COULD A BREACH HAPPEN AT YOUR ORGANIZATION?
Many merchants may not be compliant with the Payment Card Industry (PCI) Data Security Standard (DSS) because they lack the liability-reducing technology that their merchant processor is required to provide. Two-thirds of merchants aren’t compliant with the PCI DSS because they store unencrypted credit card data, take payments over the phone, and rely on company volunteers who take credit card information, which poses a risk. They also lack sufficient technology to eliminate sensitive information from their systems.
The use of credit cards as a method of payment allows organizations to receive payments from customers quickly and easily. However, accepting credit cards comes with risks. Hundreds of millions of U.S. records have been involved in data loss incidents, and that number keeps growing. According to the Privacy Rights Clearinghouse, in 2011, 592 data breaches resulted in over 31.1 million stolen records. As of early November 2012, 602 data breaches had resulted in over 23.5 million stolen records in 2012.
Could a breach happen at your organization? If your county receives credit card payments either in person or online — and your systems are not secure — you could have a breach of data that is stored on a server, on paper, or on a computer. It could take many months for this breach to be discovered. In the meantime, the stolen information could have been sold and residents’ credit cards used to commit fraud by purchasing items and opening new credit card accounts.
In an effort to counter these risks, the world’s major credit card companies (payment brands) have taken steps to protect their customers’ personal information and the credit card payment process. In 2004, Visa and MasterCard collaborated to create the Payment Card Industry Data Security Standards (PCI-DSS), a common set of industry security requirements. In 2006, the five major payment brands — American Express, Discover, JCB, MasterCard and Visa — formed the Payment Card Industry Security Standards Council (PCI-SSC) to manage the PCI-DSS.
PCI-DSS governs any business or organization that accepts payment cards and stores, processes, and/or transmits cardholder data. The standard:
• focuses on protecting cardholder payment data and increasing
• mirrors best security practices for the protection of sensitive
• requires twelve basic steps for protecting credit card information;
• applies to internally developed or “homegrown” applications that are not sold to a third party.
By: Thomas D. Smith, Director Office of Cyber Security, NYS Office of Information Technology Services
For more information on how to keep your organization secure, contact Tina at 888.413.9186.