Page 18 - GS180702
Views

If you see something, speak up
By Dale S. Laszig, DSL Direct LLC

Most of us would like to leave our jobs behind when on vacation, but that's not easy for payment pros. Every time we walk into a store, open a mobile app or shop online, we're reminded of our industry. These reminders can be exciting or cringeworthy, depending on the circumstances. Here are some examples (I'm sure you can think of many more):

• Exciting: to see checkout evolve from three acts (payment presentment, authorization and close) to one act. When we exit an Uber or Amazon Go store, payments magically happen.

• Cringeworthy: to see noncompliant equipment in a checkout lane. EMV (Europay, Mastercard and Visa) guidelines became effective in 2015, making merchants without chip card readers 100 percent liable for a security breach.

• Exciting: to see available points, cash, rewards, coupons and credit cards on a checkout screen and be able to pay in any combination. These options are widely available on mobile wallets and ecommerce sites.

• Cringeworthy: to be asked for multiple forms of identification while people fuss and fidget behind us in the checkout queue, because the merchant doesn't use available technologies to securely authenticate users in seconds.

The pillow case

Last year, a sales associate at a furniture store offered to lend me a pillow. She said, "I'll write your credit card number on this receipt and bill you if you don't bring it back." When I expressed concern about exposing my credit card data, she offered to tear up the receipt or give it back when I returned the pillow. The following day, as promised, she retrieved the receipt from a locked safe behind a service counter and returned it to me.

In subsequent discussions with security analysts, I learned that writing a credit card number on a piece of paper at the very point of sale does not violate the Payment Card Industry Data Security Standard (PCI DSS). It's what happens afterward that determines whether the merchant is complying with PCI DSS guidelines.

"Merchants want to be friendly and allow their customers to take a pillow home," said Matthew Halbleib, audit director at SecurityMetrics. "They need to design a process that allows employees to do this." Halbleib pointed out that PCI DSS version 3.2.3 disallows storing "sensitive authentication data," which the PCI Security Standards Council defines as post-authorization card data.

"Sensitive authentication data must not be stored after authorization, even if encrypted," states page 8 of the PCI DSS 3.2.3 manual, published in May 2018. "This applies even where there is no PAN [primary account number] in the environment."

Physical and virtual security

Chris Bucolo, director of market strategy at ControlScan Inc., said there are understandably many concerns about the more technical aspects of PCI and data security, but in reality, many PCI DSS requirements are procedural in nature, and payment pros do not need IT knowledge to understand and address them. Physical security and procedures are just as important as those relating to the network and electronic processing aspects, he noted. The key is to weigh convenience issues against security risks and look for ways to protect customers while delivering a seamless, enjoyable customer experience.

Referring to the salesperson's offer recounted above, Bucolo added, "The practice the sales associate described may not have sounded so concerning had she said, 'We have a very clear and strict policy/procedure we follow internally,' and offered more details about how the store protects the data." He provided the following examples:

• We protect the data by keeping it locked in a special fireproof cabinet that is also behind a locked door. Only a few key people have access.

• When you return the item we go in that cabinet and retrieve the receipt the same day, and we use a cross-cut shredder to destroy any evidence of a card number.

• We do not allow the information to be recorded or kept anywhere else.

• If the consumer does not return the item, we process a card transaction on our system and then follow the same destruction procedure for the receipt.

Follow the (card) flow

Halbleib said companies need to define their cardholder data environments, first by identifying all the places where data flows, then by applying controls around those card