All posts by Michael Donaghue

What is PCI DSS Compliance?

Payment Card Industry Data Security Standards (PCI DSS) are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The latest update of the standard, known as PCI DSS 3.0, took effect January 1st 2014, but will not require full compliance until the beginning of 2015. Although the PCI Security Standard Council (PCI SSC) manages and administers the PCI DSS it is not tasked with enforcing compliance. This is primarily the duty of the payment card brands and the acquiring banks, along with retailers and small businesses themselves.

The standards apply to all organisations that store, process or transmit cardholder data – with guidance for software developers and manufacturers of applications and devices used in those transactions.

The idea behind PCI DSS Compliance is to ensure that customers’ credit card information is always kept as safe as possible during processing. To learn what your specific compliance requirements are, check with your card brand compliance program:
  • American Express

The PCI DSS follows common-sense steps that mirror security best practices. There are three steps for adhering to the PCI DSS – which is not a single event, but a continuous, ongoing process. First, Assess — identify cardholder data, take an inventory of your IT assets and business processes for payment card processing, and analyse them for vulnerabilities that could expose cardholder data. Second, Remediate — fix vulnerabilities and do not store cardholder data unless you need it. Third, Report — compile and submit required remediation validation records (if applicable), and submit compliance reports to the acquiring bank and card brands you do business with.

The PCI SSC created 6 control objectives and 12 specific requirements for protecting credit card data. The entire process of PCI DSS Compliance can be quite overwhelming to merchants and it’s for this reason that merchants often look to gain assistance from a Payments Specialist to help them achieve PCI DSS Compliance.

PCI Data Security Standard – High Level Overview

Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel

All major credit card companies have mandated that members, merchants and service providers who store, process or transmit cardholder data must demonstrate how they follow the requirements. Failure to do so may result in fines or termination of credit card processing privileges.

So what’s new with 3.0?

Of the 98 items listed in a summary of PCI DSS 3.0, 74 of them are described as “clarification,” while only 19 are “evolving requirements” and five are “additional guidance.”

One of the most significant additions to the standard is the idea of making compliance a daily event, or business as usual (BAU), instead of an annual audit event. The new section provides guidance for building security into business-as-usual (BAU) activities to maintain ongoing PCI DSS compliance. Compliance in the past tended to be reactive, since it was normally done in order to meet an annual or point-in-time obligation or review. 3.0 makes specific recommendations for making PCI DSS part of everyday business processes, and sets out best practices for maintaining ongoing PCI DSS compliance.

Outsourcing in general is a guiding theme in the new version: security is a shared responsibility, even if a third party is doing data storage or payment processing, so it is up to both parties to make sure checks are in place.

Specific new requirements in PCI DSS include:

  • Req. 5.1.2 – evaluate evolving malware threats for any systems not considered to be commonly affected
  • Req. 8.2.3 – combined minimum password complexity and strength requirements into one, and increased flexibility for alternatives
  • Req. 8.5.1 – for service providers with remote access to customer premises, use unique authentication credentials for each customer
  • Req. 8.6 – where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) these must be linked to an individual account and ensure only the intended user can gain access
  • Req. 9.3 – control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination
  • Req. 9.9 – protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution
  • Req. 11.3 and 11.3.4 – implement a methodology for penetration testing; if segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective
  • Req. 11.5.1 – implement a process to respond to any alerts generated by the change-detection mechanism
  • Req. 12.8.5 – maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity
  • Req. 12.9 – for service providers, provide the written agreement/acknowledgment to their customers as specified in requirement 12.8.2

Whilst this may look complex and costly, many companies learnt in 2013 that the cost of compliance was far less than the potential cost of fines for noncompliance, which can be tens of thousands of dollars per month, or the cost of a major breach, which easily runs into the hundreds of millions, as in the cases of TJX ($256 million), Sony ($171 million), and Heartland Payment Systems ($140 million). Current estimates of the cost of a breach run between $200 and $300 per compromised card, which would mean Target (USA) could be looking at as much as $8 billion on the low end for their breach in late 2013. And that’s not taking into account the lost clientele and headaches for all involved.

Looking at the Ponemon Institute 2013 Costs of Data Breach report, Australia is also experiencing significant losses from cybercrime:

  • The average cost per compromised record is $141 (up from $138 in 2011)
  • The average total organisational cost was $2,720,000 (up from $2,160,000 in 2011)
  • The average notification cost was $88,000 (up from $76,000 in 2011)
  • The average flow-on cost (ex-post) was $810,000 (up from $470,000 in 2011)
  • The average lost business cost was $780,000 (down from $840,000 in 2011)
  • Australia experienced the highest average number of breached records at 34,249.
  • Australia had the second highest detection and escalation cost of $1,400,000 (up from $770,000 in 2011)
  • Australian businesses experienced the second highest customer churn rate of 4.0% after a data breach, second only to France.

So if you’re wondering “What is PCI DSS compliance?” — the answer is this. PCI compliance is a means of building customers’ trust and protecting your business against damaging leaks of confidential customer information. Looking after your customers by being PCI compliant will help to ensure continued growth of your business and reinforce goodwill with your customers.

Credit card data discovery tools lay the foundation for good data security

Card Holder Data (CHD) discovery tools are becoming essential in identifying insecure locations of sensitive data. Since December 2013, a series of data breaches resulting in the loss of over 100 million credit card numbers has been reported at some of the largest retailers in the US. And this is only the beginning, as cybercriminals target CHD in Australia and overseas.

You can’t expect to adequately protect data if you don’t have knowledge about what data exists, where it resides, its value to the organisation, and who can use it. Finding information within a single database is cumbersome but now multiply that problem across financial, HR, business processing, testing, and decision support databases — and you have a huge challenge. Criminals don’t really care whether they steal data from production servers or POS machines — whichever is easier.

Most businesses think they know what is in their databases but the reality is a significant portion of them are not fully aware of what is in their databases and other network locations. They have been told by programmers, application developers, system and database administrators that there is no credit card data stored in their databases and most companies believe that and continue with their PCI compliance efforts as usual.

However, when you delve a little deeper you will very frequently find CHD in:

  • development databases,
  • testing or QA databases,
  • “just a backup for that rainy day” databases,
  • database dumps and backups,
  • card numbers written to “debug” log files,

and so many unintended stores of card holder data information that are just lost in the cogs of the machine.

Any organisation that needs to be PCI compliant must definitively prove their compliance with standards and practices in place. PCI DSS 3.0 clearly states:

  • Requirement 3 – Protect Stored Cardholder Data
  • Requirement 7 – Restrict Access to Cardholder Data

Now the question is, how can you be sure that you are not violating PCI DSS?

The process of cardholder data discovery is used by organisations to analyse the contents of workstations and servers including memory storage on retail POS systems to verify no credit card details are stored without security. The concept follows a fundamental rule within PCI DSS 3.0 which requires organisations to first understand what credit card data is being stored, remove any data that is not required and then take action to secure the remaining data.

The only real way to be sure there is no CHD lurking around (intended or unintended) in your environment is a thorough search using comprehensive software that looks for card data in file systems (workstations, servers, file shares, NAS, SAN, etc.) and databases (SQL Server, Oracle, MySQL, Postgres, Sybase, MS Access, etc.).

Numerous studies have shown that looking for unencrypted credit card data at rest plays a vital role in protecting customer payment data. Most studies show that it’s not the data in transit that’s the issue. For Requirement 3, of all the breaches reported in the “Verizon 2014 PCI Compliance Report,” not even one involved cardholder data “in transit.” In addition, 82% of organisations suffering a breach did not have Requirement 3 in place. The price companies pay for skimping on data discovery assessments has profound ramifications for their brand and business success, and ultimately fatal financial repercussions.
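As an added illustration of the discovery search described above (this is example code, not code from the post or from any product it mentions), the following Python script scans constructed sample log lines for card-number candidates, keeps only those that pass the Luhn check, and reports them masked. The regular expression, the issuer prefixes and the sample log are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Candidate PAN: 13 to 19 digits, optionally split by spaces or dashes as
# seen in logs and XML dumps. Constructed pattern; commercial discovery tools
# use more refined detectors, but the shape of the check is the same.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812-1) that every payment card PAN must satisfy.

    It rejects roughly 90% of random digit runs (order ids, phone numbers,
    timestamps), which is what keeps a discovery scan from drowning in noise.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def issuer_hint(digits: str) -> str:
    """Rough issuer guess from the leading digits (only three well-known
    prefix ranges are listed here; treat this as an assumption, not a full
    IIN table)."""
    if digits.startswith("4"):
        return "Visa"
    if digits[:2] in ("34", "37"):
        return "American Express"
    if 51 <= int(digits[:2]) <= 55:
        return "MasterCard"
    return "unknown"


def mask_pan(digits: str) -> str:
    """Mask a PAN for display, keeping at most the first six and last four
    digits (the maximum PCI DSS Requirement 3.3 allows to be shown)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    source: str      # file, table or mailbox the hit came from
    line_no: int     # 1-based line within that source
    masked_pan: str  # never the full PAN: the report itself must not become CHD
    issuer: str


def scan_lines(source: str, lines: Iterable[str]) -> List[Finding]:
    """Scan text lines from one source (debug log, DB dump, mail export) and
    return Luhn-valid card-number candidates, masked, with their location."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(
                    Finding(source, line_no, mask_pan(digits), issuer_hint(digits))
                )
    return findings


# Constructed sample of a "debug" log of the kind the post warns about. The
# PANs are the well-known public test numbers, not real cards; line 4 carries
# a digit run that looks like a PAN but fails the Luhn check, and line 3 holds
# a phone number and order id that never reach the length threshold.
SAMPLE_DEBUG_LOG = [
    "2014-02-03 10:15:02 INFO order=100234 auth ok pan=4111111111111111 exp=0916",
    "2014-02-03 10:15:09 DEBUG gateway response: <card number='3782 822463 10005'/>",
    "2014-02-03 10:16:41 INFO customer phone 0412345678 contacted re order 100235",
    "2014-02-03 10:17:00 WARN retry pan=4111-1111-1111-1112 (declined)",
    "2014-02-03 10:18:22 INFO auth ok pan=5555555555554444 exp=1215",
]


def report(findings: List[Finding]) -> str:
    """Render findings as one line each, for a discovery report."""
    return "\n".join(
        f"{f.source}:{f.line_no}  {f.masked_pan}  ({f.issuer})" for f in findings
    )


if __name__ == "__main__":
    hits = scan_lines("debug.log", SAMPLE_DEBUG_LOG)
    print(f"{len(hits)} Luhn-valid card number(s) found")
    print(report(hits))
```

Running it against the sample reports three hits (lines 1, 2 and 5) and silently drops the declined, Luhn-invalid run on line 4; pointing `scan_lines` at real log, dump or mailbox exports is the part a discovery tool automates across the file systems and databases listed above.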

Common risks we see all too often that you should be aware of:

  1. Payment gateways send/receive encrypted information from the merchant server. Due to misconfigured gateways, card data is being dumped in a text or XML file.
  2. Due to the adoption of cloud synchronising technologies like iCloud, Google Drive, etc., payment data stored on the desktop is constantly synchronised with smartphones and tablets, extending beyond the perceived corporate perimeter.
  3. Email is easily the number one location where card data was discovered, on over 80% of endpoints.

Treating card holder data discovery as a priority rather than a luxury can be a huge step to help promote customer data protection and prevent your business becoming yet another data breach headline. However, it is important to be aware that not all card holder assessments are so easily addressed. Card data residing on smartphones, tablets, laptops or other BYOD computing endpoints should not be overlooked. There is so much to consider when looking at card holder data discovery because undiscovered cardholder data jeopardises PCI compliance and is a massive exposure to an organisation. Are you willing to take the risk?

Card data discovery tools are essential both at the beginning of a PCI DSS project and post compliance, to ensure security and compliance are maintained.

How to survive a data breach

In the past two years, LinkedIn, eHarmony, Twitter, Adobe and, most recently, Target have suffered data breaches that together exposed more than 120 million accounts. Moreover, the companies who fall victim to these breaches always appear the same way: hobbled, slowed down, and completely vulnerable for days and possibly months as their name is splashed across the media. A data breach may be an even bigger calamity to the individuals whose data has been exposed to cybercriminals, to the press and, possibly, to malicious and ill-wishing acquaintances. Identity theft is a growing problem, and one that is inadequately policed. Individuals whose personal and/or financial data has been breached can find that their credit histories are compromised, and may have to spend years and substantial sums clearing their names.

However, perhaps the most disturbing thing about data breaches is that hacking is not new. The movie Hackers came out in 1995, and its manifesto stated “You may stop me, but you can’t stop us all.” Fast forward 19 years and nothing has changed. Companies know hackers exist, communities know hackers exist, and even Hollywood knows hackers exist. So why are major companies that deal with sensitive data every day, companies that understand the risks and consequences of mishandling cybersecurity, so often left exposed by these breaches?

Those organizations that have a tried and tested procedure in place for dealing with data breaches will not only put themselves in a better position to adhere to the emerging Australian data breach legislation but, more importantly, will enable themselves to win back some respect from the customers whose data has been breached.

How does a Data Breach happen?

Research into the root causes of data breaches and security breaches, gathered from the Verizon State of Software Security Report, reveals three main types of data breach causes:

  • Benevolent insiders
  • Targeted attacks
  • Malicious insiders

In many cases, breaches are caused by a combination of these factors. For example, targeted attacks are often enabled inadvertently by well-meaning insiders who fail to comply with data or security policies, which can lead to a data breach.

However the breach occurs, there are three important elements to surviving a data breach:

  1. Assessment and containment
  2. Notification of breach
  3. Evaluation and response

Assessment and containment

Data security breaches will require not just an initial response to assess and contain the situation but also a recovery plan including, where necessary, damage limitation. This will often involve input from specialists across the business such as IT, HR and legal and, in some cases, contact with external stakeholders and suppliers.

Consider the following:

  • Decide on who should take the lead on investigating the breach and ensure they have the appropriate resources.
  • Establish who needs to be made aware of the breach and inform them of what they are expected to do to assist in the containment exercise. This could be isolating or closing a compromised section of the network, finding a lost piece of equipment or simply changing the access codes at the front door.
  • Establish whether there is anything you can do to recover any losses and limit the damage the breach can cause. As well as the physical recovery of equipment, this could involve the use of backup systems to restore lost or damaged data or ensuring that staff recognise when someone tries to use stolen data to access accounts.
  • Where appropriate, inform the police.

Assessing the risks

Some data security breaches will not lead to risks beyond possible inconvenience to those who need the data to do their job. An example might be where a laptop is irreparably damaged but its files were backed up and can be recovered, albeit at some cost to the business. While these types of incidents can still have significant consequences, the risks are very different from those posed by the theft of sensitive credit card holder data.

The most important element is an assessment of the potential adverse consequences for individuals, how serious or substantial these are and how likely they are to happen. The following points are also likely to be helpful in making this assessment:

  • What type of data is involved?
  • How sensitive is it?
  • What has happened to the data?
  • If data has been lost or stolen, are there any protections in place such as encryption?
  • Regardless of what has happened to the data, what could the data tell a third party about the individual?
  • How many individuals’ personal data are affected by the breach?
  • Who are the individuals whose data has been breached? Are they staff, customers, clients or suppliers?
  • What harm can come to those individuals?
  • Are there wider consequences to consider such as a risk to public health or loss of public confidence, or trust, in an important service you provide?

Notification of breaches

Agencies and organisations have obligations under the Privacy Act 1988 (Cth) to put in place reasonable security safeguards and to take reasonable steps to protect the personal information that they hold from loss and from unauthorised access, use, modification or disclosure, or other misuse. Depending on the circumstances, those reasonable steps may include the preparation and implementation of a data breach policy and response plan that includes consideration of whether to notify affected individuals and the Office of the Australian Information Commissioner (OAIC). In general, if there is a real risk of serious harm as a result of a data breach, the affected individuals and the OAIC should be notified.

However, informing people about a breach is not an end in itself. Notification should have a clear purpose, whether this is to enable individuals who may have been affected to take steps to protect themselves or to allow the appropriate regulatory bodies to perform their functions, provide advice and deal with complaints.

There are a number of different ways to notify those affected, so consider using the most appropriate one. Always bear in mind the security of the medium as well as the urgency of the situation.

  • Your notification should at the very least include a description of how and when the breach occurred and what data was involved.
  • When notifying individuals, give specific and clear advice on the steps they can take to protect themselves and also what you are willing to do to help them.
  • Provide a way in which they can contact you for further information or to ask you questions about what has occurred – this could be a helpline number or a web page, for example.
  • You might also need to consider notifying third parties such as the police, insurers, professional bodies, bank or credit card companies who can assist in reducing the risk of financial loss to individuals.

Evaluation and response

It is important not only to investigate the causes of the breach but also to evaluate the effectiveness of your response to it. If the breach was caused, even in part, by systemic and ongoing problems, then simply containing the breach and continuing ‘business as usual’ is clearly not acceptable. Similarly, if your response was hampered by inadequate policies or a lack of a clear allocation of responsibility then it is important to review and update these policies and lines of responsibility in the light of experience.

You may find that existing procedures could lead to another breach and you will need to identify where improvements can be made. The following points are worth considering:

  • Make sure you know what personal data is held and where and how it is stored. Dealing with a data security breach is much easier if you know which data are involved; unfortunately, in the case of credit cards, the data can be stored in many places within an organisation and be hard to find. In cases like this a credit card discovery tool is a powerful remediation device.
  • Establish where the biggest risks lie. For example, how much sensitive personal data do you hold? Do you store data across the business or is it concentrated in one location?
  • Risks will arise when sharing with or disclosing to others. You should make sure not only that the method of transmission is secure but also that you only share or disclose the minimum amount of data necessary. By doing this, even if a breach occurs, the risks are reduced. Network Security Management tools and tokenisation reduce the risk substantially here.
  • Identify weak points in your existing security measures. For example, the use of portable storage devices, public access to private networks when offering free Wi-Fi, mobile payments, unsecured POS devices, and BYOD all increase the risk.
  • Monitor staff awareness of security issues and look to fill any gaps through training or tailored advice.
  • Consider whether you need to establish a group of technical and non-technical staff to discuss ‘what if’ scenarios; this would highlight risks and weaknesses, as well as giving staff at different levels the opportunity to suggest solutions.
  • If your organisation already has a Business Continuity Plan for dealing with serious incidents, consider implementing a similar plan for data security breaches.

There is no one size fits all remedy to surviving a data breach but common themes apply to most breach scenarios. Identifying a group of people responsible for reacting to reported breaches of security is a great start and having a security technology partner to work side by side with them may be the difference between just surviving or thriving.

Cost of data breach report (with Australian Statistics)

Ponemon Institute 2013 Cost of Data Breach report

The 2013 Cost of Data Breach report published by the Ponemon Institute (sponsored by Symantec) reveals some interesting and valuable insight into the real-life cost when a data breach occurs.

The 2013 Cost of Data Breach Study: Global Analysis is based on the actual data breach experiences of 277 companies around the globe and takes into account a wide range of direct and indirect business costs. Country reports are available for the United States, United Kingdom, France, Germany, Italy, India, Japan, Australia, and Brazil (new).

To save you time, we have highlighted the key statistics for Australia.

Australia (amounts shown in AUD)

  • The average cost per compromised record is $141 (up from $138 in 2011)
  • The average total organisational cost was $2,720,000 (up from $2,160,000 in 2011)
  • The average notification cost was $88,000 (up from $76,000 in 2011)
  • The average flow-on cost (ex-post) was $810,000 (up from $470,000 in 2011)
  • The average lost business cost was $780,000 (down from $840,000 in 2011)
  • Australia experienced the highest average number of breached records at 34,249.
  • Australia had the second highest detection and escalation cost of $1,400,000 (up from $770,000 in 2011)
  • Australian businesses experienced second highest customer churn rate of 4.0% after a data breach, second only to France.

The complete Australia report is located here

Global Summary

The full global report is located here

How this restaurant protected their patrons and themselves from hackers

The hospitality industry is fast paced and highly competitive, with tight profit margins. Effective use of technology, from initial deployments to ongoing support, impacts customer satisfaction as well as the bottom line.

While the food and drink keep the guests satisfied, their overall experience is also dependent on the infrastructure of the venue: everything from the lighting and atmosphere to the Information Technology (IT), information security and payment systems. In addition, the hospitality industry needs to protect itself from the rising wave of cybercrime.

The 2013 Trustwave Global Security Report highlighted that Australia is now the second largest target for cybercriminals and that retail, food & beverage and hospitality represent the three most compromised industries.

Let’s look at how an efficient system can pay dividends for a smart venue owner by lowering costs while improving customer service, staff productivity and security.

A typical IT system in a hospitality venue might be set up as follows:

  • Three payment terminals (two behind the bar, one in the dining area)
  • Three phone lines for the payment terminals to connect to the bank
  • A third phone line for another payment terminal with a shared connection to a telephone for reservations or customer enquiries
  • One broadband Internet connection for the back office computers, used for ordering and accounting.

This scenario merits some consideration. It’s a complex system that was set up with the intention of making things easy.

Unfortunately, multiple devices sharing lines are complicating matters, and preventing the venue from getting the full value out of its IT system.

It’s too much of everything: too much complexity, too many shared connections, and most importantly for the venue owner, too much money.

The three phone lines for the payment terminals to connect to the bank aren’t efficient, and are actually a hidden cost to the business. Margins in the service industry can be razor thin, and driving down costs is an imperative for any business owner.

What’s the alternative?

A MerchantSecure Network Security, Management & Productivity Solution could be set up. MerchantSecure is a fully managed network security and compliance service, allowing businesses to focus their attention on their day-to-day operations. Using the MerchantSecure Network Security, Management & Productivity service, all the site’s devices can be connected through a single appliance connected directly via secure public broadband, which is easier, faster, and cheaper to administer.

It binds together all the disparate elements into one integrated system that works together to help the business run efficiently. By removing all but one phone line and taking advantage of an Internet-based IP system with a network security appliance, the connection speed improves so card transactions sail through in seconds.

The venue can eliminate the multiple phone lines and instead use just one Internet connection. In addition, the MerchantSecure appliance has an inbuilt 3G backup facility to ensure business processes can continue uninterrupted even when fixed lines go down.

What’s more, the MerchantSecure service keeps sensitive information such as cardholder data separated from the rest of the computer system, so that the venue meets new security measures to protect customer card information called the Payment Card Industry Data Security Standards (PCI DSS).

The MerchantSecure appliance has an option to provide secure wireless (Wi-Fi) Internet access – a great value add-on that can enhance guest experience and encourage longer stays in the dining area. The system also incorporates monitoring, so management knows what sites are accessed, when, by whom and for how long. This is known as the Guardian Content Filtering feature and it permits blocked or restricted Internet access through customisable settings and an easy to use interface. This not only provides an appropriate customer experience; it can also be configured to improve staff productivity by restricting staff access to non-work-related sites during working hours, while blocking access to web sites which may harbour dangerous malware.

MerchantSecure units are administered over the Internet through a Central Management System (CMS), so network configurations and settings can be remotely adjusted from anywhere, anytime. This means that if a technical issue should arise, it can be dealt with remotely without the need for an on-site technician. MerchantSecure network appliances are plug-and-play, so non-technical staff can connect and set up the basic functionality without the need for costly onsite engineers.

In short, it’s a simpler system that reduces costs, improves payment processing response times, increases security and staff productivity while improving the customer experience – padding the bottom line of the venue owner.

Upgrading to a service such as MerchantSecure can increase customer satisfaction, reduce costs, secure the business infrastructure, increase staff productivity, foster a better working environment and broaden service options. It’s a compelling opportunity for hospitality businesses and a great way to get the edge over the competition.

What every retailer should know about in-store network security

When it comes to shopping, today’s consumers are in control, with more choices and more options than ever before. As a result, it is no longer enough to offer a good selection of merchandise at attractive prices, you need to create the ultimate customer experience. At the same time as enhancing the customer’s shopping experience you need ways to increase productivity and drive sales if you want to stay ahead of the competition.

The customer experience relies heavily on the systems in place behind the scenes. Inventory control needs to ensure a suitable selection of products is in each store, financial data needs to be pooled together across locations. The payment system needs to be fast and efficient and it’s imperative for retailers that their Information Technology (IT) systems are secure.

Let’s take a look at how an IT system might be set up for a chain of three retail stores, selling clothing in separate locations.

  • Three store locations, geographically dispersed across the country
  • One payment terminal per location
  • One dial-up connection per store for the payment terminals to the payment processor
  • One telephone per store for customer enquiries
  • One central inventory and accounting system, independent of the stores

There are several considerations in this scenario, principally around communication. Each store has one payment terminal used for customer transactions that connects to a payment processing company through a dial-up phone line. That same phone line is shared with the store’s sole telephone, meaning that while transactions are being processed, the phone line is busy. Conversely, when the phone line is in use, customer transactions can’t be processed.

The phone lines are complicating matters, and using a dial-up connection to get an authorisation means payments can be slow. Also, consider that these store locations are acting as independent businesses rather than cooperating to deliver value as a unit. The three locations could be connected for collaboration, information sharing and inventory tracking to improve overall operations. And what about the customer experience? Is their customer information securely protected? Would the stores attract more business if they offered Wi-Fi access for customers?

What if there was a faster and cheaper way for the payment terminals to communicate with the payment processor, while still permitting the phone lines to be used freely?

The first step is to switch the payment terminal network from phone lines to an Internet-based IP system complemented by the MerchantSecure Network Security, Management & Productivity Solution. The MerchantSecure solution securely links the payment terminals, computers and store locations into one integrated system that works together as a unit to help the business run more effectively.

For example, each store now has separate Internet connections and phone lines, permitting both to be used at the same time. When stores need to add additional payment lines during busy times, like during the Christmas shopping season, expanding is as easy as plugging in an extra terminal to the Internet connection and authorising it in the central management system.

MerchantSecure can create secure Virtual Private Networks (VPN) between store locations in a matter of minutes, enabling the central inventory and accounting system to safely share information about stock levels, purchases and customer data. This ensures that each location has stock, while sensitive information stays protected in transit.

If stores want to provide Wi-Fi access for customers, they can do so securely and easily. The MerchantSecure appliance has an option to provide secure wireless Internet access that incorporates monitoring, so stores know what websites are accessed, when, by whom and for how long. The inbuilt guardian content filtering module can also be used to limit staff access to sites which may distract them from their work while also protecting the business from malware and malicious code.

Should a store need technical assistance, offsite technical support personnel can log on remotely to the Central Management System (CMS) to diagnose and troubleshoot issues. This alleviates the need for a site visit from a technician, or for the retail staff to have any degree of technical expertise. This improves system reliability while driving operating costs down. In addition, the 3G backup capability ensures that sales and operations can continue as normal even when the Internet connection is down.

But perhaps one of the most compelling reasons for the retail chain to have a MerchantSecure service is to reduce credit card fraud. Australia has attempted to lower fraud rates in the country by mandating chip-and-PIN (EMV) card technology. MerchantSecure locks down the payment network against network tampering, including terminal replacement or external hackers. It’s a true plug-and-play solution that helps businesses comply with Payment Card Industry Data Security Standards (PCI DSS).

The service not only protects your business from external threats, but can also ensure your network is 100% PCI security compliant. Upgrading to a service such as MerchantSecure can increase customer satisfaction, reduce costs, secure the business infrastructure, increase staff productivity, foster a better working environment and broaden service options. It’s a compelling opportunity for retail businesses and a great way to get the edge over the competition.

The benefits of mandatory data breach notification laws in Australia

Mandatory data breach notification laws would result in greater security for Australians and improved protection of their sensitive information. And it’s what Australian consumers want. Public concern about data breaches, online privacy and identity fraud is on the rise, and Australians are taking cyber security seriously.

According to the Unisys Security Index conducted by Newspoll, public concerns have hit their highest level in five years. In Australia, the overall index increased 19 points to 129 over the previous year, with increases in all types of security concerns tracked. The 2013 Trustwave Global Security Report highlighted that Australia is the second largest target for cybercriminals, second only to the United States. So the question is why we wouldn’t make data breach notification mandatory, when it’s what the Australian public wants, and it’s their businesses and their data that we ultimately wish to protect.

A mandatory data breach notification law will encourage businesses to protect themselves from significant financial losses and the silent epidemic affecting companies in Australia, Europe and the United States. Since 2008, companies have been encouraged to comply with the OAIC’s voluntary guide on data breach notification, whereby affected individuals and the OAIC should be notified where there is a “risk of serious harm resulting from a data breach.”

In theory, businesses should already have policies and procedures in place to ensure the information they hold is protected from data breach attacks, including notification where there is a risk of serious harm to affected individuals. In practice, however, the data tells an entirely different story: the occurrence and cost of cybercrime continue to grow significantly, while the number of events reported has actually declined.

So the next question is, if companies are supposed to have policies and procedures in place to inform clients of incidents, why not make it mandatory? This will ensure our personal information is protected by all and not just by a few.

Opponents of the proposed data breach notification laws are citing spurious arguments, somehow believing that sticking our heads in the sand against a wave of data crime will facilitate innovation and protection. Blocking the much-needed law won’t stimulate innovation or result in increased protection of our sensitive financial information; it will do the opposite.

Why is it that our banks mandate that the minute we find out our credit cards have been lost or stolen we must notify the bank immediately to avoid the risk of financial damage, while a company that loses my credit card data or lets it get into the hands of cybercriminals does not have the same obligation? Companies that do not tell me about a breach are, in essence, stopping me from notifying my bank promptly by withholding the information, and it’s my money and personal identity that’s at risk. By withholding the breach, they are assisting the criminals.

Other arguments against the law are equally weak: one being that the privacy commissioner doesn’t have the resources to investigate each case. Does that mean speeding laws shouldn’t be in place because the police can’t be everywhere prosecuting every driver throughout Australia? Of course not. It’s about setting standards and encouraging good practice, to protect us all.

The act would encourage businesses to protect themselves from the growing wave of cybercrime, protecting their brand, their customers and themselves from financial loss; this will stimulate innovation and security initiatives. Securing a business does incur costs, of course, but not protecting your business appropriately could cost you your clients, your reputation and ultimately your business.

The global landscape is changing, and changing fast, and it’s the Australian government’s responsibility to educate and encourage protection in these changing times. The extent of this threat is highlighted by Interpol’s President, who stated that organised international gangs are behind most Internet scams and that cybercrime’s estimated cost is more than that of cocaine, heroin and marijuana trafficking put together.

Consumers have a right to be informed when their personal data has been lost or stolen. Mandatory notification would be a clear benefit to all Australians – both by providing consumers with information about organisations with poor data breach histories and by providing an incentive for organisations to improve their data handling practices.

The fact that consumers are not being notified when their data is stolen is unacceptable. It also points to the fact that currently, we just don’t know how many breaches there are, how big they are and who they’re affecting. Consumers can’t be sure what’s happening to their information and they have a right to know.

Thanks to the media and research institutes, here are just a few examples that made it into the public domain:

  • In 2013, 38 million Adobe customers were affected.
  • In 2013, 70 million Target customers were impacted by malware attacks on POS devices.
  • In 2013, almost 10,000 Telstra customer records were made public on the Internet, in circumstances similar to the 2011 incident.
  • In 2013, usernames, e-mail addresses, session tokens and encrypted/salted versions of passwords for 250,000 Twitter accounts were accessed.
  • The Ponemon Institute Cost of Cybercrime study (2012) indicated that the cost of cybercrime to the studied Australian companies was over three million dollars.
  • In 2012, AAPT’s servers were attacked by the group “Anonymous”.
  • In late 2011, over 700,000 Telstra customer records were made publicly accessible over the Internet.
  • In early 2011, the Sony PlayStation Network was compromised, with approximately 77 million customers affected worldwide.
  • In late 2010, a mailing list error resulted in 220,000 letters with incorrect mailing addresses being mailed to Telstra customers.
  • In 2009, a design flaw resulted in the online chat transcripts of a depression counselling service being made publicly accessible.

What franchisors can do to protect themselves against cybercrime

The franchise business model is a proven winner. With an attractive, established business others can buy into, a strong brand, and efficient management, the only limit to a franchise’s success is its ability to deploy new locations and expand into new regions.

While expansion is a sign of success, one of the other keys is uniformity across locations. That way, customers know what to expect every time they visit a franchise business, whether that’s a burger that tastes the same across town as it does across the country, or a standard of customer service that can be relied upon.

Consistency across operations also benefits management; the more consistent the locations, the easier they are to manage and operate. That’s particularly true for franchise IT systems.

Let’s look at how a typical large-scale franchise restaurant might set up its IT system:

  • Three payment terminals out front
  • Two back office PCs for accounting, inventory and ordering
  • A Wi-Fi access point providing customer Internet access
  • A router connecting the payment terminals and back office PCs to a Multi-Protocol Label Switched (MPLS) network
  • A second router connecting the restaurant Wi-Fi access point to the Internet

While this setup can work for a franchise chain with a moderate degree of success, there are some drawbacks.

Using an MPLS network keeps the computer network separated from the wider Internet, increasing privacy and keeping sensitive traffic away from potential security threats and intrusions. But because of the way data is exchanged over the MPLS network, information is typically not encrypted, which has serious implications for sensitive information like credit cardholder details.

The Wi-Fi Internet connection is run wholly independently of the restaurant connection, and can be difficult to manage and administer. There’s likely little control over what sites are visited, what can be downloaded, or how long a connection is permitted. That Wi-Fi connection costs the franchise money, so it’s logical to get control and manage or reduce those costs.

If the restaurant network requires any technical support, the telecommunications company will have to be contacted and may need to send a technician for a site visit to troubleshoot and manage any changes to the sensitive MPLS connection. It’s not friendly to the non-technical users at the store locations, and could leave a store crippled if even a simple problem arises.

Moreover, the MPLS network comes with a significant monthly cost for each location. If a franchise expands exponentially, so will the costs to maintain that MPLS network connection. The MPLS network is constrained by geography; each site needs to be within reach of the MPLS network provider’s service. That means that if it’s provided by the local telecommunications company, it may restrict the franchise from expanding overseas.

There’s an alternative way of building this network to incorporate the same functionality, while addressing some of the high cost and technical issues associated with private networks.

MerchantSecure is a fully-managed network security and compliance service, allowing franchises to focus their attention on their day-to-day business operations. Using the MerchantSecure Network Security, Management and Productivity service, all the site’s devices can be connected through an appliance connected directly via secure public broadband, which is easier, faster and cheaper to administer.

The payment terminals and back office PCs can connect to head office through an appliance that also provides Wi-Fi Internet access to restaurant guests, all while maintaining a secure network that meets obligations from the credit card companies known as the Payment Card Industry Data Security Standards (PCI DSS).

MerchantSecure provides complete visibility and control of network traffic and activity, ensuring that use is limited to a predetermined set of rules or criteria.

Rather than connect back to the head office through the MPLS network, the MerchantSecure service connects via the broader Internet and a Virtual Private Network (VPN). Since Internet access is available almost everywhere, this option also addresses the geographical obstacles of the MPLS network solution. As such the MerchantSecure service is not restricted by geography or ISP.
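Both scenarios on this page rest on the same two controls: the guest Wi-Fi and the payment terminals live in separate zones that cannot reach each other, and anything leaving the site for head office travels only inside the VPN tunnel rather than over an unencrypted path. The following is an added example written for this page, not MerchantSecure's own code or configuration, showing how a zone-based "predetermined set of rules" for one store can be expressed and checked. Zone names, the address plan, interface names (`vpn0`, `wan0`, `lan0`) and the sample flows are all constructed assumptions.

```python
"""Zone-based segmentation policy for one retail site (constructed example).

Encodes the separation described on the page: guest Wi-Fi isolated from
payment devices, terminals allowed to talk only to the payment processor
over TLS, and inter-site traffic permitted only inside the VPN tunnel.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical address plan; each zone is its own subnet/VLAN.
ZONES = {
    "payment":     ip_network("10.10.1.0/24"),    # EFTPOS terminals
    "backoffice":  ip_network("10.10.2.0/24"),    # accounting / inventory PCs
    "guest_wifi":  ip_network("10.10.3.0/24"),    # customer Wi-Fi
    "head_office": ip_network("10.20.0.0/16"),    # reachable only via the VPN
    "processor":   ip_network("203.0.113.0/24"),  # payment processor (placeholder range)
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses are 'internet'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int
    iface: str     # egress interface: "vpn0" (tunnel), "wan0" (raw Internet), "lan0"


@dataclass(frozen=True)
class Rule:
    src_zone: str             # zone name or "*"
    dst_zone: str
    proto: str                # "tcp", "udp" or "*"
    dport: Optional[int]      # None = any port
    iface: Optional[str]      # None = any interface
    action: str               # "allow" or "deny"


# First match wins; DEFAULT is appended as the final catch-all deny.
POLICY = [
    # Terminals may speak TLS to the processor and nothing else.
    Rule("payment", "processor", "tcp", 443, "wan0", "allow"),
    # Site-to-head-office traffic is allowed only inside the VPN tunnel,
    # which is what replaces the unencrypted MPLS path.
    Rule("backoffice", "head_office", "tcp", None, "vpn0", "allow"),
    Rule("payment", "head_office", "tcp", None, "vpn0", "allow"),
    # Guest Wi-Fi gets web and DNS to the Internet, never an internal zone.
    Rule("guest_wifi", "internet", "tcp", 80, "wan0", "allow"),
    Rule("guest_wifi", "internet", "tcp", 443, "wan0", "allow"),
    Rule("guest_wifi", "internet", "udp", 53, "wan0", "allow"),
]
DEFAULT = Rule("*", "*", "*", None, None, "deny")


def matches(rule: Rule, flow: Flow, src_zone: str, dst_zone: str) -> bool:
    return (
        rule.src_zone in ("*", src_zone)
        and rule.dst_zone in ("*", dst_zone)
        and rule.proto in ("*", flow.proto)
        and rule.dport in (None, flow.dport)
        and rule.iface in (None, flow.iface)
    )


def decide(flow: Flow) -> str:
    """Return 'allow' or 'deny' for a flow under POLICY (first match wins)."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    for rule in POLICY + [DEFAULT]:
        if matches(rule, flow, s, d):
            return rule.action
    return "deny"  # unreachable because DEFAULT matches everything


def audit(flows) -> list:
    """Return the flows the policy would block, for review of observed traffic."""
    return [f for f in flows if decide(f) == "deny"]


# Constructed sample flows, as a change-window review might collect them.
SAMPLE_FLOWS = [
    Flow("10.10.1.5",  "203.0.113.10", "tcp", 443,  "wan0"),  # terminal -> processor, TLS
    Flow("10.10.1.5",  "203.0.113.10", "tcp", 80,   "wan0"),  # terminal -> processor, cleartext
    Flow("10.10.3.44", "10.10.1.5",    "tcp", 443,  "lan0"),  # guest Wi-Fi -> terminal
    Flow("10.10.2.7",  "10.20.5.1",    "tcp", 1433, "vpn0"),  # back office -> HQ, in tunnel
    Flow("10.10.2.7",  "10.20.5.1",    "tcp", 1433, "wan0"),  # back office -> HQ, outside tunnel
    Flow("10.10.3.44", "198.51.100.9", "tcp", 443,  "wan0"),  # guest Wi-Fi -> public web
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{decide(f):5}  {zone_of(f.src):11} -> {zone_of(f.dst):11} "
              f"{f.proto}/{f.dport} via {f.iface}")
```

The point of the interface column is the MPLS argument made above: a head-office flow is only acceptable when it egresses through the tunnel interface, so the same destination over the raw WAN link is denied. Running the sample prints three denies: the cleartext terminal connection, the guest device reaching a terminal, and the back-office flow that bypasses the VPN.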

MerchantSecure appliances are administered over the Internet through a Central Management System (CMS), so network configurations and settings can be remotely adjusted from anywhere, anytime. This means that if a technical issue should arise, it can be dealt with remotely without the need for an on-site technician. MerchantSecure network appliances are plug-and-play, so non-technical staff can connect and set up the basic functionality without the need for a PCI DSS-certified technician.

MerchantSecure works with any Internet Service Provider, making for a truly flexible system. For franchise businesses that quickly expand, this means that the network is easily scalable; simply by plugging in an appliance they are able to bring new locations onto the corporate network and manage all configuration from one central location, providing global reach and limitless possibilities for growth.

Without the MPLS network, monthly network costs are substantially reduced and overall operations are streamlined, all while meeting the stringent PCI DSS security guidelines. Upgrading to a service such as MerchantSecure can increase customer satisfaction, reduce costs, secure the business infrastructure, increase staff productivity, foster a better working environment and broaden service options. It’s a compelling opportunity for franchise businesses and a great way to get the edge over the competition.