The Payment Card Industry (PCI) Security Standards Council is an open global forum, launched in 2006, responsible for the development, management, education and awareness of the PCI Security Standards – including retail standards for data security, payment application data, and PIN transactions. As we move through the recent economic ups and downs, the PCI Security Standards Council has been working diligently to build upon the standard initially released in 2006, continuing to provide relevant clarifications, self-assessment tools and continuing education programs that give merchants of all sizes a security baseline.
While larger organizations have moved forward and are now focused on optimizing PCI to make compliance more cost-effective, smaller organizations often find themselves stalled, and at times overwhelmed by the prescriptive nature of what they need to implement and spend to be PCI compliant. This is despite the fact that small businesses stand to benefit more from PCI, since this segment typically relies on a far more fragmented set of vendors and integrators to enable its business technologies.
In a recent indictment by the U.S. Department of Justice, four individuals were accused of a multimillion-dollar fraud scheme believed to have compromised hundreds of U.S. merchants and more than 80,000 U.S. consumers – including 150 Subway restaurant franchises. The PCI certification level of the compromised retailers was not stated, but it doesn’t surprise me that franchises were targeted. For these smaller businesses, it’s sometimes unclear what they need to do for PCI. For example, if they are sourcing their POS systems and software as part of the franchisor’s recommendations, or even through its value-added distributor, there can be a misunderstanding that these systems arrive already ‘PCI-ready’.
As with any transactional device or software deployed across multiple companies, once a working exploit exists for one installation, attackers will try to leverage that open door across all known locations running the same system. When it comes to franchises, these locations are quite easy to determine with minimal research or knowledge of the franchise business model. It is our hope that strong adherence to PCI guidelines will mitigate the risk of targeted malware and enable infections to be quickly detected and fixed. Still, declining revenues often make a renewed investment in PCI efforts difficult, especially for small retailers without a background in IT or security, and I’m predicting that the trend of targeting franchises will continue.
McAfee encourages all businesses to ask their POS vendor or reseller about McAfee’s embedded security solutions, which can reduce the cost of PCI for retailers by making systems more ‘PCI-ready’. They can also take a look at McAfee’s Security Connected reference architecture for more information on how McAfee can help maximize any security investment by protecting your information, as well as other aspects of your environment, with a cost-effective and holistic security framework.