What Does PCI DSS Mean to You
Not too many individuals are aware of the Payment Card Industry (PCI) Data Security Standard (DSS) or how this standard could affect their businesses. The PCI DSS is not a law but a standard adopted by the payment card industry, i.e. the card brands such as VISA, MasterCard, and AMEX, which manage and process credit card transactions.
As stated, PCI DSS is not law; however, anyone who processes credit card transactions may have voluntarily agreed to comply with this standard. The industry also levies large fines on those found not to be in compliance when customer data is breached. Some of these breaches are publicized, but most are not. Anyone who watches the news occasionally catches a story involving some organization that was breached by a hacker. Stories relaying "The records of 100,000 customers were released to a hacker, and these records contained Social Security numbers and account numbers" occasionally spark interest.
The losses experienced by those organizations may run into the millions of dollars when one considers the fines imposed, the costs to secure the remaining data, the costs to notify customers, and the loss of consumer confidence and damaged reputations. No business owner would wish to face this situation. However, do not despair; there are some simple steps that you can take to protect yourself when you process credit card transactions:
1. Do not store sensitive customer data
Although you may wish to make life easier for customers by keeping records of their account information so they do not need to repeat it for future transactions, saving that information could cause you much grief later if an unscrupulous individual obtains it.
2. Use a clean computer to process credit card transactions
Make sure that your computer is running an up-to-date operating system and that current antivirus and anti-malware utilities are running in resident mode. This practice helps ensure that no key-logging Trojan is running on the computer; such a Trojan captures typed data and relays it to a cyber-criminal when it "calls home."
3. Use a virtual keyboard when entering account numbers
A virtual keyboard is a utility that displays an image of a keyboard on the screen and accepts input from mouse clicks rather than from the physical keyboard. Key-logging utilities usually capture typed data by reading the computer's keyboard buffer, an area of memory that stores keystrokes before they are passed on. Because a virtual keyboard bypasses the keyboard buffer, it can help render a key-capture utility ineffective.
These simple steps do not in any way guarantee that customer data will not be breached, and the author provides no warranty if the steps fail to prevent such a breach. However, they do not cost a fortune to implement and may save the reader much grief. Information security is, after all, a balancing act between protecting data and being able to use that data.
What do you think? Your Comments are welcome.