Healthcare Wake up Call

It is hoped that Anthem’s breach, affecting 80 million of its customers, will be the kind of wake-up call for the Health Care Industry about the need for comprehensive data security measures that the Retail industry experienced with Target and Home Depot. The fact is that information from Health Care files is even more valuable to hackers than Credit Card information, as Medicare and Health Insurance information sells for a premium on websites that trade data on the black market. Anthem’s records include names, addresses and Social Security numbers, which can be used to open new accounts without the individual suspecting anything until the damage has been done. With pilfered Social Security numbers, ID thieves can claim benefits in the victims’ names and even apply for employment.

The Health Care Industry and Hospitals have experienced something of a fatigue with patient security and privacy, having undergone over recent years the extensive and expensive requirements imposed by HIPAA. Having implemented HIPAA’s stringent security requirements, many in the health care industry have been either complacent or under the false impression that they do not need to comply with PCI DSS requirements as well. There has also been a false impression that hackers will be content to continue to focus on the retail, restaurant and hospitality industries, which have been low-hanging fruit for hackers over the last few years. However, there is no substitute for the layered data security measures that PCI DSS requires: encryption, tokenization and employee training. Hopefully, the Health Care industry will take heed of the painful lesson of Anthem’s massive and costly breach.

The Year of the Hack

It seems only fitting that 2014 should have ended with the much-publicized hacking of Sony, as the American public was inundated all year with one sensational account after another of damaging data security breaches. Those surrounding Target, UPS, K-Mart, Staples, Dairy Queen, and Home Depot have certainly received the full attention of the media, as they should given their magnitude. However, this publicity masks a much deeper-rooted strategy of hackers toward their typical target (with a small “t”). The predominant share of security breaches, up to ninety percent, occur at small merchants such as your neighborhood restaurant, convenience store or clothing boutique. The fact is that the typical operator of a franchise is most often a small business owner and not a large corporate entity. These smaller players simply go out of business or spend years attempting to recover from their losses.

The more telling story is that hackers are successfully penetrating the very backbone of U.S. commerce because these small and medium-sized merchants are much more vulnerable; hackers consider them low-hanging fruit. Rather than resigning themselves to another year of devastating breaches that drain the economy and damage the public trust, this would be a good time for executives to make a New Year’s Resolution to take a little time to understand where the underlying vulnerabilities are in their systems and to take the relatively simple measures that severely reduce the risks. Credit card companies have developed a comprehensive list of best practices and procedures (the Payment Card Industry Data Security Standard, best known as PCI DSS) that U.S. merchants are required to apply in order to significantly lessen the prospect of hackers gaining entrance to their store’s Point of Sale systems, which act as the gateway and nerve center for merchant commerce. The overriding problem is that banks, card processors, and POS companies have failed to effectively educate merchants on these standards. As hotel managers, restaurant operators and retailers are consumed with the day-to-day challenges of running their businesses, they understandably don’t find the time to do anything but pay cursory attention to related webinars or email blasts on the subject.

The solution really isn’t very complicated. The vast majority of security breaches can be avoided by simply having the merchant understand and apply common sense practices and make a few modest investments in basic security measures. For instance, a significant number of breaches can be eliminated by employees knowing not to use default or simple passwords as well as changing passwords frequently.

Breaking down into plain English and demystifying the basics behind security mechanisms such as firewalls, encryption and tokenization is really not that difficult. Although the convenience of a restaurant operator having remote access to their Point of Sale terminal may be very desirable, it can give a hacker a path to customer credit card information if it is not used properly with sufficient authentication measures.

We have more than adequate security controls available today if they are simply understood and utilized properly. We don’t have to wait for the mass introduction of alternative technology, such as Chip and PIN, to dramatically reduce the volume of breaches. In fact, Chip and PIN is not a silver-bullet solution. Merchants must not become complacent and lose sight of the fact that keeping their customer data safe requires a layered approach that incorporates Chip and PIN, encryption, tokenization and employee education.

Small and large merchants alike can cut through the background noise and understand how best to use accessible and effective controls and practices so that more painful data security breaches will not continually be repeated.

Franchises: What You Need to Know

There has been a dramatic proliferation of credit card and security breaches impacting large franchisors. Many of the breaches that hit the Franchisor’s brand and pocketbook emanate from mistakes made within their Franchisee locations. This “weak link” is difficult to plug, as franchisors are unable to exercise and push down the same security controls and system awareness to their Franchisees as they do with their own employees.

What franchisors have learned is that they face a greater impediment in minimizing the risk of security breaches than the rest of the corporate world. Because of the legal concept of Joint Employer Liability, Franchisors attempt to stay clear of their Franchisees’ day-to-day operational decisions so that the Franchisor can avoid being sued by a plaintiff’s attorney seeking redress against one of their franchisees for a “local” action or omission. Although this has been an effective approach for Franchisors over the years in other areas, it is more problematic for Franchisors trying to implement a comprehensive plan to safeguard their enterprise from the immense harm hackers can cause to their brand. As a result, Franchisors are compelled to find trusted third-party PCI DSS experts who understand the dilemma and can properly walk the tightrope between Franchisor and Franchisee.

Avoid Paying Expensive Add-on PCI Fees

A number of Card Processing companies add a “PCI Compliance Fee” to merchants’ monthly bills. Oftentimes they are doing nothing more than presenting their commercial customers with something so cursory and basic that it has the effect of lulling those customers into a false sense of complacency and security. There have been too many cases where merchant clients have been breached and learned after the fact that the monthly processing “compliance” fee was nothing but an excuse for the processor to make more money without providing a meaningful or tangible service. Ask your processor precisely what they are doing to justify their add-on fee. Avoid being a victim of the worst kind of rip-off, where companies exploit the real fear of security breaches, capitalize on that fear economically, and leave their customers unduly exposed by failing to offer any real or substantive protection.