Convio Security Breach and (PCI DSS) Payment Card Industry Data Security Standards
January 01, 2008
I find it interesting that I see no mention in any of Convio's follow up information of the required and mandatory Payment Card Industry Data Security Standard's compliance certificate required for service providers handling cardholder data in our industry.
In their followup information contained here: http://www.convio.com/site/PageServer?pagename=reg_onlinesecurity
Convio makes no mention of the mandatory Payment Card Industry Data Security Standards. The Card Association members, Visa, MasterCard, Amex, Diners, JCB require that all service providers doing any type of cardholder transaction must hold a valid PCI DSS compliance certificate.
All merchants wishing to use credit cards for their business, charity or nonprofit are required to use only compliant processors, service providers, suppliers and vendors. In fact, Convio only mentions the following sites to visit.
For more information, visit these sites: * OnGuard Online: http://onguardonline.gov/ * Hoax Busters: http://hoaxbusters.org/ * National Consumer League's Fraud Center: http://www.fraud.org/ * Symantec: http://www.symantec.com/norton/security_response/index.jsp * McAfee: http://us.mcafee.com/root/identitytheft.asp?cid=23903
Sources: Wells Fargo and OnGuard Online.
The PCI DSS program has been in place in various incarnation since Visa began the pilot in 2001. The mandatory security auditing program is required for all merchants world-wide and started out with the Internet Payment Service Providers, extended to all of their suppliers and vendors that handled any type of cardholder data regardless of whether the cardholder data was stored in their systems or not.
All acquirers, processors and service providers are required to assure that all of their service providers and vendors hold a valid PCI DSS compliance certificate or their compliance is rendered VOID and are subject to fines and loss of merchant status. And rightly so, as the program aims to lock down an extremely insecure Internet medium. The program breaks the merchants into 4 levels. Level 1,2, 3 are all to be compliant now. Level 4 merchants, those doing 20,000 or less transactions annually will be held to the audit standards with dates to be announced this year by Visa. All acquirers were required to submit their plans for level 4 compliance as of October 2007.
So why in the year 2008 is the Internet industry still so extremely insecure. Because during the Internet's commerce inception and in subsequent ongoing years, anybody and their dog could throw up servers and systems to get a business going without the knowledge, experience and expertise to set things up securely. People were lured by the prospect of the supposed overnight riches Internet commerce appeared to be offering! The Cyberspace Gold rush created a nightmarish network of insecurity that the many sophisticated and well organized criminals are taking full advantage of, while laughing all the way to their very rich bank accounts.
Fraud and identity theft is still on the rise and the horrendous aspects of so much of the fraudulent booty goes to fund terrorism. Terrorism which threatens our national security and our hard fought freedom and way of life! Terrorism that our brave young men and women are fighting and laying down their lives for in Afganastan and Iraq.
Your clients and donors expect that you are keeping their data secure and private. You are required to do that ethically and legally. You cannot maintain a privacy policy without having a proper security risk management strategy implemented and monitored by security experts. That is what the PCI DSS program helps you do, get secure and stay secure! Your clients and donors deserve no less than you meeting the required industry standards for privacy and security. And if you are doing cardholder transactions the consequences of not being compliant, and any subsequent breach will negatively impact your budgets and reputation! If you are PCI DSS compliant you are given safe harbour by the Card Associations against fines and loss of your merchant accounts! You will be able to prove to your clients and donors that your organization constantly upheld the PCI requirement process, procedures and methodologies with your security due diligence thus keeping your reputation in tact!
To be part of the solution you must start with asking the question:
1. Is our organization PCI DSS compliant?
2. Are all our suppliers and vendors handling any of our cardholder data on our behalf PCI DSS compliant? Is their certificate valid?
If not go to:
https://www.pcisecuritystandards.org/tech/supporting_documents.htm You will find the PCI requirements for your organization and a list of certified security assessors and approved scanning vendors to help you put together a holistic security risk management plan to get secure and stay secure!
When you achieve compliance and have your certificate or your service providers certificates, you, your clients and donors will have peace of mind in the additional confidence and trust that everyone's confidential data will stay just that, CONFIDENTIAL!