Fraud and identity theft are on the rise. The Federal Trade Commission received more than 1.1 million complaints of fraud and identity theft in 2013, totaling more than $1.6 billion in stolen assets. The vast majority of these cases stem from data breaches associated with credit cards.
The credit card industry, led by Visa and MasterCard, developed the PCI Security Standards Council in 2005 to set security standards covering security management, policies, procedures, network architecture, software design and other critical protective measures. The resulting Payment Card Industry (PCI) Data Security Standard (DSS) was launched in 2005 and revised in November 2013 to keep pace with the changing environment the credit card industry must secure. The standard provides a comprehensive set of requirements for protecting payment-account data.
Today, companies (including health clubs) that are affected by the PCI standard are required to conduct a variety of validation activities, including quarterly vulnerability scans, a self-assessment questionnaire or an onsite review by an independent third-party qualified security assessor, depending on the number and types of transactions conducted by the companies. Addressing PCI compliance is not just a matter of avoiding noncompliance fines; it is about good business: reducing risk, enabling delivery of services over an increasing range of customer channels and maintaining the trust of customers and business partners.
Benefits of PCI Compliance
Although some companies may complain about the requirements for PCI compliance, organizations that have implemented the guidelines have realized the benefits that compliance can provide. Compliance builds a trustworthy reputation, and customers are more confident doing business with these companies.
PCI standards help lower the risk of an organization becoming the victim of a data breach. Such breaches can be embarrassing and costly for an establishment, as each incident can result in fines of as much as $500,000 per month. The first step in becoming a PCI-compliant organization is for administrators to investigate the requirements that apply to their business. Requirements vary depending on what payment card data is handled, so it is in the executive decision-makers' best interest to do their homework.
The Payment Card Industry Council requires implementing encryption of cardholder data in transmission. This can be achieved using an SSL certificate, which provides the optimum level of website security. In this way, transactions completed over online portals have the best-in-class protection against threats.
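The requirement above is about encryption in transit, and in practice the certificate only protects a transaction if the client actually verifies it. The following Python snippet is an added example, not code from the article or from ABC Financial: it builds a client TLS context suitable for sending cardholder data to a payment gateway, places it beside the kind of context produced when certificate checking is switched off, and audits both. The function names and the findings text are this example's own choices, not PCI terminology.

```python
import ssl


def cardholder_tls_context() -> ssl.SSLContext:
    """Client context for connections that carry cardholder data.

    Requires TLS 1.2 or newer, verifies the server certificate against the
    system trust store and checks that the hostname matches the certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()
    return ctx


def unverified_tls_context() -> ssl.SSLContext:
    """The weak configuration this example warns about (constructed for contrast).

    Disabling verification still encrypts the bytes on the wire, but any party
    that can intercept the connection can present its own certificate, so the
    certificate no longer protects the transaction.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return a list of human-readable findings; an empty list means the
    context meets the three checks this example enforces."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are accepted")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", cardholder_tls_context()),
                      ("unverified", unverified_tls_context())):
        print(name, audit_tls_context(ctx) or ["ok"])
```

The hardened context can be passed directly to `http.client.HTTPSConnection(host, context=ctx)` or `urllib.request.urlopen(url, context=ctx)`; the audit function is the kind of check that belongs in a code review or a unit test so that a `verify=False` style shortcut does not reach production.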
The PCI standard accounts for different transaction volumes, payment channels and level of exposure across companies. The PCI standard lays out 12 specific security areas of responsibility with which companies must comply. These areas are:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Protect all systems against malware and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
To most IT/security professionals, many of these requirements seem like straightforward common sense. However, many organizations have trouble complying. Most data breaches occur when a merchant or service provider stores sensitive data from a card's magnetic stripe in violation of the PCI standard. This makes compliance critically important to your enterprise.
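Because the failure mode named above is stored magnetic-stripe data, a practical control is to scan logs and exports for it before an assessor does. The following Python scanner is an added example written for this article, not ABC Financial's code or a PCI-supplied tool: it looks for track-1 and track-2 data in the layout used on the stripe, for bare card numbers confirmed with the Luhn check, and redacts each hit to the first six and last four digits. The log lines are constructed for the example and use the well-known test card numbers 4111111111111111 and 4242424242424242.

```python
from __future__ import annotations

import re

# Track-2 data as encoded on the stripe:  ;PAN=YYMMSSS<discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}[^?]*\?")
# Track-1 data:  %B<PAN>^<NAME>^YYMMSSS<discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
# Any 13-19 digit run not embedded in a longer number; confirmed with Luhn.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

# Constructed sample lines for this example (not real log data).
SAMPLE_LOG = [
    "2014-03-02 10:15:01 POS-7 auth ok pan=4111111111111111 exp=1612 amt=49.00",
    "2014-03-02 10:15:04 POS-7 raw track2=;4242424242424242=16121015432112345678?",
    "2014-03-02 10:16:10 POS-7 member id 1234567890123 checked in",
    "2014-03-02 10:17:00 POS-7 raw track1=%B4111111111111111^DOE/JANE^16121015432100000000?",
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out member ids,
    timestamps and other long digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> tuple[str, list[dict]]:
    """Return (redacted_line, findings) for one log line.

    Track data is reported as its own finding kind because storing it after
    authorization is prohibited outright; a bare PAN is reported as 'pan'.
    """
    findings: list[dict] = []

    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        def redact_track(m, kind=kind):
            masked = mask_pan(m.group(1))
            findings.append({"kind": kind, "pan": masked})
            return f"<{kind} REDACTED pan={masked}>"
        line = rx.sub(redact_track, line)

    def redact_pan(m):
        pan = m.group(1)
        if not luhn_valid(pan):
            return pan                      # not a card number; leave it
        findings.append({"kind": "pan", "pan": mask_pan(pan)})
        return mask_pan(pan)

    line = PAN_RE.sub(redact_pan, line)
    return line, findings


def scan_log(lines: list[str]) -> list[dict]:
    """Scan every line; return one record per line that contained card data."""
    report = []
    for number, raw in enumerate(lines, start=1):
        redacted, findings = scan_line(raw)
        if findings:
            report.append({"line": number, "kinds": [f["kind"] for f in findings],
                           "redacted": redacted})
    return report


if __name__ == "__main__":
    for record in scan_log(SAMPLE_LOG):
        print(record["line"], record["kinds"], record["redacted"])
```

Run against real logs, the `track1`/`track2` findings are the ones to escalate, since they show that a system retained full stripe contents; the `pan` findings show where card numbers leak into files that are probably not in the documented cardholder data environment. The regexes follow the stripe layout rather than any single vendor's log format, so they will also catch track data embedded in exception messages and debug dumps.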
Although PCI DSS certainly is comprehensive, the list of 12 areas of responsibility leaves 12 possible points of failure. Fail one requirement and you fail them all. This all-or-nothing approach is both a curse and a blessing. The benefit: Enforcing compliance with each of the 12 areas ensures the most secure possible handling of data. The pitfall: Total compliance with the standard can take time and resources to achieve, especially for smaller companies.
The way the standard works now, a merchant or service provider that satisfies 99 percent of the requirements would still receive a failing grade. With this in mind, many experts predict a significant number of organizations may in fact never comply.
To prove compliance, payment card organizations require the use of qualified data security companies (QDSCs) to perform an onsite audit review. MasterCard and Visa have established a certification program for vendors to become QDSCs, as well as a program authorizing companies to provide qualified scanning services. These two credit card companies also offer certification programs that train qualified data security practitioners (QDSPs) who perform testing and other security work.
These organizations often offer additional value-added services, such as best-practice security assessments, compliance-readiness reviews, system deployment and training, systems integration, and other security and network-related services. In many cases, health club businesses also can help themselves by purchasing sophisticated security equipment, configuring it to minimize risk and implementing a host of policies and procedures that comply with the latest data security standards.
Content Sponsored by ABC Financial.
ABC Financial leads the health and fitness industry in software and payment processing solutions. We have one goal: to maximize our clients' revenue. Our industry knowledge and innovation reflect our 33 years of experience. Today, we are the choice of more than 4,800 North American health clubs. Our DataTrak health club management software reflects our dedication to cutting-edge technology in its speed, comprehensiveness, innovation, and security. We are constantly enhancing our software as a part of our commitment to unparalleled service and to our clients' bottom line.