Technology in Business

PCI Compliance - Why it's important for you!

Russ Levanway — Wed, 03 Nov 2010 19:09:00 GMT

What is PCI Compliance and where did it come from?

In 2004 the five major credit card companies (Visa, MasterCard, Amex, Discover and JCB) formed the Payment Card Industry Security Standards Council (PCI-SSC). The council created worldwide data security standards that together became known as the Payment Card Industry Security Standard (PCI-DSS). These standards were put in place with the intention of enhancing security and decreasing fraud among a growing amount of credit and debit card transactions in today's business world. PCI looks to increase required controls around data and lessen exposure to compromise. The standard applies to all entities that process, hold, or transfer cardholder information if the card is branded with the logo of one of the five brands.

The Six Basic Requirement Categories

1. Build and Maintain a Secure Network

Install and maintain a firewall configuration to protect cardholder data.
Do not use vendor-supplied defaults for system passwords and other security parameters.

2. Protect Cardholder Data

Protect stored cardholder data.
Encrypt transmission of cardholder data across open, public networks

3. Maintain a Vulnerability Management Program

Use and regularly update antivirus software.
Develop and maintain secure systems and applications.

4. Implement Strong Access Control Measures

Restrict access to cardholder data by business need-to-know.
Assign a unique ID to each person with computer access.
Restrict physical access to cardholder data.

5. Regularly Monitor and Test Networks

Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes.

6. Maintain an information Security Policy

Maintain a policy that addresses information security.

(Source: PCI Security Standards Council,

www.pcisecuritystandards.org/security_standards/pci_dss.shtml)

The Four Levels of Compliance and How Compliance is Monitored:

PCI-DSS divides card-processing organizations into four levels by number of credit and/or debit card transactions per year.

Level 1 Companies that processes over 6 million transactions per year regardless of acceptance channel, OR if Visa determines separately it should be categorized as level 1 due to increased risk of the company. These organizations must have an annual onsite review by an independent Qualified Security Assessor (QSA). They are also required to undergo quarterly scans by an approved scanning vendor which attempts to breach the company's data security.

Level 2 Companies process between 1 and 6 million transactions per year regardless of acceptance channel.

Level 3 Companies processing 20,000 to 1 million Visa e-commerce transactions per year.

Level 4 defines all companies processing fewer than 20,000 Visa e-commerce transactions per year AND all other organizations processing up to 1 million transactions per year regardless of acceptance channel. Levels 2-4 do not require an independent QSA annual assessment, but instead are responsible for a Self-Assessment Questionnaire (SAQ. The SAQ varies based on level. Also levels 2-4, similar to level 1, must take part in quarterly scans by an approved scanning vendor.

Three Important Things About PCI to Remember:

1. Compliance IS mandatory for any and all companies (regardless of size, revenues, etc) that process credit card transactions from the mentioned credit card companies.

Any and all entities that accept credit or debit payments were required to be compliant to PCI standards by Jan. 1 2009. This is usually defined in the contracts that set up an organization with the ability to process these transactions. A new stricter enforcement of the regulation was initiated on July 1^st 2010 to ensure continued compliance.

2. Large fines can be applied to organizations that are not PCI compliant.

The card companies have declared they will up the fines to anywhere from $5,000 to $500,000. Additionally they have the power to remove a company's ability to accept credit and debit payments. Visa has expressed they will waive the fees of a security compromise if the company can prove they were in fact PCI compliant. Again these fines apply to all organizations processing any number of credit card transactions.

3. Third party processing companies are not exempt from the compliance standards.

These organizations must still assume full responsibility of compliance although in some cases risk may be slightly lessened.

Concluding Remarks

The PCI Security Standards Council is increasing focus on the enforcement of these standards. They continue to emphasize the serious consequences that can affect all business entities if they do not take the necessary steps to prove they are in fact PCI compliant. Make sure to check with your IT service provider to ensure your business is fulfilling the requirements.

Check Settlement in the Digital Age

Ken Long — Thu, 11 Mar 2010 01:41:00 GMT

In our most recent Softec meeting we were treated to a discussion and demonstration of how technology is helping make paper records more accessible, easier to transport, more disaster-resistant, and more environmentally friendly. In the banking industry, the same thing is happening with the checks you write. In fact, these days the paper check you write to pay the mortgage, your water company, or even your teenage babysitter may cease to exist just moments after they receive it!

