PCI Security Standards
The concept of value has grown with society over millennia: from bartering to coins, then paper notes, how we pay can be almost as important as paying at all. With the advent of technology, the next phase of money is not a physical form at all. Using credit and debit cards, many people go without cash entirely. A single swipe of a plastic card lets you make a purchase or pay a debt without carrying a large amount of cash or counting change. That convenience relies heavily on communication between systems. For the consumer, it is simply a swipe, with the most strenuous step being to hold the magnetic stripe the right way. What most take for granted is the communication and security work that must follow in the milliseconds after that swipe. The card carries the account number, expiry date and other data that link it to your bank account, and a copy of that data is enough to make fraudulent purchases in your name; combined with the personal details a merchant or bank holds about you (name, home address, identification numbers), it can support wider identity fraud. Such data must therefore be protected at all times. It is exposed while it travels between the reader, the merchant and the bank, and again wherever a copy of it is stored, and we put it at that risk with every purchase.
Methods and Authority of Secure Transactions
When securing this information, multiple points must be kept secure: the card readers, the point-of-sale systems, the networks and wireless routers at individual stores, the storage and transmission of the data, any paper records of transactions, and any online application or shop that handles the information. Each is a potential point of breach. A breach has many repercussions: lost confidence that sends customers elsewhere, the cost of reissuing compromised cards, and the ever-present risk of fraud. Businesses face fines and penalties for failing to keep the data safe, and employees can be disciplined or lose their jobs over a breach. All this comes before the legal fallout, which can be extensive.
A payment system as widespread as branded payment cards is too vast to leave to individual vendors to police. The payment card industry therefore set a common standard, the Payment Card Industry Data Security Standard (PCI DSS), covering the branded cards of Visa, MasterCard, American Express, Discover and JCB. The standard is backed by those card brands and administered by the Payment Card Industry Security Standards Council (PCI SSC). Its purpose is to tighten control over cardholder data so as to reduce breaches and fraud, and it applies to every organisation that stores, processes or transmits that data, from a large corporation to a single small merchant.
The council describes compliance as a continuous three-step process: assess, remediate, report.
Assess. Identify where cardholder data is received, processed and held, take an inventory of the IT assets and business processes that touch it, and analyse them for vulnerabilities. Because the major card brands all back the same standard, a merchant can follow one process rather than accommodating a separate format for each brand, which makes the assessment far faster.
Remediate. Fix the vulnerabilities found, and eliminate the storage of any cardholder data that is not strictly necessary. Sensitive authentication data, meaning the full magnetic-stripe contents, the card verification code and the PIN, must never be kept after a transaction is authorised; if the account number itself must be kept, it must be stored unreadable (encrypted, truncated or tokenised) and masked wherever it is displayed. This is why a typical merchant asks for a fresh swipe each time rather than reusing the details of an earlier purchase: it holds no copy of the data that a fraudster, or a tempted insider, could use. At the same time, the remaining systems are continually re-evaluated to find and close weak points.
Report. Compile the required compliance records and submit them to the acquiring banks and card brands involved. Depending on the merchant's transaction volume this is a self-assessment questionnaire or a formal report on compliance prepared by an assessor, together with regular network vulnerability scans. These reports contain no cardholder data themselves; they document how the data is handled and where it might be at risk, giving the banks and brands a regular check on every party in the system.
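The three steps above, worked through as an added example that is not from the page or from the PCI SSC: a small Python script that scans a few constructed log records for stored card numbers (assess), strips sensitive authentication data and masks the account numbers that remain (remediate), and summarises what it found (report). The record layout, the field names treated as sensitive authentication data, and the sample records are all assumptions made for the example; the card numbers in them are publicly documented test numbers that pass the Luhn check but belong to no real account.

```python
import re
from typing import Dict, List

# Constructed sample records (not real logs): what an assessor might find in a
# merchant's transaction log. The card numbers are public test PANs.
SAMPLE_RECORDS = [
    "2024-05-01 POS-07 sale ok amount=42.10 pan=4111111111111111 exp=1227 cvv=123",
    "2024-05-01 POS-07 sale ok amount=9.99 pan=5555555555554444 track2=5555555555554444=27121010000000000000",
    "2024-05-02 web order 1183 customer=jdoe phone=5551234567 total=120.00",
    "2024-05-02 web refund ref=1234567890123456 total=15.00",
]

# A PAN is 13 to 19 digits; allow the spaces or dashes people type between groups.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names assumed (for this example) to carry sensitive authentication data,
# which PCI DSS forbids storing after authorisation.
SAD_FIELDS = ("cvv", "cvc", "cvv2", "pin", "track1", "track2")
SAD_RE = re.compile(r"\b(%s)=\S+" % "|".join(SAD_FIELDS), re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(record: str) -> List[str]:
    """Assess: return every Luhn-valid PAN (digits only) present in a record."""
    found = []
    for m in PAN_RE.finditer(record):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Mask to the PCI DSS display limit: at most first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def remediate(record: str) -> str:
    """Remediate: drop SAD fields outright, then mask any valid PAN left behind."""
    cleaned = SAD_RE.sub(lambda m: m.group(1) + "=[removed]", record)

    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Non-Luhn digit runs (order references, phone numbers) are left alone.
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)

    return PAN_RE.sub(_mask, cleaned)


def report(records: List[str]) -> Dict[str, int]:
    """Report: counts only, so the summary itself holds no cardholder data."""
    pans = set()
    sad_hits = 0
    for r in records:
        pans.update(find_pans(r))
        sad_hits += len(SAD_RE.findall(r))
    return {"records": len(records), "distinct_pans": len(pans), "sad_fields": sad_hits}


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(remediate(rec))
    print(report(SAMPLE_RECORDS))
```

The SAD fields are removed before the masking pass so that a track-2 value, which embeds the whole account number, disappears entirely rather than being merely masked. The refund record shows the Luhn check doing its job: a sixteen-digit order reference looks like a card number but fails the checksum and is left untouched, which keeps a scan like this from drowning in false positives.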
Keep Your Data Secure
Information security is an ongoing process and must not be underestimated. Many organisations treat compliance as an annual event, but that creates a false sense of security: forensic investigators examining breaches have repeatedly found that controls which were compliant at the time of assessment had not been maintained through the year. Complacency is unacceptable where security is concerned. The Standards Council itself is not a policing body and does not enforce the standard; enforcement, including fines, comes from the card brands and acquiring banks through their contracts with merchants. So while the card brands' own systems are well protected, the weak link is usually an individual vendor, and it is worth being aware of how the vendors you deal with handle your card.
Practical steps for added security include buying and using only approved PIN entry devices, using only validated point-of-sale software, online or offline, and storing no cardholder data on your computers or on paper. On your own network, run a firewall at the network edge and on each computer. Your wireless router should require a password and use encryption (WPA2 or later, never an open network or WEP). Passwords should be long and hard to guess; a multi-word passphrase is a good choice, and the shorter and simpler a password is, the weaker the protection. Even with those measures, inspect your hardware and software regularly for rogue additions: skimming software, and overlay faceplates that read a card as it is inserted, are easy to install and easy to hide, and failing to notice one causes far more trouble than taking the time to look. Everyone who handles this information should have a working understanding of what protecting it requires.