May 7, 2013

Security Beyond Compliance

Just because you can check the right boxes on your annual PCI assessment does not mean you are immune from data breaches. You need Security Beyond Compliance®.

What is PCI?

Merchants who accept credit cards are required to abide by the rules of the Payment Card Industry (PCI) Council. The PCI Council is made up of representatives from the card brands, banks, and processors, as well as payments experts from the world’s leading merchant businesses.

PCI’s Data Security Standard, known as PCI DSS, is a checklist of more than 200 requirements that fall into 12 broad categories ranging from access control to network segmentation. They can be expensive and exhausting to comply with, and they change often enough to drive even the most security-minded merchant a little crazy. Unfortunately, not complying with PCI DSS can result in added fees and fines – not to mention increased likelihood of being breached.

The Danger of “Checklist” Security

Merchants realize that they will be less secure without PCI, but many make an illogical jump to believe they will be totally secure if they just comply with PCI. Far too many merchants consider checking off the requirements of PCI DSS to be their full security plan. They may think, “So long as we are PCI compliant, nothing bad can happen to us.” This is absolutely untrue.

Taking a “checklist” approach to security can be a painful and expensive mistake. Merchants who feel that an annual PCI assessment guarantees their security all year long are taking a major risk. Security doesn’t happen once a year; it must be a daily consideration and part of every business decision. Yes, there are some good ideas in PCI DSS, and following them to the letter will increase your security, but you have to remember that compliance is only a moment in time, and security can’t be. Merchants must have security beyond PCI compliance.

How Shift4 Goes Beyond PCI

PCI’s goal is to keep cardholder data (CHD) safe in your environment. Shift4’s goal is to not allow CHD in your environment in the first place.

With our TrueTokenization® technology, you are no longer storing real CHD. With 4Go® or i4Go® in place, your payment application will function as it always has – except it will be processing, transmitting, and storing TrueTokens and not CHD. Add Point-to-Point Encryption (P2PE) to the mix, and you can shrink your card data environment to the size of a swipe device – essentially eliminating all sensitive data in your environment.

Are these technologies required by PCI? Absolutely not. In fact, when combined, these technologies make much of PCI irrelevant to the merchant; only a few physical security questions remain. So why do we do it? Because Shift4 doesn’t settle for “good enough.” Shift4’s security meets all – and far exceeds most – of the security requirements of the PCI DSS, including:

• PCI requires quarterly external vulnerability scans by an Authorized Scanning Vendor (ASV). We do it monthly.

• PCI requires a single quarterly internal vulnerability scan. We have two different vulnerability-scanning systems test our environment every month.

• We have a dedicated Information Security staff whose primary role is to monitor security systems and respond to any nefarious activity against our systems.

• We have a dedicated compliance officer who performs mid-term security audits that go far beyond PCI’s audit requirements.

We understand that not every business can dedicate the resources we do to safeguarding card data, which is why we provide our security solutions to more than 24,000 DOLLARS ON THE NET® merchant customers across North America at no additional cost. They reap the benefit of our hard work and receive regular instruction and assistance on the key issues they need to handle internally. Ultimately, PCI is just not enough. Security Beyond Compliance is vital to the protection of your customers’ sensitive data – and ultimately, the integrity of your brand.