Up until early last decade, the tens of billions of paper checks written in the United States were settled physically. Each bank would bundle up their checks and ship them in trucks and airplanes either to each other or, mostly, to the Federal Reserve. The Federal Reserve would then sort them out and send them (again by trucks and airplanes!) to their originating banks. As recently as 2000, each weeknight the Fed made nearly 200 flights to move 23 tons of checks with a face value of $13 billion among 45 endpoints and five hub cities! The delays caused by the grounding of all air traffic after 9/11 drove home the point that physical transport of all this critical paper was inefficient and prone to disaster.

Now, practically all checks are settled as electronic images. In October, 2004, the Check 21 Act removed legal barriers to the digital settlement of check images, and technology took it from there. Paper went from 100% of check volume going through the Fed to just 1% in less than 6 years. And the Fed now has only one paper check processing site. It's in Cleveland, in case you're planning a trip.

What does all this mean to you? Well, the parts some people grumble about are that checks are clearing faster (no more playing the float) and we can't get our original paper checks back from the bank anymore. But the benefits are enormous. With a small desktop check scanner, many businesses are using remote deposit capture software to make all their deposits online, skipping daily trips to the bank. Others are scanning checks right at the cash register and shredding them or handing them back to the customer. These companies get their money faster and much more conveniently, with less opportunity for errors or fraud. Energy savings from not having to fly planes all over the country have been dramatic. And the benefits aren't limited to businesses. Some institutions are experimenting with technology that lets consumers deposit checks by taking pictures of them with their smartphones!

Paradoxically, all this technology to help settle paper checks electronically has made it easier to keep using them just as the industry had hoped to kill them off. But with the increasing popularity of electronic funds transfers, online bill payment, and debit cards, the volume of checks written will continue to decline over time and your kids or grandkids may never even see one.

Haitian Relief Contributions and Texting

Eric Schwefler — Tue, 26 Jan 2010 23:32:00 GMT

On January 22, 2010, President Obama signed into law a bill that allows donors to accelerate the income tax benefits of charitable cash contributions for the relief of victims of the earthquake in Haiti. The new law allows individuals who make charitable contributions to aid Haitian earthquake victims to elect to claim an itemized charitable deduction on their 2009 tax return (instead of having to wait until next year to claim the deductions on their 2010 tax return). The election applies only to Haitian relief contributions made in cash after Jan. 11, 2010, and before Mar. 1, 2010. If the election is made, Haiti relief donations are deductible on the 2009 return, not the 2010 return.

While the speed with which our federal government acted and the generosity of the American people in response to this catastrophe are to be applauded, there is also a technology aspect of the American aid response that is worthy of note. On a scale never seen before, Americans provided much needed financial aid in response to a natural disaster through texting. In contrast, telephone-based pledging and web-based pledging have been used widely to raise funds in response to past disasters. In those cases, a credit card was generally used to finance the pledge. This time, a quick and simple text made the contribution with your telephone carrier providing the credit via a charge to your monthly bill. Although many may view texting as common as the air we breathe, this transaction is significant as it represents an ongoing extension of the delivery of technology reducing transactional barriers and enabling significant segments of the population to help others in an immediate and a meaningful way. Of added importance is the pragmatic approach the federal government has taken in response to the current technology of giving. The new law allows a telephone bill to satisfy the recordkeeping requirements to substantiate the federal income tax deduction. Rather than a slow-to-react bill steeped in the traditional requirements imposed for documenting income tax deductions, our federal government embraced the reality of the situation and passed a very sensible, current, and effective piece of legislation.

My appreciation goes to the American people for their selfless charity, and to the U.S. government for getting it right while it matters.

Required Disclaimer: Pursuant to IRS Circular 230, the Internal Revenue Service requires us to inform you that any tax advice included herein is not intended or written to be used, and it cannot be used by any taxpayer for the purpose of avoiding penalties that may be imposed by the IRS on the taxpayer.

Monitoring and Proactivity - How to keep your systems up, running and available.

Russ Levanway — Mon, 18 Jan 2010 22:13:00 GMT

Monitoring

Proactive vs. Reactive

In the world of Information Technology (IT), there are two primary models of support. Most companies are accustomed to a break/fix model, where a computer or software system goes down and it is necessary to pay an IT specialist to get they system restored to normal functionality. This model has serious limitations. First, you are paying your IT specialist while you are down. The longer your downtime, the more you pay. Second, while a critical system is down, your business is probably losing productivity and money.

Instead of taking this reactionary break/fix approach, what if your IT infrastructure is maintained on a proactive basis? Instead of paying your IT provider when the system is down, what if you paid a fixed monthly fee to keep your systems up? In so doing, you shift the burden of minimizing downtime to your IT provider. If they have to devote a day of tech time to bring a system back up without additional pay, their inclination will be to do what is necessary to catch problems before they start.

