May 5th, 2014 by Elma Jane

The Payment Card Industry (PCI) Data Security Standard (DSS) has come under criticism as high profile data breaches continue to expose flaws in retailers’ data security systems. But telecommunications firm Verizon Wireless concluded that the PCI DSS is working.

Some Responses to Criticisms  

Nilson Report research from August 2013 that said card fraud cost the global payments market over $11 billion in 2012. Verizon added that the frequency of fraud schemes that the PCI DSS was designed to avoid is in fact growing. And yet most businesses are not fully compliant at the time of assessment. Only 51.1 percent of the companies it had audited had passed seven of the 12 requirements of the PCI DSS and only 11.1 percent of said companies had passed all 12.

Verizon addressed some of the criticisms leveled at the PCI DSS. One concern is that the standard promotes compliance as a test to be passed and forgotten, which distracts companies from focusing on improving security. Verizon responded by stating that breached businesses were less likely to be PCI DSS compliant than unaffected companies. It also said businesses improve their chances of not being breached by having the standard in place, and of minimizing the damage of a breach should one occur.

Another common complaint leveled at the standard is that it is too cumbersome and slow moving in relation to the quickly evolving threat landscape and nimble fraudsters ready to try new tactics. Verizon countered that the PCI DSS is meant to be a set of baseline security protocols. Achieving compliance with any standard is simply not enough, organizations must take responsibility for protecting both their reputation and their customers. Most attacks on networks are of the simple variety, with 78 percent of hacking techniques considered low or very low in sophistication. Data Breach Investigations Report (DBIR)  research shows that while perpetrators are upping the ante, trying new techniques and leveraging far greater resources, less than 1 percent of the breaches use tactics rated as high on the VERIS (Verizon’s Data breach Analysis Database) difficulty scale for initial compromise.

Recommendations

There’s an initial dip in compliance whenever a major update to the standard is released, so organizations will have to put in additional effort to prepare for achieving compliance with DSS 3.0.

The newest version of the standard, PCI DSS 3.0, went into effect Jan. 1, 2014. Businesses have until Jan. 1, 2015, to implement it. The updated standard has new requirements and clarifications to version 2.0 that will take time for businesses to understand and implement, and this will result in more organizations being out of compliance.

To help businesses deal with their PCI DSS compliance obligations the firm offered five approaches:

Don’t leave compliance to information technology security teams, but enlist application developers, system administrators, executives and other staff in helping further along the process.

Embed compliance in everyday business practices so that it is sustainable.

Integrate compliance programs into enterprise-wide governance, risk and compliance strategies.

Learn how to reduce the scope of organizations’ compliance responsibilities, chiefly by figuring out how to store less data on fewer systems.

Think of compliance as an opportunity to improve overall business processes, rather than as a burden.

Posted in Best Practices for Merchants, Credit card Processing, Credit Card Security, Electronic Payments, Payment Card Industry PCI Security, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , , , , , ,

October 3rd, 2013 by Admin

When managing a business nothing helps more than raw data. Storing that data in a database makes it infinitely more flexible and accessible. A database is an application that efficiently and effectively stores and retrieves data as well as ties that data to other data. Many large scale accounting applications like QuickBooks, PeachTree and many other titles store all their information in some form of a database.

Tables are like spreadsheets. Rows and columns group together data in an organized manner. Databases can have many tables with many columns or just a few. Relational databases like SQL database engines link tables together using what are known as primary and foreign keys. So in the example of an invoice the Customer table has a Primary key uniquely identifying a specific customer from the rest of all of the customers. The Invoice table stores a foreign key in its table so the match between customer id’s links the two tables. The invoices themselves also have a primary key so that there can be many invoices for the same customer. These concepts are actually born of a mathematics branch known as Algebra.

Data at its most basic level is a specific bit of information. Like the number 19 or a specific date and/or time. A database holds these bits of data and an application built to interact with a database is used to generate information from the data. A clearer example is the invoice. An invoice has quantities, part numbers, serial numbers, account numbers, dates and even totals which are not stored in the database but are calculated each time the invoice is accessed. Invoices bring many bits of data to a single entity most commonly referred to as a report. Looking at a common invoice explains a transaction with the details stored in many tables all tying back to a single transaction.

Database servers run a service that can be connected over connections on a local area network or over the internet to allow applications on different computers access to data simultaneously. Many websites like Facebook, NASA and even Google make extended use of databases to supply services to millions of users concurrently. Whether it’s over the internet or across a physical office space, a database can be the heart of a businesses information technology.

SQL databases conform to an industry standardized set of functionality so that complex queries can be performed without knowing the underlying technical architecture.

Open Source

Open Source is usually associated with applications that are free to download, distribute and modify. Many times open source applications are developed by a community of developers over the internet that take feature suggestions from the user community and build them into the application. Open source applications tend to follow one of several ‘licenses’ like the GPL or General Public License to make sure the program is unmolested or incorporated into a proprietary software trying to take credit for the programming code.

There are many examples of open source titles here.
http://directory.fsf.org/wiki/All

https://en.wikipedia.org/wiki/List_of_free_and_open-source_software_packages

Open Source Databases

One aspect of open source known as LAMP has become wildly popular as the internet has matured. Lamp stands for Linux, the operating system, Apache, the web server component, MySQL, a wildly popular free and open database engine and the P stands for Perl, Python or PHP the three most popular languages of backend programming. Combining these components provides a very fertile ground for developing Web Applications that can be served across an office or the world. Many sites like Google and WordPress take full advantage of these technology to create feature rich applications that run in a web browser but work like a traditional desktop application like Microsoft Word. Being open source allows anyone to build on top of or out of the offering. This means you can customize the programming of any of these applications to best fit your particular style or way of doing business. This is a huge time saver for any small business.

Some common examples of open source applications that utilize Lamp architecture are listed below:
SugarCRM – A contact and lead management system to manage a sales force.
WordPress – The most popular blogging application on the internet.
OpenCart – An extremely flexible shopping cart software.
GNUCash – A full fledged accounting program.

Mobile Devices

Today we have smartphones and tablets that have web browsers built in and available for each platform. Using new techniques known as adaptive or responsive web layouts, information on a page automatically transform a web page to smaller displays. So any page can be designed once and displayed on a desktop browser, a tablet browser or a mobile phone browser. This allows web designers to best optimize the content for smaller displays while leaving the pages viewed on a desktop for a larger view. Using responsive design techniques your business data can even extend to mobile devices like iPhones and Android or Blackberry phones and tablets. The potential is huge for your business.

Posted in Best Practices for Merchants, Point of Sale Tagged with: , , , , , , , , , , , , , ,