Recently, Matt Popinski of Daxko, LLC stated, “With the fraud liability shifting from card issuers to merchants, EMV compliance and secure credit card terminals are more important than ever for all kinds of clubs, gyms and wellness centers”.
Your customers and members are depending on you to ensure their data is secure when using their credit or debit cards at your facility. Risks of not doing all you can to ensure privacy of data include possible loss of reputation and customers, financial liability and even litigation.
Assessing Your Security
The Payment Card Industry (PCI) Security Standards Council develops the security standards for payment account security and helps businesses understand them. As part of its role in helping businesses maintain an appropriate level of security, the organization has developed self-assessment questionnaires for small businesses, merchants and service providers. The questionnaires are broken down by how you accept payment cards.
Though not required, it may be a good health check for your business to review and complete self-assessment questionnaires.
Each questionnaire is identified by a letter, determined by how you accept payment cards. Your business may qualify to complete one or more of the self-assessment questionnaires. They are available at no cost and also provide you with valuable questions to ask your payment processor and merchant service provider.
| Questionnaire | Method of Accepting Payment Cards |
| --- | --- |
| A | Card Not Present. E-commerce, mail or telephone ordering. |
| A-EP | Card Not Present where your e-commerce website drives payment processing through a third-party site. |
| B | Card present using imprint machines or standalone, dial-out terminals. Neither method has any electronic storage for cardholder data. |
| B-IP | Card present using standalone, PTS-approved payment terminals with an IP connection to the payment processor and no electronic cardholder data storage. |
| C-VT | Manual, single transaction entry via a keyboard into an Internet-based virtual terminal solution provided by a third-party provider. No electronic cardholder data storage. |
| C | Payment application systems connected to the Internet with no electronic cardholder data storage (non-e-commerce channels only). |
| P2PE-HW | Card present hardware payment terminals managed via a validated, PCI SSC-listed P2PE solution with no electronic cardholder data storage (non-e-commerce channels only). |
| D | All merchants who do not fit into the descriptions above, and service providers defined by a payment card brand as eligible to complete a self-assessment. |
Minimize Data Security Risk
The PCI Security Standards Council states that weaknesses are often exploited, but PCI Data Security Standards (DSS) controls are “designed and include detailed requirements for exactly this reason – to minimize the chance of compromise and the effects if a compromise does occur”. Some control failures that have occurred could have been prevented with proper control implementation.
Examples of control failures include:
- The merchant is unaware that sensitive authentication data is being stored
- Default system settings and passwords were not modified from system defaults and/or were not complex enough
- Unnecessary and insecure services are not removed when the system is installed
- There are missing and outdated security patches on operating systems, devices or browsers
Not One And Done
Security is not a “one and done” activity; it’s an ongoing process. As thieves get better at breaking code and finding vulnerabilities, security must keep pace with those changes to prevent that access. As a result, all merchants are wise to implement regular data security health checks on their networks and on their processes for accepting credit and debit cards from consumers.
Regular Activities To Improve Security
Your business can easily implement the following steps to maintain a more secure environment:
- Modify default settings and passwords on systems and databases. In addition, update those passwords on a regular basis and make sure they are complex and difficult to figure out.
- Remove insecure services and devices from your system and databases.
- Apply patches and security updates quickly when they become available. Whether it is your operating system, browser or software applications, implement updates regularly as they become available.
- Be aware of end of life for your hardware, operating systems and software. Outdated hardware and unsupported applications expose vulnerabilities we might not know about. In addition, quick adoption of the latest and greatest keeps your members happier. Sometimes, members adopt new technologies quickly and are frustrated when a vendor or service is not compatible.
- Evaluate whether you maintain cardholder or personal data anywhere in your system or on paper. Determine if it’s absolutely necessary, and if so, consider methods to prevent that data from being read by other applications or individuals. Generally, card data does not need to be maintained by the merchant. Third party payment processors and merchant service providers do not hold cardholder data, but instead can hold a “token” that identifies the card data to the system without exposing any of the critical details such as the card number.
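The last item above says card data generally need not be kept by the merchant and that a processor holds a token instead. As an added example, not from the original article, here is a small Python scan a merchant could run over exported records (notes fields, spreadsheets, log lines) to find Luhn-valid card numbers that were kept by accident, and to show what a tokenized record looks like. The sample records, the key and the token format are constructed for the demo; in practice the token is issued by the processor and the merchant holds no key that maps back to the card number.

```python
import hashlib
import hmac
import re

# Constructed sample records (brand-published test PANs, not real cards) mixed
# with other long numbers that must not be reported as card data.
SAMPLE_RECORDS = [
    "member=1041 note=paid by card 4111111111111111 at front desk",
    "member=1042 note=phone 5551234567, renewed annually",
    "member=1043 note=card 5500 0000 0000 0004 kept on file for billing",
    "member=1044 note=tracking 1234567890123456 for shipped gear",
]
# Hypothetical key for the demo token; real tokens come from the processor.
DEMO_KEY = b"demo-only-key"
# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum must be mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def _strip(match: re.Match) -> str:
    return re.sub(r"[ -]", "", match.group(0))

def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text, separators removed."""
    return [p for p in map(_strip, PAN_PATTERN.finditer(text)) if luhn_valid(p)]

def tokenize(pan: str, key: bytes) -> str:
    """Keyed token that keeps only the last four digits (demo stand-in)."""
    tag = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()[:12]
    return f"tok_{tag}_{pan[-4:]}"

def redact_record(text: str, key: bytes) -> str:
    """Rewrite a record so any PAN it held is replaced by its token."""
    def repl(m: re.Match) -> str:
        pan = _strip(m)
        return tokenize(pan, key) if luhn_valid(pan) else m.group(0)
    return PAN_PATTERN.sub(repl, text)

if __name__ == "__main__":
    for idx, rec in enumerate(SAMPLE_RECORDS):
        for pan in find_pans(rec):
            print(f"record {idx} stores card ending {pan[-4:]}")
            print("  redacted:", redact_record(rec, DEMO_KEY))
```

Only the two records holding Luhn-valid numbers are reported; the phone number and the tracking number are left alone.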
Need payment processing and billing support for your business? Contact us to learn more.