even if you store the information to charge for subscription-based services, you can also move the risk over to new services that are appearing, such as Authorize.net's Automated Recurring Billing or Customer Information Manager. These services allow your business to process recurring or ad hoc transactions without storing the customer's credit card information on your own server. This strategy shifts the risk back to the credit card processors, and can also reduce your per-transaction costs on credit card charges - putting more money in your pocket.
Finally, be very careful who you partner with. It is expected that data theft from websites will continue to grow. Don’t get caught with an inexperienced site vendor. In the example I described above, my client knew that the prior vendor had never built an eCommerce site before, but hired them anyway. If you have any uncertainties about work another vendor has done for your eCommerce site, a third-party review should be considered.
If you found this article helpful, or know someone who might benefit from reading it, please share it on your favorite social media platforms, or Email a link directly. If you have your own horror story to share, please share your comments.