The dangers of PCI tunnel vision
The Payment Card Industry Data Security Standard (PCI) is an excellent set of security requirements with which all of the major credit card companies expect merchants to comply. It includes technological, operational, and physical security measures designed to keep credit card data secure. To avoid penalties and fines, merchants are required to validate their business practices against these standards, and by now many merchants have invested a huge amount of time, effort and money in their PCI compliance programs. As a security company, we applaud any measure that causes retailers to investigate and remediate their security vulnerabilities. While the effectiveness of PCI as a security standard will be evaluated over time, it appears that many retailers cannot see the forest for the trees.

PCI is a credit card security standard. It deals with protecting sensitive cardholder data. Other data such as the name on the credit card, the expiration date, or anything else that can be tied back to the primary account number on the card is considered cardholder data as well, but the key point is that for PCI to be concerned with any data at all, credit cards have to be involved.

Merchants are so concerned with validating their compliance to their acquiring bank or to the credit card companies directly that we are seeing many of them ignore other gaps in their security because those gaps are not in scope for PCI. With enough personal information, thieves can steal someone's identity. Many retailers, especially fast casual restaurants with a loyalty program, hold the names, birth dates, home addresses and other sensitive data of their customers. We have even seen retailers ask for social security numbers, which they use as the "ID" number for their programs. This personal data is just as critical to protect as credit card data, but your bank will not be checking on that security.

Here is the ironic part: PCI is not a law. The credit card companies are attempting to self-regulate security without the intervention or supervision of the government. On the other hand, there are both federal and state laws that concern themselves with protecting sensitive personal information that could be used to perpetrate identity theft. In fact, it is more devastating to a patron to have a criminal take their personal information and obtain illegal (but legitimate-looking) credit cards through identity theft than to have fraudulent purchases made with stolen credit card data. The cardholder has built-in protection from fraudulent purchases made on their credit cards, but an identity thief who has opened numerous illegal credit cards, or purchased assets in someone's name, can destroy the credit score of a victim for years. It is not uncommon for identity theft victims to spend several years in court trying to reclaim their good name and defend themselves against angry creditors.

While it is true that PCI concerns itself only with credit cards, as a merchant you should think about security holistically if you want to protect your patrons. If you hold sensitive data of any kind, protect it. The recent stories about identity theft in New York and Georgia should be enough to convince anyone that this issue belongs on the mind of everyone who collects sensitive data (even if your bank is not asking about it).


Brad Cyprus
Bradley K. Cyprus has more than 20 years of experience in the security industry. He manages the development of in-house solutions to validate compliance, and he is a resource that Vendor Safe customers can rely upon to help interpret the PCI standard.