PCI Compliance has (to me) seemed like a pretty big boogeyman over the years. It has felt like a method for credit card processors to impose higher rates on businesses that aren’t following very specific and esoteric rules for data encryption. Data security is vital in business, especially when it’s customer data like credit cards and addresses and such. But a lot of the rules always felt like overkill.
After hearing about a restaurant chain in Boston being fined $110,000 for a data breach, I can see why PCI Compliance is going to be more and more important. The business in question had malicious software unknowingly installed onto one of their PCs, giving a third party access to credit and debit card info. The software wasn’t detected for 8 months, including the holiday season, so a lot of customer data could have been lifted.
Massachusetts has one of the strictest data breach policies in the country, as well as the most difficult to spell name, but that doesn’t change the fact that this business could’ve taken meager steps to eliminate this problem. Antivirus/antimalware software could probably have caught this issue quickly, but an even better step would be to limit employee access to the web on payment terminals. If they can’t connect to malicious sites, they can’t download malicious code. And if it comes from someone installing software from portable media, you have a bigger issue at your business than PCI Compliance.
However, if your merchant account provider can swing it, a really easy way to secure customer credit and debit data is to get an encrypted credit card reader, like MagTek’s Centurion. The reader is programmed by your credit card processor and uses hardware in the device itself to encrypt card data, which is decrypted by the processor upstream. So now even if your computer is festooned with malware, viruses, trojans, and every other piece of horrific software, all they can get is gibberish. Hard to commit fraud with gibberish.
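The encrypting reader described above, modelled as an added example in Go (not MagTek’s or any processor’s code): the processor-injected key exists only in the reader and upstream host, the POS PC receives nothing but an AES-GCM blob, and a memory-scraping check finds a card number in cleartext track data but not in the reader’s output. The key, track data and terminal identifier are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"regexp"
)

// Constructed device identifier bound to each blob as GCM associated data.
const terminalID = "terminal-01"

// Provision models key injection: the processor loads the same AES key into
// the reader's hardware and its own host, and nothing else ever holds it.
func Provision(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ReaderSwipe runs inside the reader: track data is encrypted there and the
// device emits nonce||ciphertext||tag, which is all the POS PC ever receives.
func ReaderSwipe(device cipher.AEAD, track string) ([]byte, error) {
	nonce := make([]byte, device.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return device.Seal(nonce, nonce, []byte(track), []byte(terminalID)), nil
}

// ProcessorDecrypt recovers the track upstream; a blob altered in transit
// fails the GCM tag check and is rejected instead of being misread.
func ProcessorDecrypt(processor cipher.AEAD, blob []byte) (string, error) {
	ns := processor.NonceSize()
	if len(blob) < ns {
		return "", errors.New("blob too short")
	}
	pt, err := processor.Open(nil, blob[:ns], blob[ns:], []byte(terminalID))
	return string(pt), err
}

// HostSeesPAN models memory-scraping malware on the POS looking for a run of
// digits shaped like a card number in the data the reader handed over.
var panShape = regexp.MustCompile(`[0-9]{13,19}`)

func HostSeesPAN(data []byte) bool { return panShape.Match(data) }
```

The same scraper check run against the cleartext track shows what malware on an unencrypted terminal would have found.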