Does this sound unrealistic? Actually, it is not, and the new industry standard model for IT support is a proactive, fixed cost approach. This is called Managed Services.

Becoming Proactive through Monitoring

There are many elements to a proactive approach to IT support. One of the cornerstones of the proactive model is systems monitoring via what is called a “monitor set.” A monitor set is a grouping of alerts that are designed to notify your IT staff of a software or hardware incident. For example, a monitor set designed to watch your e-mail server would check to see if the server is up and responding to connections from other email servers, if web access to email is up and running, if there is enough space on the servers hard drive, if the spam filter is running, and if the email database is running. If there are any issues, the monitor will send an alert to an IT person responsible for fixing the problem.

Monitors can be configured based on certain thresholds. For example, if you have less than 10% of free space on your hard drive, or if your antivirus software is more than 10 days out of date, an alert can be generated and sent to your IT staff. Also, in some instances, monitors can be configured to catch the early warnings before a system goes down. With the information from a monitor, your IT staff may be able to prevent a downtime incident from even occurring.

Of course, no matter what model you have, there is going to be some downtime and outages. Software has bugs, and it crashes occasionally. Systems slow down over time due to aging hardware and newer software with heftier requirements. Hardware, especially hard drives, can suddenly fail and leave you in the lurch. An extended power outage may bring your systems to a halt. But if you can reduce your downtime by 50% or more, and shift the cost burden of downtime to your IT provider, wouldn’t that be a great deal for your business?

Russ Levanway is the CEO of TekTegrity, Inc, an IT Strategies and Management firm based in San Luis Obispo, California. TekTegrity provides premium IT services to businesses, government, education, and non-profit organizations. For more information about TekTegrity, go to www.tektegrity.com

What is VOIP and should I be using it in my business?

Jeff Buckingham — Fri, 15 Jan 2010 04:00:00 GMT

One question that is on the minds of many business owners is, "Should I be using VOIP in my business?" This is a great question and as usual with many things, the answer is, "that depends." Many people assume that there are cost savings associated with using VOIP services. This is sometimes true but VOIP services can actually be more expensive in some business applications.

VOIP stands for Voice Over Internet Protocol and the name is applied to a wide range of services that convert voice telephone calls to a stream of data which can be passed over private networks or the Internet. There are 3 main areas of VOIP that could be used in a business.

Consumer VOIP services - These are free or low cost services such as Skype, Vonage, or Google Voice that are typically used for their enhanced features or for saving money on long distance telephone calls. These services are especially popular for placing International calls. Skype is also gaining momentum as a video conferencing service. These services often do save money but the quality of calls can vary since the provider has no control over the user's Internet connection. If a call is poor quality the user can easily place the call over a regular telephone line. These services do work especially well to save money when an employee is located in another country. The amount of money saved is usually significant compared to buying traditional telephone service. If occasional calls are poor quality they can be placed over a land line telephone so there is little disruption to the business.
Business VOIP services such as hosted PBX - Hosted PBX services are becoming quite popular with business. A hosted PBX is a telephone system that is housed outside of the customer's office in the provider's network. The customer uses an Internet connection and VOIP telephones connected to their local area network. The advantage of these services can be a fixed cost per month with unlimited calls as well as using the same telephone system for employees with a common voice mail and dialing plan. The disadvantage of these services can be service outages caused by the customer's local area network, the internet connection, or the hosted PBX provider. It is also often difficult to diagnose the source of the service outages resulting in frustration for the customer and service provider. The highest quality hosted PBX providers will provide their own Internet connection and often insist on managing the customer's local area network so they can make sure that service works properly. Some customer's save money with hosted PBX but many do not due to the cost of local area network upgrades. These systems need to be looked at on a case by case basis.
VOIP based business telephone systems - These systems are provided by placing the telephone hardware at the customer's office. The features are very similar to a hosted PBX and the telephone lines can be VOIP based (called SIP trunks) or traditional telephone lines. The initial cost of these systems is often 20 to 50% higher than a traditional telephone system but there are long term savings on maintenance, for example; employees can simply plug their phone into any network jack in the office. There is often a requirement for upgrade or replacement of the local area network equipment for these systems to function properly.

VOIP is growing rapidly in business telecommunications and there is no question that this trend will continue. In spite of the popularity there are many customers who have experienced significant service interruptions due to poorly planed installations. Even the best installations do tend to have a higher incidence of occasional unexplained technical problems. It is highly recommended that hosted PBX and other business installations be handled by a trained professional with a past record of successful installations. Make sure that thorough reference checks are performed on any vendors before the project is implemented and that the system is fully tested under real life conditions before the installers leave the building.

Please feel free to contact Jeff Buckingham by visiting his profile page.