Card brands and the PCI Council are comfortable with the compliance level of Level 1 and 2 Merchants and are going to start focusing on Level 3 and 4 Merchants. More than 85% of all breaches are in Level 4 Merchants.
In 2010, 60% of losses were due to three areas:
· Lost/stolen devices
· Malicious attacks from a third party
· Theft by an insider, employee or friend
It is important that you don’t fall under the misconception that you can become PCI compliant with a single step, or that because you are a small store you don’t have to comply. Below are answers to some PCI myths as well as some best practice tips:
1. PCI applies to everyone who accepts payment cards, even if it is just one.
2. Tokenization does not make you compliant.
3. Using a compliant payment application will help facilitate PCI compliance but does not make you compliant.
4. Using a third party payment processor does not exclude you from becoming compliant. The merchant needs to ensure the third party is compliant, and the physical and information security requirements still apply.
5. Even if you are a “Mom and Pop” you need to be PCI compliant. 85% of breaches are in Level 4 Merchants.
6. Completing the PCI validation is a critical step to reduce the likelihood of a breach but it is only a periodic measurement. Being constantly vigilant is vital.
Merchant Best Practices
· Buy and use only approved PIN entry devices at the POS
· Buy and use only PA-DSS validated payment software at the POS and web shopping cart
· Do not store sensitive cardholder data on PCs or on paper
· Use Firewalls on Networks and PCs
· Make sure wireless router is password protected and encrypted
· Use strong passwords and change default passwords on hardware and software
· Check PIN devices regularly to be sure there is no rogue software or skimming devices installed
· Create security policies and train your employees
· Follow the PCI standard
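The "do not store cardholder data on PCs" item is the one a merchant can actually verify: scan the files, exports and spreadsheets on POS and back-office machines for stored primary account numbers (PANs). The script below is an added example, not part of the original article and not a PCI Council tool: it looks for 13 to 19 digit runs (optionally split by spaces or dashes), keeps only those that pass the Luhn checksum used by payment card numbers, and reports them masked to first six and last four digits so the scan output itself does not become stored cardholder data. The regular expression, the masking format and the sample text are my own assumptions.

```python
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, each optionally followed by one space or dash.
# Lookarounds stop the match from starting or ending inside a longer digit run,
# so a 24-digit order reference is not carved into a "card number".
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48          # digit value
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to first six / last four, the display form PCI DSS permits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Dict[str, object]]:
    """Scan text line by line; return masked, Luhn-valid PAN candidates."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            # Length re-check is defensive; the regex already bounds it.
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append({"line": lineno, "masked": mask_pan(digits)})
    return hits


# Constructed sample of the kind of text a back-office export might contain.
# 4111111111111111 and 5500000000000004 are well-known brand test numbers;
# 4111111111111112 fails Luhn and the phone/reference numbers are too short.
SAMPLE = """\
customer=Jane Doe card=4111 1111 1111 1111 exp=12/27
order-id=4111111111111112 phone=555-0100
note: mc 5500-0000-0000-0004 on file
ref 1234567890
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE):
        print(f"line {hit['line']}: possible stored PAN {hit['masked']}")
```

Point `find_pans` at the contents of exported reports, CSVs, mail spools or log files on each POS and back-office machine; any hit means cardholder data is being stored and that system is in PCI scope. The candidate pattern is deliberately loose and relies on the Luhn check to drop most false positives, so expect a few from long serial or account numbers and tune the pattern to your own data.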