Tag Archives: data security

About PCI Compliance Fees

Many businesses that accept credit cards wonder what the PCI compliance fee is and why they have to pay it. It all starts with the information that a retailer gains when a customer purchases a product or service using their credit or debit card to pay for the transaction. The thin black strip on the back of the cards holds sensitive information that can be used to defraud the card holder if a criminal gets hold of that information. A merchant must take steps to ensure that all personal information collected from a customer is kept safe and away from those who intend to do harm to others.

There have been some notable data breaches over the past few years, like the one at TJX Companies, the parent company of the T.J. Maxx and Marshalls department stores. Over a 16-month period, thieves hacked into TJX’s computer system and stole information from over 45 million cards. This caused serious problems for the company and its customers, and addressing the damage caused by the breach cost a great deal of time, money and effort.

Employees of businesses have also been known to steal this type of information. All they need is to gain access to credit and debit card receipts so they can purchase items using someone else’s card number. These types of incidents have increased with the proliferation of these cards. The major credit card companies like Visa, MasterCard, American Express and others developed guidelines that a business must follow to protect customer information. Failure to abide by these guidelines can result in the credit card companies deciding to discontinue doing business with a non-compliant company.

Many business owners know they should keep information safe, but many have no idea why they are also being charged a PCI compliance fee.

These fees are charged for basically three reasons: education, non-compliance, and insurance.

Many credit card processing companies spend time working with business owners to make sure they understand what is required and how to meet those requirements. Some will add a fee to cover the cost of this educational component.

Businesses that do not show they are in compliance are also susceptible to being charged fees. This is generally done to remind the owners that they should take the time to fulfill the requirements. This portion of a fee could disappear once they have certified with the processors that they have taken appropriate action to protect their customers’ information.

A third component of some fees is insurance to help cover any breaches. The TJX breach ended up costing well over a quarter of a billion dollars. This is a cost many businesses cannot afford to absorb and still survive. The insurance will not cover breaches where the company was involved in the criminal activity.

The fees can be charged either monthly or annually. They range from $5 to $15 per month, or over $99 per year.

Data Breach Solutions

Today The Official Merchant Services Blog has a quick follow up to its ongoing coverage of the Global Payments Data Breach. The past two entries in our blog have taken a sweeping look at the big picture of data breaches and PCI DSS and how effective those security standards are. PCI Compliance is a topic very near and dear to Host Merchant Services because the company pushes an aggressive initiative among its customers to keep them PCI Compliant.

PCI Compliance: The Foundation of Security

Past studies from Verizon and Gartner Research have suggested that business owners slack on their security needs, especially in terms of PCI DSS compliance. The most often suggested reason for this lax outlook on security is that PCI itself does not have a lot of traction with those business owners. The merchants tend to think any security issues are the responsibility of the third-party processor, the bank or the credit card companies; they don’t see a direct link to their business, for the simple reason that the terminal that swipes the cards wasn’t theirs to begin with. Other issues include merchants getting lost in the complexities of the PCI DSS website and its many forms that need to be filled out, and the change to PCI version 2.0 in October 2010, which changed the structure of the system. Merchants get distracted by the day-to-day responsibilities of the business and gloss over the minutiae of PCI compliance.

Host Merchant Services understands these problems. Part of their service mantra is that the company designs payment processing solutions that let their merchants focus on running their company. The general theme is to make payment processing seamless and easy for the merchants. This includes transaction security and was the catalyst that fueled the company’s PCI Compliance Initiative.

But as we’ve seen with the Global Payments Data Breach, security needs to go beyond just PCI Compliance.

An Extra Layer of Protection

This article from The Data Center Journal suggests that tighter control of admin privileges could have helped stave off the Global Payments Data Breach completely. From the article: “Avecto says that the possibility that the breach was caused by a compromised administrative account that was insufficiently protected shows that governance is a central requirement of modern IT security.”

The article maintains that multiple layers of security can go a long way toward preventing future data breaches of this type. Paul Kenyon, chief operating officer with Avecto, said in the article that “Our observations on this breach suggest that minimizing administrative privileges—an exercise in the principle of least privilege—would have gone a long way to preventing the breach.” It was suggested to Kenyon by another IT security analyst that the privileged accounts reportedly at the heart of this breach need several layers of protection to properly insulate them from hackers.

Most articles looking at the aftermath of the data breach arrive at the consensus that security measures need to go beyond just PCI compliance. This article gives some very specific and clear advice on a step to take — a data breach solution.
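The least-privilege point above is easiest to act on once you know which accounts actually hold administrative rights on a host, because every such account is one a phishing victim or a leaked credential can hand to an attacker. As an added example (not code from the article, from Avecto, or from Host Merchant Services), here is a small Python inventory of root-equivalent and admin-group accounts parsed from passwd/group-format files; the file contents, the account names and the list of admin group names are constructed assumptions for illustration, not data from any real system.

```python
"""Inventory administrative accounts on a Unix-style host from the
contents of /etc/passwd and /etc/group. Added example; every account,
UID and group below is constructed for illustration."""

# Assumption: these are the group names that confer admin rights via sudo.
ADMIN_GROUPS = {"wheel", "sudo", "admin"}

# Constructed passwd-format sample (name:pw:uid:gid:gecos:home:shell).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup superuser:/root:/bin/sh
posadmin:x:1001:1001:POS admin:/home/posadmin:/bin/bash
possvc:x:1002:1002:POS service:/var/lib/pos:/usr/sbin/nologin
reports:x:1003:27:Reporting:/home/reports:/bin/bash
"""

# Constructed group-format sample (name:pw:gid:member,member,...).
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:posadmin
wheel:x:10:
pos:x:1002:
"""


def parse_passwd(text):
    """Return {username: (uid, primary_gid)} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users


def parse_group(text):
    """Return {groupname: (gid, set_of_members)} from group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, gid, members = line.split(":")
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def privileged_accounts(passwd_text, group_text):
    """Map each privileged account to the reasons it is privileged.

    'uid0' marks a root-equivalent UID (a second UID-0 account is a
    classic sign of privilege sprawl); 'group:<name>' marks membership
    in an admin group, whether listed as a supplementary member in the
    group file or granted silently through the primary GID in passwd.
    """
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    reasons = {}
    for name, (uid, _gid) in users.items():
        if uid == 0:
            reasons.setdefault(name, []).append("uid0")
    for gname, (gid, members) in groups.items():
        if gname not in ADMIN_GROUPS:
            continue
        for member in members:
            reasons.setdefault(member, []).append(f"group:{gname}")
        for name, (_uid, primary_gid) in users.items():
            if primary_gid == gid and name not in members:
                reasons.setdefault(name, []).append(f"group:{gname}")
    return reasons


if __name__ == "__main__":
    # Each line printed is an account to justify, scope down, or remove.
    for account, why in sorted(privileged_accounts(SAMPLE_PASSWD, SAMPLE_GROUP).items()):
        print(f"{account}: {', '.join(why)}")
```

On the constructed sample the inventory flags root and toor (both UID 0), posadmin (explicit sudo member) and reports (primary GID 27 is the sudo group, a grant that is easy to miss when reading /etc/group alone), while the nologin service account possvc is correctly absent. Running the same check against a real host's files is the first step of the privilege minimization the article recommends: anything on the list that does not need admin rights is a candidate for a scoped account.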

Data Breach Penalties Stack Up

Yesterday’s blog also delved into the cost and fees companies face when they suffer a data breach.

And this article by Bank Info Security gives even more insight into the cost and impact of a data breach. It interviews Larry Ponemon, founder of the Ponemon Institute, which conducted this year’s Cost of a Data Breach study with sponsorship from Symantec. The study revealed that the average cost of a data breach has gone down this year, which makes sense when you consider that, even with the Global Payments Data Breach in the news right now, its scale is a lot smaller than that of the Heartland Data Breach.

In fact, this article, also from Bank Info Security, gives a side by side comparison between the much bigger Heartland Data Breach and the Global Payments Data Breach.

But back to Ponemon’s interview and his company’s study: “According to the annual report, the average per capita cost of a data breach has declined from $214 per record to $194 since 2011’s report.”

Ponemon suggests two reasons for the decline in average costs.

  1. Complacency: “We think people in general may be becoming numb to the data breach notification process. Most people have received at least one data breach notice; they may not even be aware of it because they don’t open their mail. They may see it as junk mail.”
  2. Topical Shift, or rather the rise of intellectual property breaches, which are not a part of the annual study: “We focus on one type of data breach – the type of data breach [of personal records] that requires notification in the United States and then other parts of the world – but in reality there are other, maybe more costly, data breaches that companies are experiencing every day.”


HMS Data Breach Security Program

The hackers that go after credit card information are a creative group of criminals who are constantly pushing technology forward and tying security systems in knots. Many times a discussion about data breaches ends up with the conclusion that “it’s not if a data breach is going to happen, it’s when a data breach is going to happen.”

Host Merchant Services offers a key resource in preparing a business to tackle that issue: Its Data Breach Security Program. This program protects a business and a merchant can get up to $100,000 in coverage per location for the most common forms of data breach:

  • Employee Dishonesty
  • Skimming
  • Theft of Credit Card Receipts
  • Theft of POS Terminals
  • Stolen Card Numbers
  • Theft of Computers


The Data Breach Security Program helps cover fees for any industry-mandated audit of a suspected breach, card replacement costs and related expenses, and industry fines and assessments. All of these fees come from non-compliance with PCI DSS and are fees and issues that any company even suspected of a breach can face as we described yesterday in our blog. The coverage would exceed even the penalties that Cisero’s faces as we saw in the article about their lawsuit targeting the PCI itself.

How Does It Work?

Host Merchant Services makes it easy to file claims once you’ve gotten on board with the Data Breach Security Program. A simple online form starts the process:

  • Step 1: Fill out the online claim form at www.merchantdatabreach.com
  • Step 2: Upload or fax the notice from the acquiring bank, which stipulates that there has been a breach or a suspected breach at your location, and choose an authorized, qualified security assessor.
  • Step 3: When the forensic audit is complete, upload or fax a copy of the assessor’s report.
  • Step 4: HMS takes it from there. We process the claim for payment and if all documentation is in order you will receive a check for the expenses incurred from the audit and/or card replacement costs and/or fines incurred for a breach.

To recap

Data Breaches can and will occur. They are costly. The recent Global Payments Data Breach reminds us all how important transaction security is for all parties involved. Merchants need to understand how important PCI Compliance is for their business. And they also need to take more steps than just PCI Compliance. Host Merchant Services is committed to keeping its merchants safe and secure. The company takes the lead in the industry in terms of PCI Standards with its PCI Compliance Initiative. And the company offers added layers of protection to its merchants through its Data Breach Security Program.


PCI and the Data Breach [2023 Update]

Today The Official Merchant Services Blog continues looking at the bigger picture of the impact from the Global Payments Data Breach — specifically the effect it’s going to have on PCI DSS, with a little foray into State Security Breach Notification Laws.

You’ll remember yesterday we highlighted some of the criticisms found in the PCI DSS, specifically this article by Taylor Armerding which suggested that PCI compliance is not enough to protect data from the skilled and focused hackers who cause these data breaches.

We then focused on how PCI Compliance is still a great foundation for your transaction security. The standards and protocols set up by the council are the first step a merchant needs to take to protect their data. And Host Merchant Services offers a PCI Compliance Initiative that helps its merchants quickly and seamlessly take that step.

Still, the idea that PCI DSS is not living up to its billing as security shows itself in this story from Wired about a small business filing suit against its bank, claiming that the financial institution, which used to process the restaurant’s credit and debit card transactions, wrongfully seized money from the business’ merchant bank account. In short, the business is suing the bank for taking funds as penalties for being non-compliant with PCI DSS.

Taking it to Court

The story explains that Stephen and Theodoara “Cissy” McComb, owners of Cisero’s Ristorante and Nightclub in Park City, Utah, racked up $90,000 in fines that Visa and MasterCard imposed after alleging that Cisero’s had failed to secure its network and suffered a data breach that resulted in fraudulent charges on customer bank cards. U.S. Bank seized about $10,000 from the McCombs’ merchant account to cover those penalties and then sued the McCombs to obtain the remaining balance on the fines, saying a contract the McCombs signed with the bank makes them liable for such fines.

The McCombs struck back with a bold countersuit. The story explains: “But in their countersuit against U.S. Bank, the McCombs allege that the bank, and the payment card industry (PCI) in general, force merchants to sign one-sided contracts that are based on information that arbitrarily changes without notice, and that they impose random fines on merchants without providing proof of a breach or of fraudulent losses and without allowing merchants a meaningful opportunity to dispute claims before money is seized.”

This suit challenges the basic foundation of PCI security standards and opens up a lot of old wounds and criticisms about PCI DSS in context of the card issuers that make the call and form the council for PCI DSS. As the story says: “The controversial system, imposed on merchants by credit card companies like Visa and MasterCard, has been called a “near scam” by a spokesman for the National Retail Federation and others who say it’s designed less to secure card data than to profit credit card companies while giving them executive powers of punishment through a mandated compliance system that has no oversight.”

The linked article provides many of the details that led to the data breach at Cisero’s, as well as why the fines and penalties were applied according to PCI DSS standards. The McComb countersuit relies heavily on their assertion that PCI DSS oversteps its bounds in applying those penalties, offers no recourse for people to dispute the penalties, and levies penalties against businesses for violations even when no fraudulent transactions occur.

The Cost of a Data Breach

The case above and much of the criticism targeting PCI DSS deal with the fines banks, processors and subsequently merchants face when data gets breached. This article looks into the cost merchants face when the worst-case scenario occurs. A lot of merchants feel that lack of compliance isn’t an issue because they believe they are not responsible if something goes awry. But this article sheds some light on that: “suppose you or your merchant is suspected of one of those inevitable human errors, or of being a victim of a hacker. As long as there isn’t actually a breach, it’s no big deal, right? Wrong.”

The article lists the costs of penalties:

  • Forensics Audit done by investigators when they suspect your business is susceptible to a breach: Between $8,000 and $20,000
  • $3 to $10 per card to replace all cards compromised in a breach that happens.
  • $5,000 to $50,000 in fines for lack of compliance.
  • And even further in fines specifically tied to any fraudulent transactions that do occur as a result of the breach.

The article states that the average cost comes to $36,000, a hefty sum that can cripple small businesses. The McComb data breach may seem high in comparison, but going over the huge variance in the fine structure, it’s pretty easy to see how the bank came to a $90,000 figure.

Back to Global Payments

Speaking of the fees and penalties, it’s interesting to note that Global Payments faces many of the same problems that small businesses do, now that Global has been breached and run afoul of Visa in terms of PCI security and compliance. However, this story from ZDNet states that the company will likely absorb any costs from the data breach and not be affected as badly as the small businesses discussed above are by fees and penalties.

Global Payments continues to process, even after being dropped from Visa’s list of providers that meet security standards. The company is now working on being reinstated and once again being PCI Compliant. Working in its favor are its statements that it reported the breach to authorities the moment it found out it happened.

Which brings us to …

Security Breach Notification Laws

Security Breach notification laws were enacted in response to an escalating number of breaches of consumer databases containing personal information. The first such law was the California data security breach notification law, or SB 1386. It was enacted in 2002 and became effective on July 1, 2003. Currently 46 states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted similar legislation requiring the notification of security breaches involving personal information. The only states that currently have no such law on their books are Alabama, Kentucky, New Mexico and South Dakota.

  • Host Merchant Services is located in Delaware. The Delaware Security Breach Notification Law can be reviewed in its entirety at This Link.
  • Global Payment Systems is located in Georgia. The Georgia Security Breach Notification Law can be reviewed in its entirety at This Link and its subsequent amendment can be found at This Link.

These laws tend to follow a similar basic structure to the one California passed first in 2002 — companies need to immediately disclose a data breach to customers, usually in writing. There have since been a number of bills that would establish a national standard for data security breach notification, but none have been passed in Congress yet.

The Bottom Line

So what does this all mean? For now it appears that Global is weathering the storm brought on by the news of the data breach. They’ve minimized the impact of the bad news and are working to get their compliance situation straightened out. The data breach has put the spotlight onto the PCI DSS itself and we’ve seen that some small businesses and merchants are highly critical of the system. Comparing the crippling fines they can theoretically face for a breach that leads to no fraud against the impact that a large processor like Global faces for the same type of problem can leave some thinking the system needs more oversight. But PCI DSS does set the bar for security. It forces hackers to work harder than they would if it didn’t exist. It is a first step in terms of what merchants and processors need to do to protect transaction and data security.

The court case in Utah is very fascinating as it really takes the contract aspect of the PCI DSS to task. The Official Merchant Services Blog will continue to follow the news on that case. And we will keep you posted on the latest developments with this Global Payments Data Breach.

Data Breach Consequences [2023 Update]

Today The Official Merchant Services Blog is going to delve into the bigger picture of the impact that the Global Payments Data Breach is going to have on the payment processing industry. Obviously this news is going to have a huge impact on Global Payments itself. The company faces a big penalty after Visa dropped it from its registry of compliant service providers due to “unauthorized access into a portion of (Global Payments’) processing system.”

Fees and penalties related to reacquiring its compliance status and getting back on the registry will add up. In fact, an executive from Co3 Systems, a data loss management firm, estimated that the potential liability for a merchant with 1 million cards compromised could top $1.6 million from compliance fines alone. With Global’s own official statements indicating that fewer than 1.5 million cards were compromised, the Co3 estimate is probably right in the ballpark of what Global faces.

The company also will take a hit to its business simply because of the breach itself and being dropped by Visa. While they are off the list, some potential customers may not be able to sign with them due to the lack of compliance status. And if the process to be reinstated takes too long, it could affect some of their current customers.

But there’s a larger context that needs to be considered with this data breach: PCI DSS itself.

We’ve covered PCI Compliance very extensively in the blog. We looked at a report from Verizon last year that suggested 79% of the organizations Verizon surveyed were found to be non-compliant in their initial audit in 2010. The study from the previous year found 78% of organizations non-compliant. A study by Gartner Research demonstrated that 18% of the merchants they surveyed were not PCI Compliant at all.

What is PCI?

These studies just underscore the large problem payment processing faces with security. The acronym PCI DSS stands for Payment Card Industry Data Security Standard. PCI Compliance is essentially the process of adhering to the standards set forth by the Payment Card Industry Data Security Standards Council (PCI DSS). You can review those standards in greater detail here. Essentially the standards are a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment.

What’s the Problem?

One of the biggest criticisms of the PCI DSS is that it is the minimum agreed upon set of security protocols. Because of its nature as a consensus set of standards put together by the council, PCI is often criticized for being behind the curve or not being thorough enough to deal with the hackers who are trying to get at the data and breach the security of the transactions. Combine that with the studies that keep showing merchants are not keeping their compliance current or not even becoming compliant in the first place and you open the door for a lot of criticism against the system designed to keep transactions safe and secure.

Taylor Armerding wrote a compelling article for CSO Online on the issue of PCI compliance in the aftermath of the latest data breach. The lead statement of the article underscores the issue simply and effectively: “The latest data security breach to strike MasterCard and VISA has security experts focusing anew on the good and bad of PCI DSS. On one hand, the standard offers a clear blueprint on how to handle such a breach. On the other hand, compliance is usually not the cure, as this latest incident demonstrates.”

To add emphasis, Armerding quotes Neil Roiter, research director at Corero Network Security, as saying: “The Payment Card Industry Data Security Standard (PCI DSS) is highly prescriptive in nature, but simply complying does not ensure credit card security. Companies that rely on PCI DSS to solely dictate their security measures will continue to remain vulnerable to attack.”

The Weak Link

Armerding’s article suggested that compliance isn’t the be-all and end-all of security and that humans are still the weakest link in the system. Quoting Anup Ghosh, founder and CEO of Invincea, a developer of browser protection systems, the article says that too much of the security standards are stuck in the past. Ghosh also suggests that PCI is complacent and easy for hackers to circumvent. Ghosh says that the systems in place are designed more to tell you what happened after the fact, a reactive solution rather than a proactive one. Ghosh then suggests that the data that was compromised was likely encrypted, but the security standards are behind the curve where it really counts: the human layer of security.

Ghosh explains: “If I target employees, which is how you target these days, it is not very hard in phishing campaigns, to get employees to open an email or click on a link, which then provides access to their desktop and the privileges that come with it. [And in that case] Encryption is worthless.”

He then suggests a more proactive step of creating a more secure virtual environment for employees to work in so that whatever an employee clicks doesn’t end up compromising any data in the system.

PCI is Still Very Important

What Armerding and Ghosh say about PCI is quite compelling. But they both still point out that PCI Compliance is very important for merchants and payment processors. The standards may be behind the curve with the ever-clever hackers going after credit card data, but they set a starting point for security. They set the bar high enough that hackers have to put in work to circumvent the systems. Having PCI is so much better than not having it — which demonstrates how scary the Verizon and Gartner studies are.

Host Merchant Services advocates and performs a very zealous crusade for PCI Compliance. The company takes data security and safe transactions seriously and makes PCI Compliance a part of its value-added service package. HMS began a PCI Compliance Initiative last year that started with an ad campaign that offered for a limited time free PCI Compliance fees for merchants who signed up during that time. It then extended into an initiative run through a partnership agreement with HostMySite.com that offered a free PCI and Security Analysis to any customer interested, and now that same offer is available to anyone interested in Host Merchant Services, partnership or no partnership. The company provides on-call assistance with PCI Compliance questions and problems and will help all of its merchants get through the process with tips and advice from Host Merchant Services’ own PCI Compliance experts.

Tomorrow The Official Merchant Services Blog will follow up with the latest developments from the data breach, as well as more information about PCI Compliance, and PCI DSS issues that the payments industry and the tech industry are discussing.

For More Information

For more information about PCI Compliance, Host Merchant Services offers these resources:

PCI Compliance FAQ


PCI Compliance Guide


Merchants are Slacking on Security

According to a study by Verizon, 79% of organizations were not fully compliant with the Payment Card Industry Data Security Standard (PCI DSS) in their initial audit in 2010. That’s about the same level as the previous year, the first year the study was done. This is distressing news since PCI Compliance is extremely important for merchants and non-compliance carries heavy penalties.

Host Merchant Services offers its customers and potential customers a PCI Compliance Initiative, which includes a free scan, analysis and report.

HMS works with its customers to ensure they are PCI Compliant, offering resources, information and assistance every step of the way.


Secure transactions are important for merchants and a key element of the customer service HMS provides. Which is what makes the following statistics from the Verizon study somewhat disconcerting, considering how easy PCI Compliance is to maintain through Host Merchant Services:

This article by Information Week delves into the statistics from the Verizon report, and offers five reasons why merchants are letting their PCI Compliance slip each year.

1. Businesses See PCI As A Burden. PCI isn’t exactly a new standard, or complying with it a new requirement. Why aren’t more businesses taking it to heart? “Well, it’s hard to say, but one common reason is that they have not internalized the fact that PCI DSS is to help them (as well as card brands and banks) with security. It is not to punish them for failing an audit. PCI is seen by many as an ‘externality,’ not something they ‘adopted for themselves,’” said Gartner analyst Anton Chuvakin in an interview.

Host Merchant Services understands that PCI Compliance, especially being an annual requirement, can be an added burden on its customers. That’s why HMS created its PCI Compliance Initiative. The company seeks to shoulder that burden for its customers, making PCI Compliance as hassle-free as possible.

2. Merchants Don’t Maintain Continuous Compliance. Many businesses don’t pursue PCI as a way to improve security, but rather treat it as a compliance obligation. “PCI is still often seen as a ‘one time per year’ thing, and such an attitude is pretty harmful–but mostly to the merchants themselves, by the way. Organizations keep ‘doing it over,’ not maintaining it,” said Chuvakin.

Host Merchant Services, due to CEO Lou Honick’s prior experience in the web hosting industry, has a keen insight into how essential the security that PCI Compliance is attempting to standardize can be for its merchants. That is another key reason why HMS is so involved in seeing that its merchants maintain their PCI Compliance.

3. Poor Awareness Means Lackluster Effort. Compliance officers–or perhaps senior managers–are failing to educate themselves about PCI, and according to Verizon’s research, the greater the awareness of PCI found in a business, the greater the actual compliance. “The more aware your organization is of the standard, the more prepared you are for the type of approach you take,” said Verizon’s Mack.

Host Merchant Services also understands the trouble it can be keeping informed on PCI details and information. Which is why the company’s PCI Compliance Initiative includes easily available online resources to answer as many questions about PCI as possible, an online guide for the most common merchant classification to become PCI Compliant, as well as offering all of this information directly to the merchants face-to-face or on the phone. The goals of the program are to keep the merchant informed, make PCI Compliance easy to understand and easier to maintain.

4. Compliance Checklists Trump Security Posture. To help businesses better comply with PCI, the council in 2009 released the PCI DSS Prioritized Approach to help businesses know which aspects of PCI to address first to most mitigate the risks to cardholder data. But Verizon saw a 10% drop in use of the prioritized approach, and little use of it overall.

This issue is handled by HMS’ PCI Initiative as well. The company is there working directly with merchants step-by-step on PCI Compliance. So the checklists are handled, but there is also the HMS agent’s expertise on hand with each item on the checklist. So the merchant’s overall security posture is still taken into account. PCI Compliance is an important part of a merchant’s security and Host Merchant Services keeps that in mind through each part of the compliance process.

5. Businesses Not Prepping For PCI 2.0? Businesses that skimp on continuous compliance may soon find themselves called to account as they move to PCI DSS 2.0, with which businesses could have begun demonstrating compliance as of October 2010.

Host Merchant Services stays up to date on PCI Compliance standards and takes all of the burden onto the company’s shoulders. HMS keeps its merchants well informed about changes, but also does all of the hard work to explain the details and make sure its customers are continuously compliant.

If you take some time to review the PCI Compliance information we have on our site you’ll see that the process is straightforward and it is easy for us to maintain compliance for our customers. This is a path we walk down with our customers. Security is essential in payment processing. And we are here to ensure our merchants are secure and do not backslide into a position where they could get heavy penalties for non-compliance.

The statistics from the Verizon study are somewhat dismaying to read. But our analysis of them seems to indicate that it’s simply an example of where HMS’ focus on customer service steps things up. PCI Compliance can be easy to slack on when the onus is completely on the merchant’s shoulders. And a lot of Merchant Services Providers haven’t taken HMS’ unique approach so the burden remains on the merchant. At Host Merchant Services we take the burden, and help keep you informed, up to date and secure. PCI Compliance is too important to let slide.