The cost of credit card data compromise has risen nearly 70 percent since 2010 (Cost of Cyber Crime Study, 2011). Often, payment card information found by criminals is electronically just "lying around," waiting to be discovered.
In a recent report released by SecurityMetrics, (Merchant Data Security Report, 2011), 71 percent of the 2,700 merchant systems scanned had stored unencrypted card numbers. In all, more than 378 million card numbers were found on the systems tested. That is more than 12 times the total amount of sensitive records publicly reported compromised during 2011.
The question you must consider is: Do you have unprotected card data on your franchise point-of-sale or back office systems waiting to be harvested and sold for fraudulent purposes?
As a Payment Card Industry (PCI) Qualified Security Assessor (QSA), I conduct many onsite security assessments and continually see problems that result in insecure data storage--even on very sophisticated merchant or service provider systems. Because of this continuing trend, the PCI Security Standards Council has clarified (in version 2.0 of the PCI Data Security Standard, or PCI DSS) that data discovery methodologies should be used at least annually.
The first step to conquering data loss is to know for sure where card data is being used and if (and how) it's being stored. This can be especially important in franchise environments because of the common practice of duplicating POS systems across many merchant locations. If it's bad at one location, it's bad everywhere, which increases the risk of card data loss or exposure.
The first thing is to get a good idea of where card data could be lurking. Just like flotsam in a river gets caught in eddies, card data can potentially be deposited on systems that may or may not be directly involved in POS transactions. During the data discovery phase, knowing where to look for potential data eddies is half the battle.
The other half is finding, implementing, and using a good data discovery tool that can identify card data in its various forms and alert you to its location. Tools including CardRecon (GroundLabs), Spider (Cornell University), and PANscan (SecurityMetrics) can be used to search computer systems for data. Don't forget to run these search tools on your e-commerce web servers, old systems historically dealing with card data, and in departments such as accounting, sales, and marketing.
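To show what such a discovery tool does under the hood, here is an added example (not code from the article or from any of the tools named above): it looks for 13-19 digit runs, applies the Luhn mod-10 check that every card brand uses to weed out phone numbers and order IDs, and reports only masked values so the report itself never becomes stored card data. The sample text and the `scan_tree` helper are constructed for illustration.

```python
import re
from pathlib import Path

# Candidate PAN: 13-19 digits, optionally separated by spaces/dashes, not inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that every real card number passes; cuts false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep first six and last four digits so the report itself is not card data."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str):
    """Return [(masked_pan, offset)] for every Luhn-valid candidate in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append((mask_pan(digits), m.start()))
    return hits

def scan_tree(root):
    """Walk a directory tree; return {path: hits} for files holding PANs."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            text = path.read_bytes().decode("latin-1")  # never raises on binary files
            hits = find_pans(text)
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample input: two Luhn-valid test-style PANs, one Luhn failure, one phone number.
SAMPLE_TEXT = """\
order 1001 cust=Jane Doe card=4111111111111111 exp=12/14
backup copy: 5500 0000 0000 0004 auth ok
phone 801-555-0100 ref 4111111111111112 (typo, fails Luhn)
"""
```

Call `find_pans(SAMPLE_TEXT)` to see the two masked hits, or `scan_tree("/path/to/backoffice")` to sweep a directory such as an old back-office export folder.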
Once you find unsecured card data, you need to figure out what process caused it to be stored and determine if that process can be fixed to avoid future problems. You then must securely remove the unencrypted card data using a secure removal or wipe process. (Hint: Don't just use the delete key--it's really not gone after that.)
Now that your processes and your systems are clean, you need a program to keep them that way. Clear text (unencrypted) credit card data has a way of cropping up again where you don't expect it to be. You must define and follow a process of periodic data discovery cycles (at least annually) to recheck systems and make sure they remain free of unprotected card information.
Good data discovery and secure data flow practices are a very important part of your overall PCI DSS compliance effort. Here are more tips that may help:
Gary Glover is director of security assessment at SecurityMetrics and holds QSA, PA-QSA, CISSP, and CISA certifications. He began his career at McDonnell Douglas developing AI and expert systems for rocket and propulsion systems. He spent nearly 10 years in software engineering and is the author of two U.S. patents.