Dotting the I’s and Crossing the T’s:
How to Keep Data Safe in the Era of
Singer and cultural phenomenon Lady Gaga might have said it best when she quipped, “Trust is like a mirror. You can fix it if it’s broken, but you can still see the crack in [its] reflection.”
People put a lot of trust in those they choose to associate with. From their friends and families to the companies they do business with daily, there is a certain level of risk any time personal information is given out.
Will the person they told an embarrassing secret to share it with everyone they know? Hopefully not! But what about the credit card information they gave the restaurant they went to for lunch? Is the information they’re sharing with that concept, including personal data and credit card numbers, protected?
The risk of losing customer trust is a very real problem that can sandbag businesses, tarnish their reputations and cost them millions of dollars per attack.
According to IBM’s Data Breach Report, the average breach costs a business just under $4 million and impacts the data of more than 25,000 records.
In the restaurant industry, the list of brands that have been hit by cyber-attacks includes heavy-hitters like Checkers and Rally’s, Applebee’s, Dunkin’ and Panera Bread… and that’s just since 2018. Unfortunately, while brands like these can pick up the pieces and quickly move on despite a somewhat bruised image, for smaller concepts the damages can be much more severe.
PCI DSS, PA-DSS, and EMV, which are industry standards, and SOC 1 and SOC 2, which are audit and attestation standards, are in place to protect merchants, guests, and issuers from increased risk and liability in the case of a data breach or accidental release of information. These constantly evolving standards cover not just guests and merchants, but processors and issuers as well.
What’s at Stake?
According to PCI Pal, an estimated 44% of Americans say they’ve been caught up in a security breach. Even further, about half of Americans included in the PCI Pal survey said they’d feel more at ease if companies underwent regular audits and added verification systems.
Following several large-scale security breaches, including Facebook, Marriott, and Equifax, customers and industries alike are keeping a closer eye on compliance structures and doing their best to ensure data is protected at all costs.
Unfortunately, breaches are a common occurrence and one that customers take incredibly seriously. PCI Pal’s data suggests that 4-out-of-5 U.S. consumers will alter their spending based on how much they trust a company. Close to 90% of U.S. consumers say they can’t trust their information is being protected by companies. For businesses that don’t follow EMV, PCI DSS, PA-DSS, and SOC 1 and 2 standards, the risk far outweighs any benefits they might receive.
When a hacker steals financial and personal information, a business doesn’t just pay a fine and walk away from the incident. Not only do they lose money because of fines, penalties, and legal fees, they lose out on future revenue down the road because customers can’t trust where their information is going or whose hands it will end up in.
A breach is also likely to hurt a company’s goodwill, the intangible asset that reflects the value of a brand’s name, reputation, customer base and relationships with employees and customers. Goodwill is hard to pin down, but on a balance sheet it is the premium an acquirer pays above the fair value of a company’s identifiable net assets. Following an attack, that premium shrinks, lowering the company’s value and tarnishing its image for some time.
Down the line, those brands may also face higher costs to ensure compliance due to heightened scrutiny from auditors, lose the ability to accept card payments or even go out of business entirely because of financial stress.
It makes sense, though. Let’s say you got pickpocketed the last time you went to the park by your house. Most likely, you’re going to think twice before going back to that park. It works the same way when customers consider what companies they do business with. For some people, they may wait a few months before going back, but for others, the lack of safety and trust will prevent them from ever returning.
Compliance comes in several forms, but all share the goal of protecting customer data. Some are external audit and attestation practices that businesses use to have their controls independently verified (SOC 1 and SOC 2), while others set the security requirements that anyone handling cardholder data must meet (PA-DSS and PCI DSS). Payment cards themselves have also changed: in October 2015 the major U.S. card brands shifted liability for counterfeit card-present fraud onto merchants that had not deployed EMV chip-capable terminals.
Each type of compliance performs a different function, but combined as part of a full suite of cybersecurity initiatives they give operators and guests layered protection that no single standard provides on its own.
PA-DSS and PCI DSS: What to Know
PA-DSS, the Payment Application Data Security Standard, and PCI DSS, the Payment Card Industry Data Security Standard, are both published by the Payment Card Industry Security Standards Council (PCI SSC). While the two acronyms look similar, they cover two different parts of the payment process: PCI DSS applies to any organization that stores, processes or transmits cardholder data, while PA-DSS applies to the off-the-shelf payment software those organizations buy.
PA-DSS is aimed at software vendors, whose payment applications must meet 14 requirements. Among them are protecting stored cardholder data, never retaining full track data, card verification codes or PIN blocks after authorization, developing and testing the software to prevent common vulnerabilities, and making sure cardholder data is never stored on a server connected to the internet. Training for the vendor’s personnel and a PA-DSS Implementation Guide for the merchants who install the software are also required. One caveat worth knowing: in January 2019 the PCI SSC published the PCI Software Security Framework (the Secure Software Standard and the Secure Software Lifecycle Standard), which is replacing PA-DSS for new payment software validations.
So, why does it matter if an application is PA-DSS validated? Validation shows that the vendor has had its software assessed against those requirements by a PA-QSA and listed on the PCI SSC’s site, rather than simply asserting that it is secure. For merchants, it means they can choose software that handles card data the way PCI DSS expects. It does not make the merchant compliant by itself, since the store network, devices and procedures around the application still have to meet PCI DSS.
For those unfamiliar with PCI DSS, the standards were developed in the early 2000s to help address and combat cases of theft and fraud happening online. Shoppers were eager to take advantage of eCommerce, but online shopping and payments also became a prime target of hackers and others hoping to capture valuable credit card information.
In December 2004, the five major card brands (Visa, Mastercard, American Express, Discover Financial Services and JCB International) introduced the first version of PCI DSS, aligning their separate security programs into one standard, and began holding merchants accountable to it.
“PCI DSS are standards for data security and system operation issued by the payment card industry, so the big credit card issuers,” Leonard Redles, PAR’s Director of Development, said. “They are basically a set of security system measures and ways to operate your business when you’re processing credit cards that minimize the amount of risk that they will have to your data being stolen and you exposing credit card numbers to theft. When you go and get that certification, you’re agreeing to a whole lot of technical stuff that you’re going to go do.”
By 2006, the PCI Security Standards Council was formed and regular updates to the standard have been coming out ever since. Much as Google continually updates its algorithms to give users the best experience, PCI DSS is revised to keep pace with new attack techniques and to reduce both the likelihood and the impact of a breach. Currently, the most recent version of PCI DSS is version 3.2.1, released in May 2018. Validating compliance is not trivial: depending on transaction volume, a merchant completes a Self-Assessment Questionnaire or has a Qualified Security Assessor produce a Report on Compliance, and either way must institute a variety of automated controls and codified practices that govern the flow, storage and access of cardholder data and the systems that touch it.
“We make recommendations through our implementation guide for Brink about how to make sure you have a secure store environment but having that PCI secure environment is the merchant’s responsibility,” Christine Fuchs, PAR’s Sr. Product Manager, said. “Normally, if a customer is buying a POS system, they should know to go to the PCI Council site and look up that vendor. Of course, the desire would be that they are purchasing a POS system with the latest certifications.”
When a company is assessed against PCI DSS, several areas are closely scrutinized to ensure data is protected from cradle to grave. This includes everything from the people who process, store and transmit cardholder information, to servers, network infrastructure devices, data centers, individual workstations and the application itself, to determine where any failure points may arise.
There’s a lot of customer data in play every time a person swipes, dips or taps a card at a payment device. PCI SSC divides it into two classes. Cardholder data (the primary account number, or PAN, plus the cardholder name, expiration date and service code) may be stored when there is a business need, but the PAN must be rendered unreadable wherever it is stored and masked when displayed, showing at most the first six and last four digits. Sensitive authentication data (full magnetic-stripe or chip track data, the card verification code printed on the card, and PINs or PIN blocks) must never be stored after authorization, even in encrypted form, and must never be written to logs.
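The following is an added example, not code from the original article or from PAR’s products, showing how a payment application or back-office component can enforce PCI DSS’s storage rules in code: a Luhn check to recognize a PAN, masking to the first six and last four digits before display or logging, and a filter that drops sensitive authentication data before a record is persisted. The record and the log line are constructed sample data, and the field names (pan, cvv2, track2, pin_block) are assumptions made for the illustration.

```python
import re
from typing import Any, Dict

# Constructed sample: what a payment application might hold in memory right after a
# card is read and authorized. Field names are assumptions for this illustration.
SAMPLE_AUTH_RECORD: Dict[str, Any] = {
    "pan": "4111 1111 1111 1111",                      # well-known test PAN, Luhn-valid
    "cardholder": "JANE DOE",
    "expiry": "12/26",
    "cvv2": "123",                                     # sensitive authentication data (SAD)
    "track2": ";4111111111111111=2612101123456789?",   # SAD
    "pin_block": "A1B2C3D4E5F60718",                   # SAD
    "amount_cents": 1850,
    "auth_code": "Z9K21Q",
}

# PCI DSS Requirement 3.2: these must never be stored after authorization, even encrypted.
SENSITIVE_AUTH_FIELDS = frozenset({"cvv2", "cvc2", "cid", "track1", "track2", "pin", "pin_block"})

# 13 to 19 digits with optional single space/dash separators: candidate PANs in free text.
PAN_CANDIDATE_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every card brand's PANs satisfy; cuts false positives on other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the PAN masked to first six/last four, the most PCI DSS Requirement 3.3 permits on display."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: Dict[str, Any]) -> Dict[str, Any]:
    """Drop SAD outright and mask the PAN so nothing written to disk or a database is a live card."""
    cleaned = {k: v for k, v in record.items() if k.lower() not in SENSITIVE_AUTH_FIELDS}
    if "pan" in cleaned:
        cleaned["pan"] = mask_pan(cleaned["pan"])
    return cleaned


def scrub_log_line(line: str) -> str:
    """Mask any Luhn-valid PAN that a developer or library has let slip into a log message."""
    def _mask(match: "re.Match[str]") -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_CANDIDATE_RE.sub(_mask, line)


if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_AUTH_RECORD))
    # Constructed log line: a PAN leaked into a debug message next to an innocent order number.
    print(scrub_log_line("auth ok pan=4111111111111111 order=1234567890123456 amt=1850"))
```

The Luhn check matters in the log scrubber: plenty of sixteen-digit order and invoice numbers pass through a POS, and masking them would destroy useful telemetry, while a digit run that also passes mod-10 is very likely a real card number. Dropping SAD by field name rather than redacting it is deliberate; PCI DSS forbids retaining it in any form, so the safest record is one where the field does not exist.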
Although PCI DSS does a lot to ensure payment transactions are secure, this is only one of several touchpoints in the process. Even if the processing and POS software are both credentialed and fully tested to meet rigorous standards, merchants might not always be as careful. Those who fail to keep up with requirements may open themselves up to several problems if a data breach were to occur.
“We have ISO [International Organization for Standardization] procedures that we would follow if a merchant should report a breach to us, and then we cooperate with whatever authorities are involved with that breach effort,” Fuchs said. “If the merchant were to report a breach, it would be immediately handled by our legal team, and there is a process and a procedure that they follow. There’s information they gather from various departments around the company if something like that should happen.”
Of course, as PAR’s Director of Development Operations Leonard Redles says, the best companies can minimize damage for themselves and their customers by maintaining their compliance. These companies stress security and invest both the time and money necessary to keep their products and procedures up to date and airtight against breaches.
“These are pretty much the core tenets that people want when you’re talking POS. They want PA-DSS, even if the application doesn’t have credit card information. They want to know that your application has been certified to be a POS application. PCI DSS, those standards aren’t just for credit cards, but have benefits for all the data that you have and system security overall.”
PCI and EMV: Working Together to Reduce Fraud
While PCI compliance boils down to a bunch of common-sense practices meant to stop your data from getting into the hands of thieves, there is another type of protection that merchants are using today to keep your numbers safe.
EMV, named for Europay, Mastercard and Visa and now maintained by EMVCo, is a set of specifications for chip-based payment cards and the terminals that accept them. Most cards issued since the October 2015 U.S. liability shift carry a chip. The chip holds its own cryptographic keys and, for every transaction, computes a unique cryptogram over details such as the amount, a transaction counter and a random number from the terminal, which the issuer verifies before approving. Because the cryptogram is different every time and cannot be produced without the chip’s key, a captured transaction or copied card data cannot be replayed to create a counterfeit chip card. Cardholder verification, whether chip and PIN or chip and signature, adds a check that the person presenting the card is its owner. One caveat: EMV does not hide the account number itself, so a breached terminal or store network can still leak PANs that are usable for online fraud, which is why PCI DSS still applies to EMV merchants.
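To make the difference between static stripe data and a per-transaction cryptogram concrete, here is an added example, not code from the original article, from EMVCo’s specifications or from any vendor. It is a deliberately simplified model: HMAC-SHA256 truncated to eight bytes stands in for EMV’s real 3DES-based application cryptogram and session-key derivation, the issuer master key, PAN, track data and terminal nonce are constructed values, and the message is reduced to amount, application transaction counter (ATC) and the terminal’s unpredictable number. What it does show faithfully is why a captured chip transaction can be neither replayed nor altered, while a copied magnetic stripe is accepted as often as it is presented.

```python
import hmac
import hashlib
import struct
from typing import Any, Dict

# Constructed issuer master key and test PAN; real issuers keep such keys in an HSM.
ISSUER_MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
TEST_PAN = "4111111111111111"


def card_key(pan: str) -> bytes:
    """Per-card key derived from the issuer master key and the PAN.

    Stand-in for EMV's ICC master key derivation: the chip is given this key at
    personalization and it never leaves the chip afterwards.
    """
    return hmac.new(ISSUER_MASTER_KEY, pan.encode(), hashlib.sha256).digest()


def cryptogram(key: bytes, amount_cents: int, atc: int, unpredictable_number: bytes) -> bytes:
    """Eight-byte MAC over the transaction fields; stand-in for the EMV ARQC."""
    data = struct.pack(">QI", amount_cents, atc) + unpredictable_number
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class Chip:
    """The card. Holds its key and a counter that increments on every transaction."""

    def __init__(self, pan: str) -> None:
        self.pan = pan
        self._key = card_key(pan)
        self.atc = 0

    def generate_arqc(self, amount_cents: int, unpredictable_number: bytes) -> Dict[str, Any]:
        self.atc += 1
        return {
            "pan": self.pan,
            "amount_cents": amount_cents,
            "atc": self.atc,
            "un": unpredictable_number,
            "arqc": cryptogram(self._key, amount_cents, self.atc, unpredictable_number),
        }


class Issuer:
    """Online authorization host: recomputes the cryptogram and enforces a monotonic ATC."""

    def __init__(self) -> None:
        self._last_atc: Dict[str, int] = {}

    def authorize_chip(self, msg: Dict[str, Any]) -> str:
        expected = cryptogram(card_key(msg["pan"]), msg["amount_cents"], msg["atc"], msg["un"])
        if not hmac.compare_digest(expected, msg["arqc"]):
            return "DECLINE:bad_cryptogram"   # fields changed in transit, or a clone without the key
        if msg["atc"] <= self._last_atc.get(msg["pan"], 0):
            return "DECLINE:replay"           # counter already seen: a replayed capture
        self._last_atc[msg["pan"]] = msg["atc"]
        return "APPROVE"

    def authorize_stripe(self, track2: str) -> str:
        """Magnetic stripe: nothing in the static track data ties it to this transaction,
        so a skimmed copy is indistinguishable from the genuine card."""
        return "APPROVE" if track2.startswith(";" + TEST_PAN + "=") else "DECLINE"


def run_demo() -> Dict[str, str]:
    chip, issuer = Chip(TEST_PAN), Issuer()
    un = bytes.fromhex("1a2b3c4d")                         # constructed terminal nonce (normally random)
    genuine = chip.generate_arqc(1850, un)
    tampered = dict(genuine, amount_cents=18_500)          # attacker raises the amount in transit
    skimmed_track = ";4111111111111111=2612101123456789?"  # constructed static track 2 data
    return {
        "genuine": issuer.authorize_chip(genuine),
        "replayed": issuer.authorize_chip(genuine),
        "tampered": issuer.authorize_chip(tampered),
        "next_genuine": issuer.authorize_chip(chip.generate_arqc(1850, un)),
        "stripe_first_use": issuer.authorize_stripe(skimmed_track),
        "stripe_replay": issuer.authorize_stripe(skimmed_track),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:17} {result}")
```

The two checks in authorize_chip do different jobs: the MAC comparison catches anything that lacks the card’s key or changes the signed fields, and the ATC comparison catches a byte-for-byte replay of a message that was genuine the first time. Note also what the model does not protect: the PAN travels in the clear in every message, which is the gap PCI DSS is there to close.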
Although PCI and EMV target two different areas of the payment process, Fuchs says some merchants have been slow to adopt EMV technology, mostly due to financial constraints.
“It became a mandate in 2015 and many merchants were slow to initially adopt it, but it is now gaining wider acceptance and is becoming a standard,” Fuchs said. “People have been slow to adopt it because it costs money; you do have to buy devices for every store so there are costs involved.
For those who have been slow to adopt it, if they go through PCI audits, meaning they use an external audit company to come in and audit their stores, it is possible that their external auditor has given them a deadline that they need to move to an EMV solution.”
While the costs of an EMV-capable solution may seem prohibitive at first, they are likely much lower than the cost of playing Russian roulette with customer data. According to CardFellow, the cost of non-compliance varies from one acquirer or processor to another, but some have begun charging merchants who don’t have EMV-capable terminals a recurring non-compliance fee. Worse yet, since the 2015 liability shift the party that is not EMV-capable absorbs the loss from counterfeit card-present fraud, so being PCI DSS compliant does not make EMV non-compliance any less of a financial risk.
“If they had something in their store environment that led to the breach, it could be their fault,” Fuchs said. “But [being EMV and PCI compliant] will drastically reduce your chances of being liable. The intent is to remove liability, meaning what we provide removes liability. But if they have something in their store environment, like maybe something that’s not secure with their network that allowed the breach to happen, that would be their fault.”
The liability shift from issuers to merchants regarding EMV was meant to push more merchants into adopting chip card technology, which has been successful in reducing card-present fraud since its introduction in the United States. Visa announced in March 2018 that merchants who upgraded their card readers to accept chip transactions saw a 76% reduction in counterfeit fraud dollars during a period from December 2015 to December 2017.
SOC It to Me: The Case for SOC 1 and SOC 2
Alongside PA-DSS and PCI DSS are the System and Organization Controls, or SOC, reports (formerly Service Organization Control reports) that service companies obtain to have an independent auditor attest to their internal controls. A SOC 1 report covers controls that matter to customers’ financial reporting, while a SOC 2 report covers controls over the security, availability, processing integrity, confidentiality and privacy of the systems and data the company handles, so it reaches into areas such as Human Resources where sensitive information is collected.
Redles says SOC audits are important for companies to maintain because they ensure their operations are secure against threats of any type.
“Type 1 is a verification that you have controls and Type 2 is an external auditor verification of them by reviewing system data, samples, policies and actual things that were done,” Redles said. “They’re just generally different types of audits. There are a couple of different levels of attestation you can get for your corporate policies. You must create a certain level of policies to meet the minimum requirements, and then you can create whatever extra policies you also want. They certify that you have every policy document around the core tenets of what they’re auditing, you are following your processes, and they are sufficient to protect the data you own and maintain system security.”
Typically, SOC 1 reports cover controls relevant to customers’ internal control over financial reporting and are performed under the AICPA’s SSAE 18 attestation standard. SOC 2, on the other hand, covers non-financial controls and is measured against the American Institute of Certified Public Accountants’ (AICPA) Trust Services Criteria, which span security, availability, processing integrity, confidentiality and privacy. Security is the only mandatory criterion; a company chooses which of the others to bring into scope, so two SOC 2 reports are not necessarily comparable until you read which criteria each one covers.
Both SOC 1 and SOC 2 reports come in Type 1 and Type 2 versions. A Type 1 report describes the controls and assesses whether they are suitably designed at a single point in time. A Type 2 report also tests whether those controls operated effectively over a review period, typically six to twelve months, which is why customers usually ask for Type 2. To muddy the water more, there are also SOC 3 reports, which summarize a SOC 2 examination in a general-use format the company can publish freely, without the detailed control descriptions and test results.
The SOC reports work together to provide a certain level of relief to customers, knowing that the companies they’ve entrusted their data with are using it appropriately and have the right internal controls in place to protect it and keep it private.
“For PAR, it was proving that we don’t give data away, we properly secure it, we have all the right controls in place, rotate passwords, rotate encryption keys, use MFA to connect all our remote systems, etc. It also ensures we have proper security procedures in place, teams that review everything, automated systems that maintain system security, and employees watching.”
Any company selling under the Software as a Service, or SaaS, model is a prime candidate for SOC 2, because the report speaks directly to how the service protects customer data. As cloud adoption has grown, companies that store customer data in the cloud increasingly find that larger customers will not sign a contract without seeing a SOC 2 report.
“SOC 1 and SOC 2 are actually just certifying your organization has proper procedures and policies and cared enough to go create them and put some effort into following them,” Redles explained. “So, if you’re not willing to do any of those things, which are pretty commonplace in today’s world for any company that’s making money and selling to larger customers, it does make you question what they’re doing.”
However, despite the cost of SOC 1 and SOC 2 auditing and compliance, Redles believes the additional safety and trust garnered by these businesses is more than enough to outweigh the required work.
“It slows you down to have to maintain these things but, at the same time, security is not meant to be convenient,” Redles said. “Convenient security is not security.”
Not All Customer Data is Financial, But it Still Needs Protection
We’ve talked a lot about what companies are doing to protect your financial and payment card information, but it’s more than likely you have a lot more data floating around on the internet than those all-important 16 digits. Data is one of the most valuable assets a company can get its hands on, and in many cases, we’re more than happy to provide it to them in exchange for something we want.
Whether it’s a 15% off coupon to your favorite online store or that can’t-miss whitepaper you have to get your hands on, we’re usually fine sharing tidbits of our personal information with companies we trust. But what happens to that data once we hand it over has become the subject of a growing number of laws meant to control how it is used and who has access to it.
Companies that do business not just in the United States but worldwide are coming to terms with how the valuable data they collect needs to be protected, while simultaneously giving consumers the power to control what happens to their information once it is collected. This push toward increased privacy shifts more of the power back to the consumer and adds safeguards meant to prevent their information from ending up in the wrong hands.
If you live in the European Union, you’ve likely come across this four-letter acronym more than a few times. The General Data Protection Regulation, or GDPR, became enforceable on May 25, 2018, and essentially drags privacy and data collection into the 21st century by standardizing how companies process the personal data of people in the EU, wherever the company itself is based, while giving consumers more transparency into the process.
Today, when a customer provides personal data in exchange for a newsletter, product demo, coupon offer, webinar or anything else, several steps need to happen. Where a company relies on consent, it must be obtained using clear, concise language; businesses are no longer allowed to bury consent in policies jam-packed with legalese, and the consumer must be able to withdraw that consent as easily as it was given, at any time. Separately, consumers have the right to erasure, better known as the right to be forgotten, under which they can ask a company to delete their personal data.
GDPR also gives consumers the right to access the data a company holds about them on request, to have inaccurate data corrected and incomplete data completed, and, under the right to data portability, to receive their data in a machine-readable format and move it to another company if they choose.
Companies are also held to a high standard in handling customer data, and must have appropriate technical and organizational security measures in place to protect it. In the case of a breach, GDPR has consumers’ backs as well: a data controller must notify its supervisory authority within 72 hours of becoming aware of the breach, where feasible; a processor must tell the controller without undue delay; and where the breach is likely to pose a high risk to individuals, the affected people must be told without undue delay too. Companies that drag their feet face fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.
While some EU countries have taken a more modest approach to levying fines toward offending companies, the United Kingdom came out swinging. In July 2019, the UK’s Information Commissioner’s Office (ICO) issued a notice of intent to fine British Airways more than £183 million for a breach the company reported in September 2018. The very next day, the ICO issued a second notice of intent to fine Marriott International just shy of £100 million under GDPR. Although the agency suggests the compromise of Marriott’s Starwood guest database began in 2014, it wasn’t discovered and reported until late 2018. (Both were notices of intent rather than final penalties; after hearing the companies’ representations, the ICO’s final fines in October 2020 were £20 million for British Airways and £18.4 million for Marriott.)
What’s interesting about situations like Marriott’s is that enforcement isn’t confined to companies on the regulators’ side of the pond. GDPR’s territorial scope reaches any business that offers goods or services to people in the EU or monitors their behaviour, regardless of where it is headquartered. Companies that are currently failing to comply run a very real risk of drawing the attention of regulators who are bullish on protecting consumer data.
If you thought the European Union was the only governmental entity pushing for tighter data security laws, you’re incredibly mistaken. One doesn’t need to look much further than our backyard, as California is set to implement a set of data protection standards that directly rival those in Europe.
The California Consumer Privacy Act follows many of the same tenets laid out by the GDPR but does have a few distinctions that make it unique. According to the National Law Review, the CCPA, which takes effect January 1, 2020, will allow consumers to know what data of theirs is being collected, whether it’s being sold or disclosed to other third-party companies, opt-out of having their data sold and make it easier to sue companies in the wake of a data breach.
The law also comes with a 12-month lookback, which means that when a consumer requests access to their personal information, a company must provide the data it collected about them in the 12 months preceding the request, not just what it happens to hold today.
While the CCPA is meant to protect California residents from companies misusing or losing their personal information, the law reaches businesses across the United States. It applies to any for-profit business that does business in California and collects California residents’ personal information, wherever it is headquartered, provided it meets at least one of three thresholds: annual gross revenues above $25 million; buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices a year; or deriving half or more of its annual revenue from selling consumers’ personal information.
There are a lot of moving parts to the CCPA, but the main idea is that consumers’ data needs to be protected, no matter where it comes from or what it’s being used for. Despite looking a lot like GDPR, the CCPA carries some distinctions that give Californians rights of their own. Its definition of personal information covers data linked to a household as well as to an individual, which GDPR’s definition of personal data does not. The CCPA also allows consumers to request deletion of the personal information a business collected from them without giving a reason, whereas GDPR’s right to erasure applies only where one of six listed grounds fits. The CCPA’s deletion right is not absolute, though: a business may keep data it needs to complete the transaction the consumer asked for, to detect and respond to security incidents, to meet a legal obligation, or for a handful of other listed exceptions.
By expanding the rules to include any reason at all for consumers to remove their data, it takes the power from big businesses that rely on selling or sharing it with other companies and puts it back into the hands of those who are directly affected by those actions. The CCPA also gives consumers more teeth when it comes to compensation for breaches and other misuses of their data by reducing the amount of red tape associated with taking legal action.
The Future of Security
It isn’t enough today for tech companies to simply say they follow the guidelines without taking the appropriate actions of getting, and maintaining, their certifications. Although the number of reported U.S. data breaches in 2018 slipped compared to 2017, the number of exposed consumer records containing Personally Identifiable Information (PII) rose more than 126%, to more than 446 million, according to the Identity Theft Resource Center’s 2018 year-end breach report.
With so much information freely flowing across the internet, it’s more important than ever to work with businesses and vendors that take pride in protecting that information from attacks. Whether it’s a hacking attempt, a case of unauthorized access or even accidental exposure caused by a careless employee, customers deserve to have their data kept private and out of the hands of a would-be attacker.
And if the threat of a foreign government or hacking group doesn’t scare you, consider this: the threats ahead are likely to become even more complex and clever. For example, attackers may turn to artificial intelligence, using the massive amounts of data collected about a target to find weak points in its networks, or using synthetic audio and video (deepfakes) and machine-written messages to impersonate a trusted executive in a phishing email or to spread misinformation to the public.
Governmental organizations around the world are taking notice of how data is transferred from consumers to businesses and are slowly changing the rules to reflect the current situation. By making it easier to be forgotten, access personal data and ensure everything is being secured properly, regular citizens now have certain guarantees that protect them from mistakes. While this probably won’t stop all breaches from occurring, it does add a level of safety and accountability that has been lacking in recent years.
Companies also benefit by way of avoiding costly penalties, fines, and lost customer trust. As the famed inventor and statesman Benjamin Franklin once proclaimed, “An ounce of prevention is worth a pound of cure.” None of these certifications are cheap, and all are time-consuming to earn and maintain, but the cost of losing valuable customer trust, and possibly revenue, because of a singular costly mistake is a risk that, for most companies, isn’t worth taking.