SMB PCI DSS Issues at the State Fair

Yesterday I was at the Iowa State Fair literally all day; from 8am to around 8:30pm. Despite the 95 degree extremely humid weather it was such a fun day! The cloudy skies and nice breezes helped a lot. We didn't get to probably half of the exhibits and activities. And I was *VERY* disappointed I didn't see any of the at least 4 presidential hopefuls who were on the grounds; the place is so big I guess we were always in the wrong place at the right time.

Something I noticed as I went by the hundreds of food and merchandise vendors was how almost all of them took credit card payments, most from free-standing stands and tiny portable trailers sitting on the grass grounds. From the information provided on the Iowa State Fair site for merchandisers, it does not appear that any centralized network is provided for the merchants to access their financial companies (the merchant's "acquirer") for credit card purchases. Given the set-up environment and characteristics across the grounds, that is understandable. I noticed most of the vendors were likely using stand-alone point of sale (POS) devices, with a few still using the somewhat nostalgic hand-swipe manual imprint machines.

The fair is very open, with many, many people all around, often right up next to and sometimes around all sides of the payment areas. Most, and possibly all, are Level 4 merchants under the payment card industry (PCI) data security standard (DSS) definition. Events such as these fairs are held year round.

Huge risks to credit card information exist in these situations, many arising from the physical security aspects alone.

Despite the very large numbers of Level 4 merchants, and the very large number of risks that exist for these merchants, PCI DSS "validation requirements and dates are determined by the merchant's acquirer."

While the PCI DSS requires all merchants to perform external network scanning to achieve compliance, most of these very small Level 4 merchants do not have networks; they have only stand-alone computers they use to connect to their acquirers and also to public networks such as the Internet. Acquirers *may* require submission of scan reports and/or questionnaires by Level 4 merchants; however, I haven't seen many actually do this.

There is a pretty good document Visa issued late last year, "Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness."

While it certainly does not cover nearly all the risks that exist within exhibition type sales situations, acquirers should ensure their Level 4 merchants receive and understand the information.

In fact, I believe acquirers should be responsible for providing awareness and training to all their merchants about credit card transaction security and PCI DSS, and should be especially vigilant in providing awareness to the Level 4 merchants. Almost all of these very small merchants have little to no background or knowledge of information security and privacy issues, yet a very large number of security incidents and privacy breaches occur as a result of their mishandling of, or lack of security for, credit card information and other personally identifiable information (PII).


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.