PCI Data Security Standard (PCI DSS)

201499 Resource 183005 183122 183122 1207796951142 1207797168410 Controlled PCI For Stores: Take the Short Cut or the Path to Real Protection?

Retailers focusing on PCI compliance must become more critical of point of sale systems

There is a lot of buzz around Visa’s <a href="http://www.pcisecuritystandards.org/tech/index.htm">PCI Standard</a> these days. Companies are scrambling to be compliant, auditors are experiencing Y2K kind of consulting revenue growth, and technology vendors are claiming to solve all your problems.  Many companies find themselves at a crossroads:  Do I take the short cut or the path to real, ongoing protection of customer data. For example, most PCI Level 2 merchants can do a self assessment and say they are compliant. If they are later audited and some problems are found they get 6 months to fix those problems and get compliant again, before they face any fines. But what if there’s a data breach in the meantime?Like anyone else, I am a consumer. I buy groceries Safeway and Albertsons.  I take my girls out to buy beads from small art stores and ice cream from Dairy Queen. Before walking into any of these shops I don’t think about whether the store is a level 1, level 2, level 3 merchant.  But, maybe I should.  We use credit cards in all those stores indiscriminately and even if they are all PCI compliant, the risk of our credit card data being stolen may be different orders of magnitude.  This whole mess reminds me of when I came to the <country-region w:st="on" />US</country-region /> as a student couple of decades back and in those days the <placename w:st="on" />Stanford</placename /> <placename w:st="on" />International</placename /> <placename w:st="on" />Student</placename /> <placetype w:st="on" />Center</placetype /> advised us not to use our credit cards in very small shops <place w:st="on" /><city w:st="on" />San Francisco</city /></place />. They advised us to use cash.So, if you are CEO or CFO at a company with retail stores what do you do? If you pass a PCI DSS compliance assessment how safe and secure should you feel? Others companies in the industry like <a href="http://www.baselinemag.com/c/a/Security/Hannaford-Bros-PCI-Compliance-Claims-Spurs-Questions/">Hannaford</a> were PCI compliant but still had problems.  You have the stamp of compliance but what does that mean for your business?There are no easy answers but the one thing I can guarantee is that all retailers have “STUFF RUNNING ON THEIR <a href="http://www.solidcore.com/solutions/retail_pos.html">POINT OF SALE</a> SYSTEMS” which should not be there. How would I know?  Solidcore technology ships on a huge number of POS systems and the software creates an inventory of all the software it finds on the POS and store back office systems.  The results are often shocking. And it doesn’t matter if your IT folks tell you we run anti-virus or we have a strict gold image; the reality is very different. This is not entirely the IT folks fault as stores are typically serviced by local people and employees have physical access to these machines 24x7.The <a title="Solidcore solution for point of sale systems" href="http://www.solidcore.com/solutions/retail_pos.html" target="_blank">Solidcore solution for POS</a> and Store Back Office Machines makes sure that only the right things run (runtime control) and can’t be tampered with (change control). When we designed this solution in 2003 it was not with PCI in mind, it was to solve the problems that customers were having with keeping these machines operational given that they are remotely dispersed and the fact that Anti-Virus on these machines was practically useless as the signatures were almost never updated.Our PCI solution for data center servers has now emerged as the market leader with the leading QSA’s blessing it and recommending it to their customers.  The combination of these two solutions is becoming a standard for store-based companies that are avoiding shortcuts and pursuing the path towards sustainable protection of customer data.Rosen Sharma President & CEO <a title="Rosen Sharma email address" href="mailto:rosen@solidcore.com" target="_blank">rosen@solidcore.com</a> 9 application/xml false Hannaford PCI compliance PCI DSS point of sale PCI Data Security Standard (PCI DSS) PCI Security Standards Council Web site where a copy of the PCI DSS spec can be accessed http://www.pcisecuritystandards.org/tech/index.htm Solidcore S3 Control Embedded for point of sale systems Solidcore web site with information about sustaining PCI compliance on point of sale systems http://www.solidcore.com/solutions/retail_pos.html Hannaford PCI Compliance Spurs Questions Baseline magazine article about Hannaford data breach and PCI compliance http://www.baselinemag.com/c/a/Security/Hannaford-Bros-PCI-Compliance-Claims-Spurs-Questions/ Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Comcast Install 1.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727) 127.0.0.1 127.0.0.1 erinswanson 67.187.228.183 false true false false true 183020 false false true false false false true 183005 blog blogsite/SolidCore/web