PCI Update

PCI is always changingand it is the best practice for any merchant that accepts credit card to bevigilant in their efforts to become and stay PCI compliant.

Card brands and the PCI Council are comfortable with theLevel 1 and 2 Merchants compliance level and are going to start focusing onLevel 3 and 4 Merchants.  85% plus of allbreaches are in level 4 Merchants. 

In 2010 60% of Losses were due to 3 areas:
·       Lost/StolenDevices
·       Maliciousattacks from third party
·       Theft frominsider, employee/friend

It is important that you don’t fall under the misconceptionthat you can be PCI by a simple step or that because you are a small store youdon’t have to comply.  Below are answersto some PCI myths as well as some best practice tips:
1.    PCIapplies to everyone who accepts payment cards even if it just one.
2.    Tokenizationdoes not make you compliant.
3.    Usinga compliant payment application will help facilitate PCI compliance but doesnot make you compliant.
4.    Usinga third party payment process does not exclude you from becomingcompliant.  The merchant needs to ensurethe third party is compliant.  The Physicaland Information Securities still apply.
5.    Evenif you are a “Mom and Pop” you need to be PCI compliant. 85% of breaches are inLevel 4 Merchants.
6.    Completingthe PCI validation is a critical step to reduce the likelihood of a breach butit is only a periodic measurement.  Beingconstantly vigilant is vital. 

Merchant Best Practices
·       Buy and use onlyapproved Pin Entry devices at the POS
·       Buy and use onlyPA-DSS validate payment software at the POS and web shopping cart
·       Do not storesensitive are holder data on PCs or on paper
·       Use Firewalls onNetworks and PCs
·       Make surewireless router is password protected and encrypted
·       Use strongpasswords and change default passwords on hardware and software
·       Check Pindevices regularly to be sure there is no rogue software or skimming  devices installed
·       Create securitypolices and train your employees
·       Follow the PCIstandard