Petrogram - Fall 2009 - (Page 17)
FEATURE

Protecting Your Business
PCI Tips for C-Store Owners
Jim Fish

The majority of merchants generally have no background in information security. For a merchant who is already putting in an 80-hour week trying to operate a profitable business, finding the time to develop a compliance strategy to meet the requirements of the PCI Data Security Standard is a daunting task and well outside of their comfort zone. Unfortunately, the very same data assets required to operate the business are the ones that, if compromised, put the business most at risk.

The merchants I have spoken with generally select one of the following four options:

(1) I'll ignore it and it may go away;
(2) I'll wait and see. If I am compromised, I'll deal with it then;
(3) I'll wait for my bank to ask me. I never signed up for PCI;
(4) I'll bite the bullet, be proactive and treat data protection as another business process.

The first three are obviously the easier choices; unfortunately, they also put your business in jeopardy.

Ignore it: Do you remember signing your merchant agreement so you could accept credit cards? By signing that, you agreed to abide by the card brand regulations (i.e., the PCI Data Security Standard). If you are compromised and are found not to be in compliance (especially if your old POS system is storing sensitive card data), the fines can be onerous. In some cases a compromise can be a going-out-of-business event.

Wait and See: How badly would your business be impacted if you were unable to accept credit cards? Most merchants report that more than 70 percent of their business is via credit card transactions.

Wait to be Asked: The deadline for compliance is long past. Don't wait to be asked.

Bite the Bullet: Good choice, but before you pull out your credit card to purchase new hardware and software, tackle some critical and less expensive tasks first:

1. POS System: Confirm you are running a Validated Payment Application. Your POS system is a critical component of your overall PCI compliance program. Make sure it has been validated to the Payment Application Data Security Standard. If you have an existing system, check both Visa's and the PCI Security Standards Council's lists of validated payment applications to make sure your application software name and exact version number are both listed. If they are not, check with your POS vendor for the latest PA-DSS or PABP validated version. This is important because if you are running a non-validated version, as of July 2010, you may be unable to get or renew a merchant account from your bank. If you are considering the purchase of a new system, again, check both Visa's and the PCI Security Standards Council's lists of validated payment applications. If your prospective POS vendor is not on either list, confirm where they are in their validation process to ensure your system meets all the standards and you are not buying a future problem.

2. Read Your POS Implementation Guide: If you can't find it, ask your POS vendor for it. Every validated payment application must be shipped with an implementation guide. Following the instructions in the implementation guide will ensure that your application is configured in a secure manner that meets the PCI standard.

3. If You Don't Need it, Don't Store it: Make sure your POS system is not inadvertently storing credit card information