Pulse Legacy Archive January / February 2011 | Page 22

voices (Continued from page 18) The fines that each payment card company can impose for non-compliance are typically $25,000-$50,000 but this can pale in comparison to the partial recovery of the severe losses experienced by the card issuers—to which the merchant is responsible and can easily run into the hundreds of thousands of dollars. The other major problem is that as the card companies start shifting more liability to your issuing bank, the issuing banks will become much more stringent and soon will even stop allowing you to accept payment cards if they determine that you are not PCI compliant. If those impacts alone weren’t business ending events, the irreparable damage a breach could cause to your reputation and brand image certainly could be. AM I PCI COMPLIANT? Thankfully, there is one relatively simple step you can take to confirm compliance of your systems. That is to ensure you are using a PA-DSS (Payment Application) validated software system to handle your payment card processing. As of July 1st of 2010, all software systems that store, process or even transmit payment card data must be validated against the PADSS standard. As you would expect, there is a dramatic shakeout happening in the point-of-sale application space because there are many systems that are technically not able to meet the very strict standards of PA-DSS and will soon be out of the marketplace. There is fundamentally one question you need to ask your software provider: Do you have a PA-DSS validated application or are you a PCI Level 1 Service Provider? You can check the list of approved PA-DSS applications at: pcisecuritystandards.org 20 PULSE ■ January/February 2011 Common Point of Purchase (CPP) How Payment Card companies determine source of breach If they cannot answer this question with a simple “Yes,” you may need to either explore other options or get clarity about where your software provider is in their compliance initiatives. It may simply be the case that they have received a favorable Report on Validation (ROV) from a Qualified Security Assessor (QSA) and have simply not yet been approved and listed by the PCI Council. Although not optimal, it should at least give you some comfort that they are well on their way to compliance. WHAT IF I USE A HOSTED SOLUTION? Cloud computing, which allows a software service provider to host your software on Internet servers “in the cloud” is ideally suited for certain types of applications. Where integration with other “on-premise” operational software is not critical, the flexibility and economics of the public cloud are hard to ignore. The major knock has always been security. Many organizations need to secure their systems and data in ways not possible today in the public cloud. The flexibility of the public cloud comes where servers (sometimes thousands) not directly provisioned by you (or your provider) may be involved in processing your data. This is also one of the critical architectural flaws because in the case of a breach, physical auditing is not possible and yet required according to PCI. Amazon, Rackspace and other cloud providers have acknowledged that their public cloud offerings are not able to meet the strict requirements of PCI and strongly recommend that applications that require processing, storing or transmitting payment card data not do so on their public cloud infrastructure. This does not mean that your software cannot be cloud-based and PCI compliant, as there are providers using private cloud and/or are certified as PCI Level 1 Service Providers. Some cloud-enabled vendors do not profess their own PA-DSS compliance but point to their payment card processing partner’s compliance in a sort of “innocent by association” position. Even if they offload their payment processing (to something like PayPal or i4Go) and never, ever touch payment card data, they are still in scope of PCI and must be validated. A non-compliant application may get hacked and send your customers to a site that “looks” like Paypal. If you value the solution of your current software provider, I would ask for validation that they are protecting you as the custodian of your customers’ data. Remember, the ultimate responsibility is yours as the merchant and if your software provider is non-compliant and a breach occurs, they may turn their back at your moment of greatest need. ■