
Napa Valley POS
Product Updates & News

November 2011

PCI Compliance: What is it and Why Should You Care?

Hi,

Have you ever checked your credit card statement and found that "you" bought some nice clothes in Italy or purchased some scalped concert tickets for Lady Gaga at Madison Square Garden? If the answer is yes, then you are part of a growing club: those who have had their credit card information stolen. We all know someone who has had this happen. Often in the end they got their money back and only lost the time it took to make the requisite calls to the bank. The people who used the stolen info got a bunch of nice free stuff. Guess who lost? The bank. You hope at least they went after the people who stole the info, but either way it's a losing deal. This is why banks are clamping down more tightly on credit card security all the time. Enter PCI Compliance.

To begin with, PCI is an acronym for "Payment Card Industry." The Payment Card Industry includes every business that processes, stores, or transmits credit card data. PCI Compliance refers broadly to an effort by banks to ensure that merchants who handle credit cards are doing so in a secure environment. It is an attempt to stem losses from credit card theft and fraud. To be PCI compliant is to adhere to the "Payment Card Industry Data Security Standard (PCI DSS)," which is a set of rules defined and enforced by the major merchant banks. It's not my intent to discuss the details of PCI compliance here, but if you are interested in reading further, click here for a good site devoted to the subject.

What's the real-world implication of PCI compliance for wineries? Why should you care? One thing I hear fairly often is "we're a winery, no one's going to hack our system." While it's likely true that no hacker out there is going to single out your winery, the fact is that you could still easily be at risk for a breach of security. There are many ways it can go down and, like most accidents, it's never the way you imagined it would happen. Ponder the next two questions.

1: What is the most common way that credit card numbers are stolen?

A: Spyware
B: Fraudulent Websites
C: Lost wallets/purses
D: Phishing

2: Do you allow your cashiers to browse the web using the POS computers in the tasting room? Yes or No.

The answer to Question 1 is A. Spyware. This is currently the way most stolen credit cards are obtained.* Hidden programs that you unwittingly installed when you clicked X to close that bothersome ad window can track and export every single keystroke made at your POS. They can send that information to a server across the globe where some of it will be sold on the black market. Not only can key logging software capture your witty email to your buddies about last weekend's adventures, it could also capture every single credit card you swipe at the register. What if you had a support call to NVPOS in which a tech logged into your SQL database and that info was also hijacked? You may be storing thousands of wine club members' credit cards in there. I hope I'm making it really obvious why the answer to Question 2 needs to be an emphatic No. You should view your POS register as a dedicated machine only to be used for POS purposes and not for casual web browsing. While anti-virus/malware/spyware software utilities are helpful, the biggest problem is that some of these malicious applications are very sophisticated and are sometimes unwittingly installed even by savvy users.

Security breaches can be extremely expensive. We have heard from industry experts that a business that has been compromised - even a single credit card traced back to your system - can be liable for replacing the credit cards of every single cardholder in their database at up to $35 per card. If you have wine club memberships stored in your RMS database you could be liable for thousands of credit cards.

On May 23, 2008 Microsoft issued Service Pack #2, a patch that brings RMS software into compliance with PCI DSS. However, this is just one component. There are hardware, networking, environmental, and personnel factors to consider as well. It is my hope that this article will motivate you to assess your exposure to possible threats in your business and think about ways to minimize risk before the banks ever come calling.

*For more information see the interesting article at http://money.msn.com/identity-theft/what-you-are-worth-on-black-market-credit-cards.aspx

Please see the PCI Security Standards Council's web site for more info.

Exposed Credit Card Data in Your Database?

I have worked on many data conversions and one common trait to nearly all of them is the existence of "temporary" tables used to assist in previous data import or export projects. Oftentimes these temporary tables contain unmasked credit cards. These databases are unwittingly breaking PCI standards regardless of the Service Pack level of RMS. NVPOS can help you assess and remove this data. Please call us if you are interested in a data review.
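A sketch of the kind of check such a data review can start from, added here as an example and not NVPOS or Microsoft code: it walks every table and column of a database and counts values that contain a Luhn-valid 13 to 19 digit number. SQLite stands in for the RMS SQL database, the table names are hypothetical, and the sample rows are constructed using the widely published test card numbers.

```python
import re
import sqlite3

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum, used to separate card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pan_columns(conn):
    """Return {(table, column): count} of values holding a Luhn-valid 13-19 digit number.
    Only counts are reported, so the scan output never contains card data itself."""
    hits = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            for (value,) in conn.execute(f'SELECT "{col}" FROM "{table}"'):
                for m in PAN_RE.finditer(str(value or "")):
                    if luhn_ok(re.sub(r"\D", "", m.group())):
                        hits[(table, col)] = hits.get((table, col), 0) + 1
    return hits

def build_sample_db():
    """Constructed sample data; table names are hypothetical, card numbers are
    the widely published test numbers, not real accounts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customer (id INTEGER, phone TEXT, card_display TEXT, order_ref TEXT);
        INSERT INTO customer VALUES (1, '7075550100', 'XXXXXXXXXXXX1111', '1234567890123456');
        CREATE TABLE tmp_club_import (id INTEGER, card_number TEXT, notes TEXT);
        INSERT INTO tmp_club_import VALUES
            (1, '4111111111111111', ''),
            (2, '5555 5555 5555 4444', 'call back'),
            (3, 'XXXXXXXXXXXX4444', 'card on file 4111-1111-1111-1111');
    """)
    return conn

if __name__ == "__main__":
    for (table, col), n in sorted(find_pan_columns(build_sample_db()).items()):
        print(f"{table}.{col}: {n} value(s) look like unmasked card numbers")
```

The masked values, the phone number and the 16-digit order reference that fails the Luhn check are not flagged; the leftover import table is, including the card number buried in its free-text notes column.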

Introducing CustomerCentral "Favorites"

I devoted some energy last month urging you to avoid the "Generic Retail" customer in RMS. The marketing reasons for that are obvious but I know it's not realistic to avoid this entity completely. Sometimes you need to cut straight to the chase and make the sale and move on to the next sale. Sometimes the Generic Customer profile has a discount embedded or helps with reporting schemes. For those of you out there using generic placeholder customers in RMS we've developed a shortcut in CustomerCentral that will allow you to instantly select those customers, bypassing the lookup. The setup is minimal. Once completed you will have favorites buttons available in CustomerCentral. Simply click the button and your customer will be entered directly into the POS transaction. It's as simple as that! This new feature will be available in version 1.7, within the next few days. Simply open ProductControl, click Check For Updates, and you will see the update as soon as it is available.

CustomerCentral Favorites Screenshot

NVPOS Current Release Versions

Note: Releases highlighted in green are updates since last newsletter.

NVPOS Current Versions

For more info on how to update your software please click here.

Feedback

As always, we value your feedback, so please feel free to click here and tell us how we are doing.

Happy Thanksgiving,

Jon Trafton
Product Manager
Napa Valley POS

 




 
© Copyright 2012 Napa Valley POS